Using Multi-Factor Authentication as a Prerequisite to Cyber Liability Coverage

Farella Braun + Martel LLP

Multi-factor authentication (MFA) is more than an annoying popup or text message when logging onto a company’s website or platform. Not only is using MFA a sound security practice and good business,[1] it is increasingly becoming a prerequisite to procuring (and keeping) cyber liability coverage. Following the May 2021 Colonial Pipeline ransomware attack, which shut down the country’s largest oil pipeline for several days, more cyber insurers are now requiring policyholders to implement MFA. Last month, one tech manufacturer learned this lesson the hard way when its insurer filed suit for rescission of its insurance policy and a declaration that the insurer owed no coverage for the company’s losses stemming from a ransomware attack. Travelers Property Casualty Co. of America v. International Control Services Inc., No. 22-cv-2145, complaint filed, 2022 WL 2532994 (C.D. Ill. July 6, 2022).

Travelers’ complaint contains the following allegations: International Control Services, Inc. (ICS) applied for a cyber insurance policy with Travelers. As part of the insurance application, the CEO of ICS was required to sign a “Multi-Factor Authentication Attestation” form. By signing the form, the CEO represented that ICS would require MFA for employees to access email through a website or cloud-based service, for remote access, and for administrative access to directory services, network backup, network infrastructure, and to its endpoints/servers. Travelers issued the policy and the following month, ICS reported to Travelers that it was the victim of a ransomware attack, during which hackers gained access to an ICS server and infected it with a computer virus known as “ZEON.” When Travelers began investigating the incident, it learned that ICS was only using MFA to protect its firewall, but not to protect its server and other digital assets. Travelers refunded ICS’s premium and filed suit in federal court seeking rescission of the policy on the ground that ICS misrepresented the extent to which it used MFA to protect its system.

In general, an insurer may rescind an insurance policy if the policyholder makes a material misrepresentation or conceals facts, even if the policyholder did not actually intend to deceive the insurer. Whether a misrepresentation is material is determined by the effect that the truth would have had on the insurer. Here, Travelers asserts that, had it known that ICS was not using MFA to protect its server and digital assets, Travelers would not have issued the policy.

Travelers has the burden of proving its allegations to succeed on its claims, and it is presently unclear whether it will be able to do so. Needless to say, however, the insured would rather have the insurer pay its claim instead of filing a coverage lawsuit, so this case highlights an important issue for policyholders to focus on when buying or renewing their cyber insurance. Policyholders should carefully review applications for new cyber coverage and renewals to ensure that their security controls meet the minimum standards required by the insurer. Many insurers also offer recommended vendors or resources to help policyholders implement MFA. Not only can using MFA help prevent a data breach, but using MFA to the full extent required will ensure that policyholders actually have the coverage they are depending on to respond to the breach.

[1] According to a year-long study conducted by Google, New York University, and the University of California, San Diego, MFA blocked 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks on users’ Google accounts. Google Security Blog, New Research: How Effective Is Basic Account Hygiene at Preventing Hijacking (May 17, 2019), https://security.googleblog.com/2019/05/new-researchhow-effective-is-basic.html. According to the U.S. Cybersecurity & Infrastructure Security Agency, businesses should implement MFA “across all networks, systems, and applications[.]” CISA, Capacity Enhancement Guide: Implementing Strong Authentication (Oct. 8, 2020), https://www.cisa.gov/sites/default/files/publications/CISA_CEG_Implementing_Strong_Authentication_508_1.pdf.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Farella Braun + Martel LLP | Attorney Advertising
