Insurer: Tech company with lax security can't get ransomware coverage
2022 INSDBREF 0412
•
By Thomas Parry
WESTLAW Insurance Daily Briefing
•
July 8, 2022
(July 8, 2022) - A technology firm cannot get coverage against a ransomware attack because it failed to implement multifactor authentication as required by its policy with Travelers Property Casualty Co. of America, the insurer says in an Illinois federal court complaint.
Travelers Property Casualty Co. of America v. International Control Services Inc., No. 22-cv-2145, complaint filed (C.D. Ill. July 6, 2022).
Travelers filed its suit for policy rescission and declaratory judgment against International Control Services Inc. in the U.S. District Court for the Central District of Illinois on July 6 through its counsel Christopher J. Bannon and Samuel R. Leist of Aronberg Goldgehn Davis & Garmisa.
Multifactor authentication
According to Travelers, ICS applied for a CyberRisk Tech insurance policy in March 2022.
Travelers says that ICS had suffered a ransomware attack in December 2020 and that in applying for the CyberRisk policy, the company represented that it had made security improvements required by the insurer.
Specifically, Travelers required that CyberRisk policyholders protect digital assets with multifactor authentication, or MFA, where a user seeking access to the company computer network, or email, for example, goes through two or more tests to establish their identity.
According to Travelers, ICS provided an "MFA Attestation" as part of its policy application to show that it would follow the MFA requirement.
Another ransomware attack
According to Travelers, ICS suffered a ransomware attack in May 2022 in which hackers gained access to the ICS server and unleashed a computer virus called Zeon.
In investigating the incident, Travelers said it discovered that ICS was not using multifactor authentication as it said it would on the policy application.
Travelers said ICS used multifactor authentication only with regard to its firewall access and failed to institute the security measure for any of its other digital assets.
ICS' statements that it would use MFA amount to misrepresentations and incorrect statements that materially impact the risk Travelers agreed to cover with the CyberRisk policy, the insurer says.
Accordingly, Travelers is asking the District Court to rescind the policy and declare that ICS cannot get coverage for the May 2022 ransomware attack.