The Legal Danger Lurking in Cyber Insurance Policies

Cyber insurance coverage is already challenging enough to get and keep in these days of constant ransomware attacks. Now, companies apparently need to worry about insurers taking them to court to rescind their policies—as if they never existed.

In late August, Travelers Property Casualty Company of America and International Control Services (ICS) reached agreement in an Illinois federal court to approve the cancellation of ICS’s policy and any claims for coverage following a recent ransomware attack. Travelers had alleged in its suit that when ICS filled out its application for cyber-risk insurance, it misrepresented having multifactor authentication (MFA), which most such policies currently require. (Travelers and ICS did not respond to requests for comment.)

The fact that a major insurer sought to avoid paying a claim isn’t surprising. Insurers do that all the time. But challenging the validity of an already issued policy is highly unusual for any coverage type and should send a warning to companies seeking cyber-risk insurance to proceed carefully.

Compare and prescriptively improve your IT risk metrics against your industry peers.

Why pick a fight?

While policyholders shouldn’t expect such lawsuits to become commonplace, there will probably be more of them, according to Scott Godes, a partner and co-chair of the insurance recovery and counseling practice at Barnes & Thornburg, a national law firm that represents companies in insurance recovery cases.

Carriers have quietly been threatening to use policy rescission as a ‘nuclear option’ for some time.

“Carriers have quietly been threatening to use policy rescission as a ‘nuclear option’ for some time,” he says. “It’s super disappointing to see it. It’s a model, in my opinion, of blaming the policyholder as opposed to engaging in more careful loss control. It’s a model of using ambiguous and cleverly worded application questions against policyholders.”

Godes is referring to a practice of putting the onus on companies to regularly attest to the actions they’ve taken to strengthen cybersecurity instead of partnering closely with policyholders to ensure they are meeting security posture expectations. After an attack, insurers put a policyholder’s cybersecurity readiness under particular scrutiny. A forensic investigator is often assigned to verify the accuracy of the cybersecurity practices a company reported on its insurance application.

Insurers should work more collaboratively with policyholders to head off cyberattacks and to avoid any confusion that could lead to disagreement, Godes says. Some carriers already do this for other forms of insurance. For instance, some insurers advertise that they could provide discounted rates to motorists who are willing to place a device in their cars to monitor their driving habits. Insurers could employ a similar “loss control” strategy when writing cyber-risk policies, rather than use answers to applications as “trapdoors,” Godes argues.

[Read also: Ransomware is battering the cyber insurance industry]

However, many businesses are hesitant to share detailed information about their cybersecurity practices. They worry about insurers sticking their noses where they might not belong or about the potential legal implications of divulging security practices.

Tackling tedious applications

Given these difficulties and the growing spate of ransomware and other cyberattacks, many cyber insurers are requiring applicants to complete lengthy and unwieldy questionnaires to qualify for coverage, says Josephine Wolff, an associate professor of cybersecurity policy at the Fletcher School at Tufts University and author of Cyberinsurance Policy: Rethinking Risk in an Age of Ransomware, Computer Fraud, Data Breaches, and Cyberattacks.

As people misrepresent things on their policies, either intentionally or unintentionally, insurance companies will push back.

“These applications have gotten so long now that some companies put teams of three or more people into rooms and tell them, ‘Answering this questionnaire is your job for the next month.’”

Of course, devoting that much time takes away from other work. A more common practice is for someone in the office of the CISO, CIO, CFO, or treasurer to fill out insurance paperwork.

The problem: It’s unlikely that one person will have the background or time to answer every technically detailed question accurately and completely. As a result, errors, omissions, and misrepresentations happen and spur insurers to deny claims or, as Travelers demonstrated with its precedent-setting case, rescind coverage.

[Read also: Will the feds backstop cyber insurance]

“I think the biggest thing you will see is, as people misrepresent things on their policies, either intentionally or unintentionally, insurance companies will push back,” says Gerry Glombicki, senior director at Fitch Ratings, one of the top credit-rating agencies.

Picking their battles

But even if others follow the lead of Travelers, industry observers maintain they will probably do so sparingly. The optics of taking cyber insurance policyholders to court aren’t great.

“It really doesn’t serve the insurance companies well to get wrapped up in a whole bunch of litigation where they’re trying to void coverage based on technicalities,” says David Anderson, U.S. head of cyber at reinsurance broker McGill and Partners.

Everything you put in writing to insurance companies is a representation, whether your signature is on it or not.

“I’m surprised that this kind of litigation occurs in the first place,” agrees Sean O’Brien, visiting fellow at the Information Society Project at Yale Law School. “It’s a horrific strategy because it’s going to result in nobody having faith in these products. They have enough difficulty selling cyber insurance.”

“It’s a slippery slope,” adds Gerry Kennedy, principal at Charles River Insurance. “You’re purporting to provide coverage to policyholders when they need it. But then you pull the rug out from underneath them [by rescinding contracts] when that time comes? Most people would say, ‘It would have been nice to know there was that possibility before you denied my claim.’”

Avoiding legal risk

To head off unpleasant surprises, industry observers recommend the following precautions.

• Take the questionnaire seriously. As cumbersome as these applications have become, they are legally binding statements of fact. Litigation can arise anytime there’s ambiguity. Before filling out an application, Anderson from McGill and Partners recommends forming a cross-functional risk-management team to gather all the operational and technical detail that will be needed to supply the most complete and accurate answers.
• Lawyer up. Anderson also suggests getting an attorney involved early on to help guide the process and review questionnaire responses. “Everything you put in writing to insurance companies is a representation, whether your signature is on it or not,” he says. “Hiring an attorney is an expensive process, and not a lot of companies, especially mom-and-pop shops, can do it. But if you can, it’s advisable.”
• Map your exposure. During the application process, it’s important to remember that cybercriminals often attack third parties. It could become an issue down the road if a company represents that it has MFA but doesn’t make sure its affiliated partners and vendors use it as well, notes Kennedy of Charles River. He suggests communicating with the insurer to understand if third-party risk management is one of its expectations and, if so, pinning them down on its requirements.
• Know what you’re attesting to. The buck stops with whoever signs on the dotted line of a cyber insurance application. If an issue occurs later, that’s the person who will be in the crossfire of any legal proceedings. For that reason, Fitch’s Glombicki stresses that the signatory, who is ideally a senior leader, should know what they are attesting to—for their own protection as well as the organization’s.
• Be forthcoming. Wolff of Tufts notes that the worst thing a company can do is gloss over the truth. Though they don’t need to overdo it with details, executives should be as forthcoming as possible to avoid accusations of misrepresentation. For example, if a company has deployed MFA in some places but not others, executives should identify where it exists and where it does not.
• Understand what’s in the policy. When applying for cyber insurance, don’t assume your policy protects against every imaginable scenario. Insurance doesn’t work that way. It’s extremely important, therefore, to understand what’s in a policy and pay particular attention to stated exclusions, warns Eric Gyasi, an attorney and vice president at Stroz Friedberg, an Aon company.

[Read also: 6 cybersecurity questions I always tell boards to ask]

“That may sound a little trite, but organizations tend to set it and forget it,” he says. “In fact, a policy may not cover what you thought it was covering.”

Insurers aren’t yet lining up to rescind policies they’ve issued. But observers believe more suits like Travelers v. ICS will almost certainly follow as the industry seeks to refine its risk models and rules.

As Godes of Barnes & Thornburg warns: “Companies should be mindful that carriers are taking more aggressive and strict constructionist views on their applications—and react accordingly.”