Can Your Cyber Insurance Claim Be Denied?

Do we have to tell the truth when it comes to Cyber Insurance?

It probably happened to you. It’s dinner time, you’re called to the table. “Did you wash your hands like you’re supposed to?” you’re asked. You didn’t. On purpose or not, your hands are dirty. But it’s dinner time, and it’s your favorite dish, rutabaga stew…mmmmm…. (inside joke for longtime Simplex-IT fans). But you put on your sweetest face (just like mine except 100% different) and say “of course I did.” Do you get busted? I’ll let you finish your own story.

Because this is about cyber insurance and somebody who did get busted, and I doubt it’ll be the last time. We’ve talked before about how insurance companies are getting stricter in what their clients need to do on the security front before offering a cyber security policy. We’ve even referred to it as “the Travelers dilemma” since one of the first carriers to do so was Travelers.

They required organizations (and sometimes managed service providers…um, like Simplex-IT) to sign off stating that the client had implemented several basic security strategies. Most notably, multi-factor authentication (aka MFA). We’ve got a video on that as well.

On July 5 in the U.S. District Court for the Central District of Illinois, Travelers said it would not have issued a cyber insurance policy earlier this year to an electronics manufacturing services company if the insurer (Travelers) had known the company was not using MFA as it said. Recently that company suffered a ransomware attack. Travelers doesn’t want to have anything to do with losses, costs, or claims from the attack.

Think about this. A company applies for a policy and as part of that application indicates they are following an appropriate security strategy. Travelers not only offers the policy but also sets the pricing for the policy based on the truthfulness of the application. Only it’s wrong. And we’re not talking about a missed comma or a minor omission. Flat out wrong. MFA was not implemented anywhere near the level the submitted documents stated.

Stupid, greedy insurance companies!?

Actually, on this one, I have to give Travelers the benefit of the doubt (based on what information I can see). Our economy is going to continue to be attacked until the business model that the bad guys live under is eliminated. Which isn’t going to happen anytime soon. And insurance is going to be a critical go-to for organizations to withstand some of the damages that will occur from successful attacks.

But the insurance industry has to control some of its costs, and one of the ways is to insist on implementation of certain cyber security practices. And if clients aren’t willing to implement these strategies, then the insurance company shouldn’t have to pay.

Those of you who have cyber insurance policy renewals coming up in the near future, be ready to see either significant rate hikes or required security strategies implemented.

Or both, most likely.

Oh, and usually, I didn’t wash my hands. And got busted. Every. Single. Time.

 

More information on the denied claim.

Bob Coppedge

About Bob Coppedge

Simplex-IT, CEO

Bob is the CEO of Simplex-IT. He has over 40 years’ experience in IT (Information Technology), and in 2007 he created Simplex-IT to be the “good guys” in the IT world, specializing in making IT work for small to medium businesses and to “Simplify the Complex”. Bob is an industry-leading expert with the ability to translate tech talk into everyday language. Bob has authored three books: “The MSP’s Survival Guide to Co-Managed IT services”, “A CEO’s Survival Guide to Information Technology”, and his latest, “I Don’t Want Your Job: Is Co-Managed IT services the Right fit for You?”. Bob regularly speaks at various national and area events, including IT Nation, DattoCon, Private Directors Association and more.

Connect with Bob on LinkedIn: https://www.linkedin.com/in/rlcoppedge/
