With the rise of cybercrimes and breaches, insurance carriers have significantly increased their underwriting standards and have started to scrutinize their insureds controls more stringently in order to properly assess their cyber risk. Because the questions are becoming more complex, insureds must look more closely at how they answer the questions on their cyber application than ever before. The unintentional omission or incomplete answer to a question could invalidate coverage, even if the insured did not fully understand the question.
Cost is not the issue regarding coverage to those who are buying cyber insurance in today’s market. In many cases, it comes down to whether the risk is insurable at all. Cyber insurance carriers are now looking at all the controls in place, software being used and how current the software is updated to determine insurability. Insurance carrier rate their risk using a score, typically between 1 and 100, with 100 being the best risks. In order to develop that risk score, carriers will assess very specific controls. Unfortunately. Many of the questions are in several parts and the devil is in the details. Some of the most significant scoring items are below:
- Does the insured use Multifactor Authentication on the following and of so, which vendor do they use and is it used on the following?
- Email Access
- All Remote Access
- Privileged Account Management
- All Endpoint Access
- Inside the Client Network
- Are their different usernames for Privileged Access Management
- For Back Ups
- Does the insured use any Endpoint Detection and Response Software? If so:
- Who is the Vendor?
- Is it 24/7 monitoring?
- Does it have Quarantine Capabilities
- Will it disconnect network access?
- Does the insured have backups?
- Are they encrypted?
- Are they Air Gapped?
- Are they Immutable?
- Are there three backups with at least one offsite (3-2-1 backup
- Are systems encrypted?
- At Rest?
- In Transit?
- On Backups?
In prior years, only the first parts of the above questions were asked on an application. For example, do you use Multifactor Authentication? The current Applications requests to know the name of the vendor, when you use it and if you use separate usernames for privileged accounts and backups. This can lead to problems when a claim arises if not completely answered.
In one recent claim, an insured answered “yes” as to if they used Multifactor Authentication to all endpoint users. However, they didn’t use MFA for access to their servers. When a claim arose, 300 servers were vulnerable since MFA only applied to email and outside VPN access.. The client didn’t believe a server was an endpoint as it was not a user endpoint, whereas the carrier felt it was. Luckily in this case the claim was paid, but it could have spelled trouble.
In another claim from last year, an insured used an EDR on their systems, however, it didn’t have immediate notification or quarantine capabilities. When the IT department received an email of a problem from their vendor when they returned to work on Monday, the damage was already done. In this year’s application the carrier would want to know which vendor is used if it has quarantine capabilities and if its 24/7 monitored.
With all of these new requirements in place, companies would do well to fully scrutinize their cyber application in conjunction with both their broker and IT department so as to fully disclose the totality of controls in place. In general, an application is a representation and in some cases a warranty of fact. Even minor omissions from an application could lead to a denial of coverage. Cyber policy issuers rely on applications to determine the risk they are willing to take. When a breach happens, they will investigate the claim and review it for misrepresentation. If they determine the insured misrepresented their controls, could have prevented or at least mitigated the claim, with the proper controls in place, they can deny coverage and leave insureds in a difficult position.
A good example of this occurred with a recent Traveler’s client. In May 2022, their client International Control Services (ICS) was breached and had several of their records compromised as a result. When they launched an investigation, they discovered that ICS had not even implemented Multifactored Authentication. Further research revealed they had been breached in 2020 and had not taken the necessary steps to mitigate another breach.
This was not disclosed to Travelers’s when they were renewing their cyber policy with them Travelers alleged ICS submitted a cyber policy application signed by its CEO and “a person responsible for the applicant’s network and information security” that the company used MFA for administrative or privileged access. However, following the May ransomware event, Travelers first learned during an investigation that the insured was not using the security control to protect its server and “only used MFA to protect its firewall, and did not use MFA to protect any other digital assets.”
As a result, in what is believed to be the first of its kind lawsuit, Traveler’s has asked the courts to vacate their policy. “According to a July 6 filing in U.S. District Court for the Central District of Illinois, Travelers said it would not have issued a cyber insurance policy in April to Decatur, Illinois-based, electronics manufacturing services company International Control Services (ICS) if the insurer knew the company was not using MFA as it said. Additionally, Travelers wants no part of any losses, costs, or claims from ICS – including from a May ransomware attack ICS suffered.”(1) They wish the courts to declare it null and void and to remove their responsibility to defend ICS.
Mike Smith, President and CEO of Axis Insurance Services, LLC and PLRisk Advisors, Inc said “We have never experienced a market where clients were just uninsurable. These new underwriting standards, although necessary, are shaking up the market and causing concerns for our insureds that they could be without coverage by being held to a standard that they did not know they needed to. Some insureds have been told by their IT departments that their controls are sufficient only to be told with little warning by carriers that they are not. The significant cost to implement major changes on the fly at renewal is causing increasing stress for our clients”
Regardless of the outcome of this matter with Travelers, this case should serve as a lesson to others to take a second look at their application and ensure they have fully disclosed all their controls. With cyber-crimes increasing by the day, it is imperative that companies know what to put in their application and utilize the proper professional to provide the best protection.
Axis Insurance Services, LLC has professionals and resources that can help companies better prepare for their cyber renewal. Time spent upfront prior to the renewal can help save money on their renewal and help insureds properly complete their applications. For a brief consultation please feel free to contact us at 201-847-9175 Ext 105 or email us at firstname.lastname@example.org
Please review our cyber best practices guide: (Link)