Cyber insurance coverage is hard enough to get and keep in these times of constant ransomware attacks. Now companies apparently have to worry about insurers suing them to void their policies as if they never existed.
In late August, the Travelers Property Casualty Company of America and International Control Services (ICS) reached an agreement in federal court in Illinois to approve cancellation of the ICS policy and any request for coverage following a recent Ransomware offensive. Travelers had alleged in its lawsuit that when ICS completed its application for cyber risk insurance, it said it had multi-factor authentication (MFA), which most such policies currently require. (Travelers and ICS did not respond to requests for comment.)
The fact that a large insurer sought to avoid paying a claim is not surprising. Insurers do this all the time. But challenging the validity of an already issued policy is highly unusual for any type of cover and should send a warning to companies seeking cyber risk insurance to proceed with caution.
Why choose a fight?
While policyholders shouldn’t expect such lawsuits to become commonplace, there likely will be more, according to Scott Godes, partner and co-chair of the collections and insurance advisory practice at Barnes & Thornburg, a national law firm that represents businesses. in insurance recovery cases.
The carriers have been quietly threatening to use the termination of the policy as a “nuclear option” for some time.
“Carriers quietly threatened to use policy cancellation as a ‘nuclear option’ for some time,” he says. “It’s super disappointing to see him. It is a pattern, in my view, of blaming the insured rather than engaging in more careful loss control. It is a model of using ambiguous and cleverly worded application questions against policyholders.
Godes refers to a practice of requiring companies to regularly attest to the the actions they have taken to strengthen cybersecurity instead of working closely with policyholders to ensure they meet security expectations. After an attack, insurers specifically look at an insured’s cybersecurity preparedness. A forensic investigator is often responsible for verifying the accuracy of the cybersecurity practices that a company has reported in its insurance application.
Insurers should work more collaboratively with policyholders to ward off cyberattacks and avoid confusion that could lead to disagreement, Godes says. Some insurers already do this for other forms of insurance. For example, some insurers advertise that they could offer reduced rates to motorists who are willing to place a device in their car to monitor their driving habits. Insurers could employ a similar “loss control” strategy when writing cyber risk policies, rather than using claims responses as “trap doors,” Godes argues.
However, many companies are reluctant to share detailed information about their cybersecurity practices. They worry about insurers sticking their noses where they might not belong or the potential legal implications of disclosing safety practices.
Deal with tedious applications
Given these difficulties and the proliferation of ransomware and other cyberattacksmany cyber insurers require applicants to complete long and unwieldy questionnaires to be eligible for coverage, says Josephine Wolff, associate professor of cybersecurity policy at Tufts University’s Fletcher School and author of Cyber Insurance Policy: Rethinking Risk in the Age of Ransomware, Cyber Fraud, Data Breaches and Cyber Attacks.
As people misrepresent things on their policies, intentionally or not, insurance companies will push back.
“These apps have gotten so long now that some companies are putting teams of three or more people into rooms and saying, ‘Completing this quiz is your job for the next month.'”
Of course, spending so much time takes away from other work. A more common practice is for someone from the office of the CISO, CIO, CFO or Treasurer to complete the insurance paperwork.
The problem: A single person is unlikely to have the knowledge or the time to answer all the technically detailed questions accurately and completely. As a result, errors, omissions, and misrepresentations occur that prompt insurers to deny claims or, as Travelers demonstrated with its precedent-setting case, to void coverage.
“I think the biggest thing you’ll see is that as people misrepresent things on their policies, intentionally or not, insurance companies will push back,” says Gerry Glombicki, senior director at Fitch Ratings, one from major rating agencies.
Choose their battles
But even if others follow the Travelers lead, industry watchers say they are likely to do so sparingly. The prospect of bringing cyber insurance policyholders to justice is not great.
“It really doesn’t do insurance companies to get tangled up in a whole bunch of litigation where they’re trying to void coverage based on technicalities,” says David Anderson, US head of cybersecurity at the brokerage. McGill and Partners reinsurance.
Anything you put in writing to insurance companies is a representation, whether or not your signature is on it.
“I’m surprised that this type of litigation is happening in the first place,” says Sean O’Brien, visiting fellow with the Information Society Project at Yale Law School. “It’s a horrible strategy because no one will trust these products. They have enough trouble selling cyber insurance.
“It’s a slippery slope,” adds Gerry Kennedy, manager at Charles River Insurance. “You claim to provide coverage to policyholders when they need it. But then you pull the rug out from under them [by rescinding contracts] when will that time come? Most people would say, “It would have been nice to know there was this possibility before you refused my request.”
Avoid legal risk
To avoid unpleasant surprises, industry watchers recommend the following precautions.
- Take the questionnaire seriously. As burdensome as these claims have become, they are legally binding statements of fact. A dispute can arise whenever there is ambiguity. Before completing an application, Anderson of McGill and Partners recommends forming a cross-functional risk management team to pull together all the operational and technical details that will be needed to provide the most complete and accurate answers.
- Lawyer standing. Anderson also suggests involving a lawyer early on to help guide the process and review questionnaire responses. “Anything you put in writing to insurance companies is a representation, whether your signature is on it or not,” he says. “Engaging a lawyer is an expensive process, and not many businesses, especially mom-and-pop shops, can do it. But if you can, it’s a good idea.
- Map your exposure. During the application process, it is important to remember that cybercriminals often attack third parties. This could become a problem later on if a company states that it has an MFA but does not ensure that its partners and affiliated suppliers use it too, notes Kennedy of Charles River. He suggests contacting the insurer to understand if third-party risk management is part of its expectations and, where applicable, to anchor them in its requirements.
- Know what you are attesting to. Liability rests with whoever signs on the dotted line of a cyber insurance application. If a problem arises later, this is the person who will be in the crossfire of any legal proceedings. For this reason, Fitch’s Glombicki emphasizes that the signer, who is ideally a senior executive, should know what they are attesting to, for their own protection as well as that of the organization.
- Be available. Wolff of Tufts notes that the worst thing a company can do is cover up the truth. While they don’t need to go overboard with details, leaders should be as open as possible to avoid accusations of misrepresentation. For example, if a company has deployed MFA in some places but not others, leaders need to identify where it exists and where it doesn’t.
- Understand what’s in the policy. When purchasing cyber insurance, don’t assume your policy protects against every conceivable scenario. Insurance doesn’t work that way. It is therefore extremely important to understand the content of a policy and to pay particular attention to declared exclusionswarns Eric Gyasi, lawyer and vice president of Stroz Friedberg, an Aon company.
“It may sound a little trivial, but organizations tend to set it and forget it,” he says. “In fact, a policy may not cover what you thought it covered.”
Insurers are not yet lining up to cancel the policies they have issued. But observers believe other lawsuits like Travelers v. ICS will almost certainly follow as the industry seeks to refine its risk models and rules.
As Godes of Barnes & Thornburg warns: “Companies need to be aware that carriers are taking more aggressive and stricter constructionist views on their applications – and react accordingly.”