Misrepresenting yourself is easy to do in a world where many of our interactions exist online. Why not put that profile photo of yourself up at the gym from a few years ago when you actually went there regularly? You’ll eventually get back to working out. There’s no harm in it. Deceptive? Sort of. But in a situation like that, while misleading, it likely won’t cause issues if uncovered.
But what about misrepresentation when it comes to your business? If you apply for cyber insurance and have cybersecurity measures and tools that you’ve purchased but don’t use, is it lying to say that they are “in place”?
In the News
A recent court case from Travelers Insurance is asking for a policy to be rescinded based on misrepresentation in that exact scenario. On July 6th, 2022, Travelers filed a motion based on a cyber insurance policy that they had issued in April to International Control Services (ICS). When the policy was issued, ICS declared that it had in place, and was using, multi-factor authentication (MFA) on its server. This was verified by a CEO-signed policy application, with an additional signature from “a person responsible for the applicant’s network and information security”.
In May, ICS suffered a ransomware attack. Through the investigation procedure, Travelers Insurance learned that they (ICS) were not using MFA as indicated. Travelers Insurance believes that the application statements were therefore misrepresentative and concealed the actual truth of the situation. Additionally, there was a December 2020 incident in which ICS had been compromised. The company confirmed in the application process that they had improved their cybersecurity.
Travelers Insurance is asking the court to declare the insurance contract null and void. They also want to rescind the policy and declare it has no duty to indemnify or defend ICS for any claim.
Getting a cyber insurance policy is necessary and should be something that MSPs discuss with clients. If it isn’t part of the initial proposal, it should be part of the ongoing conversation to identify the responsibilities of a client who declines coverage. Additionally, discuss what happens if you as an MSP put measures in place but they disable them or don’t use them. If you need would like to learn more about cybersecurity insurance or how to support clients with a strong cybersecurity program, Breach Secure Now can help!