By Michael Mullin, Integrated Business Systems, Inc.

As the financial leader of an organization, you’ve likely always trusted in predictability. Numbers do not deceive—they exist, telling their story with stark honesty.

But what happens when the variables are as unpredictable as a cyberattack or a compliance misstep? Imagine, for a moment, the intricate network of our systems, each aspect relying on the others to remain functional. Now, imagine a single, overlooked error, a missed digit, an unchecked box.

This case involving Travelers Insurance and ICS struck a far-reaching chord with both large and small businesses, illustrating how a single “yes” answer on the cyber insurance application triggered a cascading impact, ultimately resulting in not only a denied claim but also a lawsuit and the rescission of the entire cyber insurance policy.

Today’s fact: Cyber insurers lost money until they changed three key aspects: their application questions, compliance requirements, and the level of scrutiny they applied to the first two in the event of a claim.

Guess which one bit Travelers Insurance?

Reading Between the Lines

The courtroom drama surrounding the Travelers/ICS matter reveals a simple yet daunting truth: accuracy is paramount when dealing with cyber insurance.

Here lies the paradox: While your team may believe the answers they provided in the initial cyber insurance application or the renewal process are accurate, the finer details of your cyber defenses demand thorough inspection, as that is where the actual risks often lurk.

The most critical piece is this: what your company states in the initial or renewal application must remain valid for the life of the policy, and you must be able to prove your compliance on demand as long as the policy remains in force.

And if you have a cyber insurance claim, the most critical piece is the PROOF piece.

Travelers said they had multi-factor authentication in place for all critical systems. This was an inaccurate answer, and Travelers could not prove their compliance. This turned out to be a significant error with long-ranging financial implications.

The Power of Preparedness

Reflecting on the ICS ordeal, a question arises: How truly prepared are we? The challenge lies not only in implementing policies but also in ensuring procedural fidelity. Could regular checks and balances provide that coveted peace of mind?

What strategies can we employ to enhance not only the accuracy of our applications but also the resilience of our systems?

What if our cyber defenses included a methodology that consistently and regularly measures internal policies against our cyber insurance requirements?

What if we could quickly adapt to new threats, requirement changes, and real-world scenarios through our ongoing checks and balances?

Beyond the Surface: Getting and Keeping Your Coverage

We’ve seen it happen when well-meaning insurance advisors suggest that “yes” is the right answer to every question asked in the cyber insurance application process.

Not so.

The correct answer is the accurate one; otherwise, you risk being denied coverage due to the dreaded phrase that Travelers has heard too many times: material misrepresentation. The finding was that their assertion that they had MFA in place was a material representation that made it possible for Travelers to deny their claim definitively.

Suppose the accurate answer will cause your premium to be higher. In that case, you’ll need to evaluate whether the higher price is worth paying compared to the cost of implementing the policies and procedures, the technological solution, or both, including an assessment of the potential costs if you are the victim of a cyberattack.

In most cases, the cost of implementing a cybersecurity solution will be significantly less than the cost of self-funding recovery from a cyberattack.

All the Last Details

Here’s what happened: Travelers Property Casualty Company of America filed a complaint in federal court for rescission and declaratory relief against its insured, International Control Services, Inc. (ICS). The lawsuit was dismissed, with judgment entered in favor of Travelers, after ICS agreed to allow the court to issue a judgment rescinding the policy.

In other words, ICS ended up with no cyber insurance policy and 100% on the hook to pay every cost associated with recovery from their ransomware attack.

All because they allegedly “materially misrepresented” the extent to which they had implemented multi-factor authentication.

Inviting Reflection and Action

As you consider your cyber insurance status and the need to not only remain compliant but also demonstrate compliance, consider aligning your business with an external third party. Such a relationship can help you navigate the increasingly complex waters and be an asset to you should you ever have a challenge to your insurability.

One thing is for certain: the steps needed to obtain a cyber insurance policy and maintain a cyber insurance policy are not going to get any easier.

Michael Mullin is president of Integrated Business Systems, Inc.