Assurex E&O Plus | Multifactor Authentication – A Key Question on a Cyber App
20891
post-template-default,single,single-post,postid-20891,single-format-standard,qode-quick-links-1.0,ajax_fade,page_not_loaded,,qode-theme-ver-11.1,qode-theme-bridge,wpb-js-composer js-comp-ver-5.1.1,vc_responsive

Multifactor Authentication – A Key Question on a Cyber App

Multifactor Authentication – A Key Question on a Cyber App

In researching claims frequency in the cyber line of coverage, I found an article by Howden in July 2021 (sorry, that’s the latest I could find) subtitled “Not if, but when.” While the data is from YE 2020, it still displays alarming statistics.

The data, supplied by S&P Global Market Intelligence, HX Analytics broke the numbers down by First Party vs. Third Party and by Standalone vs. Packaged (an endorsement to another policy where the coverage is typically not as broad). 

                                                                                  2020 vs 2019 2020 vs 2018

Standalone – 1st party (approx. 9,000 claims) + 60% + 200% 

Standalone – 3rd party (approx. 3,000 claims) – 25% + 25%

 

Packaged – 1st party (approx. 7,000 claims) + 16% + 40% 

Standalone – 3rd party (approx. 3,000 claims) – 10% Flat

 

One must believe that the number of claims continues to rise, so “Not if but when.” To the best of my knowledge, it is unknown what percentage of these claims are actually being paid.

As anyone dealing with securing Cyber coverage is aware, the issue of multifactor authentication (MFA) has taken on the utmost level of importance. What if the client states they have MFA, but at the time of the claim, the carrier does not agree? Take a minute to read the following article by Chad Hemenway of Insurance Journal posted on July 12, 2022.

In what may be one of the first court filings of its kind, insurer Travelers is asking a district court for a ruling to rescind a policy because the insured allegedly misrepresented its use of multifactor authentication (MFA) – a condition to get a cyber policy.

According to a July 6 filing in U.S. District Court for the Central District of Illinois, Travelers said it would not have issued a cyber insurance policy in April to Decatur, Illinois-based electronics manufacturing services company International Control Services (ICS), if the insurer knew the company was not using MFA as it said. Additionally, Travelers wants no part of any losses, costs, or claims from ICS – including from a May ransomware attack ICS suffered.

Travelers alleged ICS submitted a cyber policy application signed by its CEO and “a person responsible for the applicant’s network and information security” that the company used MFA for administrative or privileged access. However, following the May ransomware event, Travelers learned during an investigation that the insured was not using the security control to protect its server. It “only used MFA to protect its firewall, and did not use MFA to protect any other digital assets.”

Therefore, statements ICS made in the application were “misrepresentations, omissions, concealment of facts, and incorrect statements” – all of which “materially affected the acceptance of the risk and/or the hazard assumed by Travelers,” the insurer alleged in the filing.

Travelers said that ICS was the victim of a ransomware attack in December 2020 when hackers gained access using the username and password of an ICS administrator. ICS told the insurer of the attack during the application process and said it improved the company’s cybersecurity.

Travelers said it wants the court to declare the insurance contract null and void, rescind the policy, and declare it has no duty to indemnify or defend ICS for any claim.

Travelers Property Casualty Co. of America v. International Control Services Inc., No. 22-cv-2145