The district court for the Central District of Illinois has been asked to rescind a policy and issue declaratory judgment following an insured’s alleged misrepresentation of its use of multifactor authentication (MFA) in its application for cyber coverage.
MFA is an electronic authentication method that requires users to successfully present two or more pieces of evidence before being granted access to a site or application.
In its application for cyber coverage, International Control Services Inc. (ICS) allegedly informed Travelers that it used MFA to protect access to its computer systems, as required by the policy.
Following a ransomware attack on ICS in May 2022, Travelers discovered ICS had only been using MFA to protect its firewall, and not its server and other digital assets, contrary to ICS’ policy application, which stated that MFA would be used for all administrative and privileged access.
Travelers stated that ICS made statements in its application that amounted to, “misrepresentations, omissions, concealment of facts, and incorrect statements” and that this “materially affected the acceptance of the risk and/or the hazard assumed by Travelers”.
“Travelers said it wants the court to declare the insurance contract null and void, rescind the policy, and declare it has no duty to indemnify or defend ICS for any claim.”
Under English law, fair presentation of risk is covered under Section 3 of the Insurance Act 2015, which requires insureds to disclose all material circumstances they (including their senior management) know or ought to know, after having carried out a reasonable search.
Rather than relying on arguments relating to the presentation of risk, in many cases a straightforward exclusion of the peril underwriters don’t wish to cover can be more effective and easier to enforce.