In the latest edition of The Wright Toolbox:
Cyber Policies Increasingly Present a Challenge in the Application Process
By: Michael A. Stover, Esq.
A recent case points out the need to be completely knowledgeable and accurate when answering those underwriting/application questions from insurance companies regarding cyber coverage. The need for cyber insurance has become increasingly critical for all businesses because of the increase in cyber-attacks and breaches and the financial impact on companies. However, cyber insurance is somewhat unique due to the technical nature of the covered systems and operational protocols in place for each company.
In a recent case, the insurer denied coverage under a cyber insurance policy after a ransomware attack on the insured’s server that did not have multi-factor authentication. The denial of coverage was due to alleged material misrepresentations in the insured’s application for the policy that was signed by the CEO regarding the company’s use of multi-factor authentication.
Because of the rising rate of cyber losses, insurance companies' underwriting questions are becoming more specific and intensive, and increasingly ask for the specifics of the internal controls and protocols that are in place to protect against cyber-attacks. So you will start to see questions like “Is multi-factor authentication in place for emails, third-party access to emails, on servers and VPNs, in remote access protocols, and on the network for domain controller-type credentials?”; “Is the entity performing timely backups, and are these done online or offline?”; and “Are secure processes in place for initiating money transfers to prevent the fraudulent transfer of funds?”
Insureds need to keep in mind that responses to applications for coverage may be presumed to continue upon a future renewal of the policy. Thus, at renewal, the insured needs to ensure that its original responses in the application remain true and accurate. Insureds should also consider compiling backup or supporting documentation to justify the application responses in case coverage is challenged after a future claim.
As new threats continue to arise and evolve over time, cyber policy language and terms will continue to evolve. Insureds cannot just assume that new policies will have the same terms or requirements. With cyber insurance applications becoming more complex and technical, average office managers and business owners may not possess the skills to fully comprehend the questions asked. Insureds may need to look to IT professionals to respond. The takeaway is that cyber insurance coverage is a new and evolving policy and the underwriting/application process needs to be treated differently to ensure that your coverage is secured.
If you have any questions regarding this matter, please do not hesitate to contact any member of the WCS Insurance Defense Practice Group.