Specialty Podcast: Are Ransomware Payments Covered by Your Cyber Insurance Policy?
By Alliant
Policyholders need to ensure that the representations they make as part of the insurance application are accurate, or could face challenges obtaining coverage for a subsequent claim. In this episode, David Finz and Matia Marks, Alliant, discuss a pending case involving a ransomware attack on a luxury company with high-profile clientele data and whether or not there will be coverage for the multi-million dollar extortion payment. What will the outcome of this case mean for clients facing an increasingly complex underwriting process for Cyber insurance?
Intro (00:00):
You're listening to the Alliant Specialty Podcast, dedicated to insurance and risk management solutions and trends shaping the market today.
David Finz (00:09):
Well, welcome to another edition of the Alliant Specialty Podcast. I'm your host David Finz, and with me today is our financial line's Product and Thought Leader, Matia Marks. We're here to talk about a concerning development in the world of insurance coverage litigation, without getting into the names of the particular parties involved. Matia, why don't you tell us a little bit about this recent court filing, where an insurance carrier is refusing or seeking to refuse to cover a policy holder's ransomware claim?
Matia Marks (00:43):
Sure. David, thanks so much. It's a pleasure to be here today with you chatting about this interesting development in the world of cyber. So, in this recently filed complaint, an electronic manufacturing services company that purchased a cyber liability insurance policy from a carrier in early 2022, completed an application, which contained a question concerning the company's use of multifactor authentication. And in response to the question, the company responded in the affirmative as well as to an attestation regarding the use of MFA. The application was signed by the company's Chief Executive Officer and submitted to the insurance carrier and the attestation required the insurer to confirm that multifactor authentication was required for all employees when accessing email through a website or cloud based service, for all remote access to their network provided to employees as well as contractors and third-party service providers, and, in addition to remote access, that multifactor authentication was required to gain access to third-party service providers for remote and administrative access to directory services, all internal and remote administrative access to network backup environments, all internal and remote administrative access to network infrastructure like firewalls, routers and switches, and all internal and remote administrative access to the organization's endpoints and servers. And then several months after this policy was bound, the company was a victim of a ransomware attack whereby intruders gained access to its server and infected it with a virus. And throughout the investigation of this ransomware attack, the insurance company found out that the multifactor authentication was not as the insured had represented.
David Finz (02:32):
Given their position right now. I mean, what is the amount in dispute? How much money are we talking about here, potentially?
Matia Marks (02:39):
Yeah, the insurance company's position is that they not only want to preclude coverage for this particular claim. They're looking to rescind the entire policy, which was a million-dollar policy for cyber insurance.
David Finz (02:53):
So, they're essentially asserting that there was a misrepresentation in the application.
Matia Marks (02:59):
Absolutely.
David Finz (02:59):
Right, now, isn't the standard for that basically that they would have to show that they would not have underwritten the coverage. I mean, is it that material on misrepresentation here, at least in theory?
Matia Marks (03:09):
It is. That's what the insurance carrier is arguing. They're attempting to say that had they known the truth, that they would not have underwritten the policy.
David Finz (03:17):
Okay. So, given the fact that the cyber insurance underwriting process has become much more arduous, you know, over the past couple of years with ransomware supplemental questionnaires and the level of detail that insureds are being required to put forward as part of the underwriting submission, you know, what does this mean for businesses that are applying for the insurance in terms of the importance of making sure that the information they furnish is accurate?
Matia Marks (03:45):
Yeah. It makes it the utmost importance. It's really important to be very, very clear in your responses to these questions. Make sure you understand what the question is asking, consult your insurance broker for assistance, if you don't understand, and if the question is asking for a simple yes or no answer, perhaps it makes sense to elaborate in some sort of supplemental attachment to the application to make sure that the response is as truthful as it possibly can be.
David Finz (04:13):
Well, that's interesting that you say that because I've seen a lot of these carrier applications and the simple, yes, no answer might not tell the whole story, right? It may be a situation where the question doesn't apply to their operations or they've come up with some other type of control, some other type of work around that is substantially equivalent, or it could be a work in progress. I mean, there could be all kinds of reasons that an insured cannot give a simple yes, no answer. And would you agree? I mean, these forms don't always provide that room for a narrative, right. So, what, as a broker, should we be doing to help our clients navigate that?
Matia Marks (04:53):
Yeah. I think that to the extent that the question simply asks for a yes or no answer, if that doesn't do your response justice, then you need to create your own supplemental and make sure that you're as clear as possible. And I also think too that if, to the extent that you're unable to provide an affirmative answer, you need to work with your underwriter to potentially get the coverage at a later point in time. So, it's important to keep these lines of communication open and make sure that you're, as I said, as truthful as possible, and that you're working with your broker and the potential markets in order to get the coverage as soon as it's available to you.
David Finz (05:33):
Is there a way if they put an exclusion on a policy because the insured is lacking a specific control to have that removed, once that issue has been remediated, like, is that something that can be done midterm?
Matia Marks (05:46):
Absolutely.
David Finz (05:47):
So, I mean, you know, the takeaway here, for our listeners, is to make sure that the information they provide is as accurate as possible and to not simply rely on the, yes, no answer to tell the whole story. From the standpoint, I know that you have some subject matter expertise in the area of representations and warranties, when an insured is applying for coverage, and they're asked to make a representation or warranty around this coverage. What is the difference between the two and how should they be comporting themselves with the underwriters in terms of what the application signifies, what the underwriting submission signifies?
Matia Marks (06:25):
Yeah, it's important to make sure that the application is stating that to the best of the individual who is signing the application, to the best of that individual's knowledge, that as of that particular date, that they have no knowledge of any representation that could potentially be untrue. And the difference between a representation and a warrant is that a representation is a statement of fact, as of that point in time, and a warrant is a promise that continues throughout the lifetime of the policy. So, it's important to make sure that you're not making those types of promises, especially when you can't represent that that's always going to be true at that particular time, and in the future.
David Finz (07:01):
That's an important point because on a cyber policy, at least for the first party loss, typically the operative date, is the date that the control group, the handful of folks in the C-suite discover an event. So, if something was perhaps accurate at the time that the application was submitted, but under a warranty, for some reason didn't apply on that particular date, could that jeopardize coverage at a later date?
Matia Marks (07:29):
It could, and so that's why it's important to make sure that not only do you understand the questions, but you understand what you're representing by signing that application.
David Finz (07:38):
Right, and so, you know, again, this is the type of stuff that as a risk advisor, we would want to make our clients aware of. Any parting thoughts for our listeners?
Matia Marks (07:47):
Yeah. I think that in light of the fact that underwriters are becoming more discerning with regard to the risks that they're willing to undertake and the type of underwriting information that's required, policy applications, like the one issue here, that are seeking more granular details, it's very, very important to make sure, as I said, that you understand the questions that you're going over, those security controls and procedures with your broker and that any representations that you're making in the application are as truthful as they possibly can be at the time they're made.
David Finz (08:18):
Well, this is definitely a case worth watching, and we will continue to monitor this litigation as it develops. And I want to thank you, Matia for taking the time to join us today and to help educate our listeners. Here at Alliant, we are always seeking to find ways to help our clients find the more rewarding way to manage risk. And if you'd like to learn more about our capabilities in all of the specialty lines, not just cyber, you can visit our website at www.Alliant.com. Thank you for joining us today. Take care.
Alliant note and disclaimer: This document is designed to provide general information and guidance. Please note that prior to implementation your legal counsel should review all details or policy information. Alliant Insurance Services does not provide legal advice or legal opinions. If a legal opinion is needed, please seek the services of your own legal advisor or ask Alliant Insurance Services for a referral. This document is provided on an “as is” basis without any warranty of any kind. Alliant Insurance Services disclaims any liability for any loss or damage from reliance on this document.
Thanks for your message.
We’ll be in touch shortly.