Insurer Asks Court To Rescind Policy And Indemnify Them Of Losses

Illinois-based electronics manufacturing services company International Control Services (ICS) had its cyber insurance claim denied by Travelers Insurance, which, in one of the first court filings of its kind, also asked the District Court to rescind the policy on the grounds that ICS misrepresented its use of Multi-Factor Authentication (MFA) on its insurance application.

Misrepresentations Found After Ransomware Event

Travelers alleged that ICS submitted a cyber policy application, signed by its CEO and “a person responsible for the applicant’s network and information security,” which stated that the company used MFA for administrative or privileged access. However, while investigating a May ransomware event, Travelers learned that the insured was not using the security control to protect its server and “only used MFA to protect its firewall, and did not use MFA to protect any other digital assets.”

Therefore, statements ICS made in the application were “misrepresentations, omissions, concealment of facts, and incorrect statements” – all of which “materially affected the acceptance of the risk and/or the hazard assumed by Travelers.” Travelers claims that had it known this, it would not have issued the policy.

In addition to the May ransomware event, ICS was also the victim of a ransomware attack in December 2020 when hackers gained access using the username and password of an ICS administrator, Travelers said. ICS told the insurer of the attack during the application process and said it improved the company’s cybersecurity.

Sign Of Things To Come

As underwriters require ever longer, more complex and more technical application forms of 40 pages or more, the implications of this case could be dramatic and far-reaching. A single question like “Do you apply the principle of least privileges to your administrative accounts?” can have far-reaching implications for how IT operates within the organization. Some of the applications seem to be asking every question the insurer can come up with, even when it doesn’t make sense. On how many of those questions will the IT guy give the expedient answer, because the question is too technical for a yes or no answer but the form offers only a yes or no checkbox, and he knows what answer his boss wants on the form, so “Yes” gets checked? So when the time comes and you need to file a claim, can you prove you are always doing everything you said on the insurance application?

But Can You Prove It?

If you said on your cyber insurance application that you have current anti-virus, apply security updates, and provide cybersecurity training to your users, and you experience a data breach because someone clicked a bad link, the only way your insurance claim will be paid is if you can prove to the adjustor that the virus definitions were up-to-date on that computer, that all the latest security updates were present, and that the user was current in their training, with a log or recent test score. For most organizations it would be impossible to prove all that, but what if you also had to prove that you “apply the principle of least privileges to your administrative accounts”? Can you produce the documentation to prove that? What if you have 40 pages of questions like that? Can you prove them all?

Affordable Solutions To Complex Problems

If you don’t have that level of comfort regarding your cyber insurance, contact Rocky Mountain Cybersecurity today. Our experts and affordable services can make sure your insurance safety net is there for you when you need it.

 

Court Case: Travelers Property Casualty Co. of America v. International Control Services Inc., No. 22-cv-2145
(C) Copyright 2022 Rocky Mountain Cybersecurity, All Rights Reserved