We’ve all been there. “I didn’t lie; I just didn’t tell you (all of the truth).”

Where have you heard that before? Did you/he/she get busted?

This article is not about honesty or proper manners but about cyber insurance applications. As you may have heard, someone got busted, and it won’t be the last time. Insurance companies are getting much stricter about what they require applicants to do on the security front before offering them an (affordable) cyber liability policy.

Why?

As cyber-attacks continue to increase, so do the payouts from insurance companies, and they are not happy about barely breaking even. So, to protect themselves, they require organizations to sign off on an increasingly long list of requirements, stating they have implemented a multitude of security strategies, most notably multifactor authentication (aka MFA or 2FA).

Now they say liars never prosper. And so, in what may be the first court filing of its kind, Travelers Insurance is asking a district court for a ruling to rescind a policy because the company it insured allegedly misrepresented its use of multifactor authentication (MFA) on its insurance application.

Travelers Insurance said it would not have issued a cyber insurance policy to the Illinois-based company if it had known the company was not using MFA as it claimed.

Travelers says that the company submitted a cyber insurance application, signed by its CEO and the person responsible for its IT network and security, stating that the company used MFA for administrative access. However, following a ransomware event, Travelers learned the company was not using the security control to protect its server and only used MFA to protect its firewall.

Ouch.

Think about it …

A company applies for a policy and indicates they are following an appropriate security strategy as part of that application. Travelers offers the policy and sets the pricing for the policy based on the truthfulness of the application. Only it’s wrong. And we’re not talking about missing a comma or a minor omission. Flat out wrong. Multifactor authentication was not implemented anywhere near the level the submitted application indicated.

What are the consequences of this misrepresentation of the truth?

The court will be the one to sort this out. From where we stand, though, we have to give Travelers the benefit of the doubt.

Unfortunately, our organizations will continue to be attacked until the bad guys’ business model is eliminated, which isn’t going to happen anytime soon. And insurance is a critical level of protection to help recover from some of the damages that will occur from a successful attack.

Not unreasonably, the insurance industry must control some of its costs, and one of the ways it does this is by insisting you implement proactive security practices. If clients aren’t willing to work with their MSP to implement added levels of protection, the insurance company shouldn’t have to pay. It is just like homeowner’s insurance: the insurer may cancel or fail to pay out if you fail your inspection, the roof on your house is in bad shape, and a storm causes a tree to fall on it.

If you have cyber insurance policy renewals coming up soon, be ready to see significant rate hikes and a long list of security strategies that must be implemented.

If you aren’t using MFA yet (you should be!) or are unsure where you stand with regard to the requirements demanded by your insurance company, get in touch. No strings attached. We’ll help you decipher your application, and you’ll walk away knowing where your gaps are and have a plan to fix them.