A voided lawsuit from a cyber insurance carrier, which claimed its customer misled it on its insurance application, could pave the way for changes in how underwriters evaluate self-attestation claims on insurance applications.
The case — Travelers Property Casualty Company of America v. International Control Services Inc. (ICS) — hinged on ICS claiming it had multifactor authentication (MFA) in place when the electronics manufacturer applied for a policy. In May the company experienced a ransomware attack. Forensics investigators determined there was no MFA in place, so Travelers asserted it should not be liable for the claim.
The case (No. 22-cv-2145) was filed in the U.S. District Court for the Central District of Illinois on July 6. At the end of August, the litigants agreed to void the contract, ending ICS's efforts to have its insurer cover its losses.
This case was unusual in that Travelers maintained in the court filing that the misrepresentation "materially affected the acceptance of the risk and/or the hazard assumed by Travelers."
Taking a client to court is a departure from other similar cases where an insurance company simply denied the claim, but it is hardly unique, said Scott Godes, a partner at Barnes & Thornburg LLP, a Washington, D.C.-based law firm.
"I have seen this issue bubbling up over the last few years. From my perspective, insurance carriers have made this a hard market — raising premiums and lowering limits — and that has emboldened them to choose the nuclear option by rescinding coverage," Godes says.
Security should be proactive, stopping possible breaches before they occur rather than simply responding to each successful attack, notes Sean O'Brien, visiting fellow at the Information Society Project at Yale Law School and the founder of Privacy Lab at Yale Law School.
View the full article on our sister site Dark Reading.