(844) 627-8267
(844) 627-8267

TECH INTELLIGENCE: Promises in the dark | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware

Listen to this article

When a manufacturer suffered a ransomware attack, company executives thought its $1 million cybersecurity insurance policy would cover the damages. But the insurer denied coverage, alleging that the policyholder’s initial insurance application misrepresented key conditions of its cybersecurity defenses. In a case that serves as a warning to companies, the policyholder lost out. 

I have heard that an increasing number of companies unintentionally make these small errors on their cyber policy applications and end up paying a big price for it down the road. So, I spoke with two professionals from Lockton Affinity – an affiliate of Lockton Cos., the world’s largest privately held, independent insurance broker – to find out more. What they told me was eye-opening. 

In a 2022 case, an insurer sued a manufacturing company policyholder in federal court alleging the coverage was null and void. The reason: The policyholder misrepresented the extent to which it utilized multifactor authentication — or MFA, a layered approach to securing online accounts, where users must provide a combination of two or more authenticators to verify their identity before gaining access.  

Just the facts 

The insurer alleged that MFA was not being used to protect a server and that the policyholder only used MFA to protect its firewall and did not use it to protect any other digital assets. In August 2022, the policyholder agreed to allow the court to issue a judgment rescinding the policy. The lawsuit was dismissed, and the judgment was in favor of the insurer. 

“Cyber insurance applications have become longer and more complex, and completing them accurately requires great care and focus, and a thorough understanding of what is being asked,” said Jeff Severino, senior vice president and producer at Lockton Affinity. “If an application proves to be incorrect, it can be cumbersome for the insurer to process the claim.” 

It is not uncommon for companies to unintentionally overstate their deployment of MFA solutions, according to Severino. “And that can be a problem if the shortcoming is only discovered after a policyholder has been successfully hacked.” 

Nathan Borghardt, assistant vice president of business development at Lockton Affinity, noted that another common policy application error occurs “when a company incorrectly says it has periodic ‘air gap’ backup procedures — or backups that are stored in a secure location offsite from the business, such as in a secure server facility.” 

Air gap backups can be used to restore data in the event of a natural disaster, like a fire or flood, or if data is lost or corrupted due to a software glitch, hardware failure, or ransomware attack. “But if a policyholder asserts, in their initial application, that they have air gap backups, but they do not, or if they are not backed up periodically, then the policy coverage may be denied or rescinded after the true condition is discovered.” 

More Tech Intelligence


The two cautioned that the underwriting process for cyber insurance policies is rigorous, with a sharp focus on essential controls that can help mitigate overall exposure to data breaches and ransomware events.  

“MFA is critical and will likely remain as a vital control for organizations,” observed Severino. “But other cybersecurity controls are also pertinent to policy applications and the underwriting process. These include conscientious and regular patch management, periodic backups, isolating cloud backups, recognizing and replacing unsupported software; and email scanning and filtering.” 

Added Borghardt, “Other application questions to closely review before completing a cyber insurance application include email authentication, the use of secure remote access solutions, encryption of sensitive information, and the degree to which administrative privileges are restricted; all of these should be well understood and confirmed with your IT provider.” 

A managed IT services provider can provide tailored advice and training on these and other issues, improving a company’s odds of withstanding a cyber-attack while demonstrating compliance with insurance, regulatory and other obligations.  

It is essential that “organizations accurately convey the current status of their controls when they respond to relevant questions in policy applications,” added Severino. “As some court cases have shown, the failure to do so can be costly. While legal remedies available to insurers may vary from one jurisdiction to another, organizations should assume that incorrect answers in applications will have significant and unfortunate consequences.” 

Carl Mazzanti is president of eMazzanti Technologies in Hoboken, providing IT consulting services for businesses ranging from home offices to multinational corporations. 


Click Here For The Original Source.

National Cyber Security