As the cyber liability landscape continues to evolve, there are several developments that have impacted many businesses. One of those impacts—it’s getting harder to obtain cyber liability insurance, but why?
First, cyber coverage is getting harder to get and harder to renew at a low price. Why is this? Underwriting has become more stringent, and the questions are getting deeper and harder to answer. Right now, Multi-Factor Authentication (MFA) is the hottest issue right now with most cyber carriers. And while, MFA is an important component for cybersecurity protection, even MFA has vulnerabilities.
Some carriers have added complex, multi-part questions on the cyber applications that are very difficult to answer with a yes or no. The reality is that technology infrastructure is complicated, and every company makes decisions based on operational needs, budget, talent constraints, and many other factors. Carriers are getting very specific on their questions into the implementation and utilization of MFA or other risk mitigation strategies and are relying on these responses to make underwriting decisions. Frequently, a yes or no is not the correct response, but rather, “it’s complicated.”
Carriers that request black and white responses to multi-part, complex questions can leave their clients in an impossible situation on how to respond in good faith. Clients may find themselves in a difficult situation when the carrier attempts to void cyber insurance coverage because of a misrepresentation. In some cases, the client may not even realize they were making the misrepresentation.
What is Rescission Action?
When we think about the issues that a company has completing cyber liability insurance applications and trying to respond in good faith, it is important to understand the implications of an inaccurate response. Responding incorrectly to a question on the application can leave a company vulnerable to a rescission action.
The concept of recission is to rescind or remove an insurance or cyber liability policy as if it never happened. We see this referred to as “void ab initio.” In this case, the carrier effectively gives back the premium dollars and pretends like the policy never happened. This leaves no coverage for the company at all.
Rescission actions are very rare and require court intervention. For rescission to be granted, there normally must be some egregious act of intentional fraud or misrepresentation on the part of the insured. I believe this is where we get into tricky territory with some of the questions on the cyber liability application.
Why Do Cyber Warranties Matter?
Most cyber liability applications today, even renewal applications, have a “warranty statement” embedded in the application. When the application is signed, the signor is agreeing to this warranty statement. These statements say that any information provided in the application process is accurate and that the signor is effectively guaranteeing that the information is right. The carrier relies upon this statement to issue the policy, and false information gives the carrier the ability to void or rescind coverage.
In a real-life example, Travelers recently filed a rescission action against a cyber insured. Travelers alleged that the insured misrepresented their use of MFA and did not have this fully implemented throughout the organization as represented on the application. When the insured experienced a ransomware case, Travelers not only denied coverage for the claim but filed with the court to rescind the policy.
The legal system will determine if there is a legitimate argument for misrepresentation or concealment of material facts; however, in the meantime, the insured company has no coverage for their loss and must have a legal fight with their insurance company. This is not fun for anyone. Don’t let this happen to you.
How Do You Prevent Rescission Action?
Read each question on the cyber liability insurance application carefully and answer thoroughly in good faith. If you can’t answer “yes” or “no,” then add a text box or a supplemental document to respond completely and accurately to the question being asked.
It’s also important to understand your network and your cybersecurity infrastructure. If you are not certain of the answer to the questions being asked, work with your team members who have in-depth expertise about your processes and products. NPR recently shared a blueprint on some best practices around cyber loss prevention.
The cyber market will continue to evolve, and the carriers in the marketplace are increasing capacity and offering policies to more and more companies. As this happens, new requirements for various controls are likely to continue to get pushed by insurance carriers.
Cyber liability insurance is tricky. Be sure not only that you are covered, but you know “what” is covered. And, if you aren’t sure what you need to do, have questions, or want us to review your cyber exposure or the insurance policies you have in place, reach out to us. We’re happy to help!