Here is an eye-opener if you are not properly deploying Multifactor Authentication (MFA).
A new case brought forth by a major insurance carrier is sending shock waves through the cybersecurity industry. Travelers Insurance is asking a district court for a ruling to rescind a cyber policy because the insured allegedly misrepresented its use of multifactor authentication (MFA), which was a condition to get the coverage.
According to a July 6th filing in U.S. District Court for the Central District of Illinois, Travelers said it would not have issued a cyber insurance policy in April to Decatur, Illinois-based, electronics manufacturing services company International Control Services (ICS) if the insurer knew the company was not using MFA as it said. Additionally, Travelers wants no part of any losses, costs, or claims from ICS – including from a May ransomware attack ICS suffered.
Travelers alleged ICS submitted a cyber policy application signed by its CEO and “a person responsible for the applicant’s network and information security” that the company used MFA for administrative or privileged access. However, following the May ransomware event, Travelers first learned during an investigation that the insured was not using the security control to protect its server and “only used MFA to protect its firewall, and did not use MFA to protect any other digital assets.”
Therefore, statements ICS made in the application were “misrepresentations, omissions, concealment of facts, and incorrect statements” – all of which “materially affected the acceptance of the risk and/or the hazard assumed by Travelers,” the insurer alleged in the filing.
ICS also was the victim of a ransomware attack in December 2020 when hackers gained access using the username and password of an ICS administrator, Travelers said. ICS told the insurer of the attack during the application process and said it improved the company’s cybersecurity.
If Travelers is successful, this means that a cybersecurity policy that requires MFA on servers for privileged and administrative access must be complied with or the policy would not be paid as a business would expect.
Travelers said it wants the court to declare the insurance contract null and void, rescind the policy, and declare it has no duty to indemnify or defend ICS for any claim.
The case is Travelers Property Casualty Co. of America v. International Control Services Inc., No. 22-cv-2145.
River Run includes MFA as part of our R-Security portfolio to ensure that our clients are protected and meet their industry and government compliance while meeting the conditions of their cyber insurance policy.
Share this article