In the Wake of Breaches, Insurers Look to Rescind Policies
As loss payouts on cyber policies continue to increase, carriers are looking for ways to get out of paying.
Since cyber insurance is a non-standard-form policy, you really have to read it carefully to understand whether you are complying.
For example, in reviewing one client’s policy, we discovered that if the client did not perform out-of-band verification to payment changes, even though you are paying for your policy, you will have no coverage.
Add to that, a lot of the application questionnaires are insanely complex and the questions are tricky. You might think you are answering the questions correctly when, in fact, you are not.
Experian says:
Cyber insurance claims are growing. According to Experian, in 2021, almost half of all organizations experienced a ransomware attack, and nearly half of the ransoms paid were for $100,000 or more. Experian reported that the average total cost for a ransomware breach was $4.62 million. A company’s decision to pay a ransom becomes much more understandable after the business has been without its data for two or three weeks, especially when backups needed to get the business up and running are not as robust as first expected.
https://www.taftlaw.com/news-events/law-bulletins/cyber-insurers-look-to-rescind-policies-after-large-claims
Here is an example of what the insurers are doing:
Earlier this month Travelers filed a lawsuit to rescind the policy of a 150 person company named International Control Services, Inc. It is an electronics manufacturing firm.
Travelers said that they asked, in the application, if the company used multi-factor authentication. After a breach and claim, Travelers got its magnifying glass out to see if they could get out of paying. If the application was wrong in a way that might affect the decision to provide coverage, they have an out.
ICS said that they were using it, but at the time of the application and at the time of the breach, they were not using it to ACCESS THEIR SERVERS. The application does not specifically mention servers, but it doesn’t exclude them either.
Travelers also requires an attestation. In this case it asked if MFA was required for “All internal & remote admin access to organization’s endpoints/servers.” Maybe a password plus a badge to the computer room qualifies as MFA. That would mean that an admin was technically blocked from logging in to the server from his or her desk – not a likely situation.
But finally, the attestation requires an officer to certify to the accuracy based on the person’s knowledge and belief. This may be one case where keeping your officers in the dark could pay off. Credit: Taft Law
If you need help completing your insurance application, understanding your policy or reviewing your documents, please contact us.