The Hole in the Cyber Insurance Net
There is a hole in the cyber insurance net that stems from the insured’s inadvertent (hopefully not intentional) failure to understand its security measures and maintain them throughout the life of the policy. Unfortunately, too many insureds—law firms included—do not have a written information security policy (WISP) that sets forth the procedures for evaluating its electronic and physical methods for accessing, collecting, storing and protecting its data. Unless you know what you have and where it is located, it’s hard to know what you need to protect.
An insured’s failure to fully understand its data security practices and procedures can lead to material misrepresentations, omissions, and incorrect statements in the application for insurance. The consequences of misstatements or omissions in the policy application cannot be understated. Unfortunately, one business that had a large data breach suffered those consequences when it was denied coverage and had its policy rescinded.
In Travelers Prop. Cas. Co. v. Int’l Control Servs., Inc., 2:22-cv-02145, complaint filed, 2022 WL 2532994 (C.D. Ill. July 6, 2022), Travelers sought to rescind its cyber liability coverage of the insured, International Control Services (ICS), because of material misrepresentations allegedly made by the insured in connection with its application for the policy. The insured had represented that “to the best of [its] knowledge and belief, and after reasonable inquiry, the statements provided in response to this Application are true and complete … . (Id.). Travelers’ success in rescinding the policy was based on the fact that ICS, in its policy application, stated (and signed a separate attestation) that it required multifactor authentication to gain administrative access to its data. Upon investigation, Travelers determined that ICS misrepresented the scope of its authentication process, resulting in the breach. The parties agreed to rescind the policy and the lawsuit was dismissed with prejudice by a stipulated order.
The Travelers case clearly establishes the consequences of an insured’s failure to follow the policies and procedures claimed in its application. In fact, most insurance policies have a specific exclusion that precludes coverage for claims arising from the policyholder’s failure to maintain adequate security standards. As a result, insureds must regularly monitor, update, and test all cybersecurity requirements mandated in their policy.
The increase in data breaches, the costs resulting from them (which can include potential criminal and regulatory liability), the security measures and representations required by some law firm clients (banks in particular) and insurance companies, and the need to stay abreast of constantly changing threats, demand that law firms (and their clients) implement and closely monitor cybersecurity policies and practices. Best practices require at least an annual review of the written information security policies and practices.