Cyber insurance companies are insisting on Multifactor Authentication (MFA)... and so should you

Cyberinsurance companies mfa

In what may be one of the first court filings of its kind, cyber insurance company Travelers is asking a district court for a ruling to rescind a policy because the insured allegedly misrepresented its use of multifactor authentication (MFA) – a condition to get cyber coverage.

According to a July 6 filing in U.S. District Court for the Central District of Illinois, Travelers said it would not have issued a cyber insurance policy in April to Decatur, Illinois-based, electronics manufacturing services company International Control Services (ICS) if the insurer knew the company was not using MFA as it said. Additionally, Travelers wants no part of any losses, costs, or claims from ICS – including from a May ransomware attack ICS suffered.

Travelers alleged ICS submitted a cyber insurance policy application signed by its CEO and “a person responsible for the the applicant’s network and information security” that the company used MFA for administrative or privileged access. However, following the May ransomware event, Travelers first learned during an investigation that the insured was not using the security control to protect its server and “only used MFA to protect its firewall, and did not use MFA to protect any other digital assets.”

Therefore, statements ICS made in the application were “misrepresentations, omissions, concealment of facts, and incorrect statements” – all of which “materially affected the acceptance of the risk and/or the hazard assumed by Travelers,” the insurer alleged in the filing.

ICS also was the victim of a ransomware attack in December 2020 when hackers gained access using the username and password of an ICS administrator, Travelers said. ICS told the insurer of the attack during the application process and said it improved the company’s cybersecurity.

Travelers said it wants the court to declare the cyber insurance contract null and void, rescind the policy, and declare it has no duty to indemnify or defend ICS for any claim.

Travelers Property Casualty Co. of America v. International Control Services Inc., No. 22-cv-2145 

Acumen Consulting Logo

About Acumen

We are a TOP FIVE Managed IT Services provider in St. Louis, Missouri, working to empower businesses to achieve their goals by leveraging technology.

Recent Posts

Follow Us

Sign up for our Newsletter