Travelers v. ICS underscores need to respond carefully to cyber insurance application questions

A recent federal case out of Illinois has thrust the issues of misrepresentations on an insurance application and rescission of a cyber policy into the spotlight.

On July 6, 2022, Travelers Property Casualty Company of America filed a complaint in federal court for rescission and declaratory relief against its insured, International Control Services, Inc. (ICS). On August 26, 2022, the lawsuit was dismissed, with judgment entered in favor of Travelers, after ICS agreed to allow the court to issue a judgment rescinding the policy.

Although the Travelers v. ICS case is over, the message it sends to organizations buying cyber insurance will resonate for a long time to come.

Travelers’ allegations

Travelers alleged in its complaint that ICS made material misrepresentations in connection with its application for a Travelers cyber insurance policy. Specifically, Travelers alleged that ICS made misrepresentations regarding the extent to which it utilized multifactor authentication (MFA).

The alleged misrepresentations came to light when ICS suffered a ransomware attack in May. Travelers alleged that, after ICS notified it of the ransomware event, it learned during its investigation that at the time ICS completed and submitted its insurance application:

  • MFA was not being utilized to protect a server.

  • ICS only utilized MFA to protect its firewall and did not use MFA to protect any other digital assets.

Travelers contended that because MFA was not being utilized to protect the server and various other digital assets at the time ICS applied for the policy, various statements that ICS made in its application were misrepresentations that warranted rescission of the policy.

What is policy rescission?

Under U.S. law, an insurer can seek to rescind a policy if it discovers, after the policy has been issued, that the insured misrepresented or concealed material facts in applying for insurance. A rescinded policy ceases to exist for all purposes.

Rescission generally is permitted when a representation is materially false and when the insured intentionally or unintentionally conceals material information from the insurer.

For an insurer to rescind a policy, the concealed information must be material to the risk insured under the policy, although not necessarily material to a particular claim tendered to the insurer.

Critical to the question of materiality is whether the underwriter would have accepted the risk if the information had been disclosed to the insurer. In Travelers v. ICS, Travelers alleged that had it been aware ICS was not using MFA to the extent represented in the application, it would not have issued the policy.

The rescission of the Travelers policy issued to ICS may be a harbinger of future litigation by cyber carriers. Increasingly, Lockton has seen cyber insurers raise misrepresentation and concealment issues on the basis of incorrect answers in policy applications.

Underwriting scrutiny to continue

Cyber insurance applications have become longer and more complex than they were in the past. Completing them accurately requires great care and focus, and a thorough understanding of what is being asked. Where answers prove to be incorrect, insurers are not hesitating to raise those as a defense to coverage for a claim or, in more extreme situations, rescind a policy, as Travelers did.

The underwriting process for cyber insurance policies is rigorous, with a sharp focus on essential controls that can help mitigate overall exposure to data breaches and ransomware events. While MFA was critical to the Travelers v. ICS case and will remain a vital control for organizations, other controls are pertinent to policy applications and the underwriting process. These include:

  • Conscientious and regular patch management;

  • Regular backups;

  • Isolating cloud backups;

  • Recognizing and replacing unsupported software;

  • Email scanning and filtering;

  • Email authentication;

  • The use of secure remote access solutions;

  • Encrypting sensitive information; and

  • Restricting administrative privileges.

It is essential that organizations accurately convey the current status of their controls in response to relevant questions in policy applications. As ICS discovered, the failure to do so can be costly. While legal remedies available to insurers may vary from one country to another, organizations should assume that incorrect answers in applications will have significant and unfortunate consequences.

For more information about the Travelers v. ICS case or help completing cyber policy applications, contact your Lockton adviser.