Cyber Insurance Coverage Case – Travelers Insurance vs. International Control Services (ICS)

As cyberattacks continue to evolve and grow, it’s more important than ever to ensure that your business is protected. While prevention is the best defense, you may also want to consider purchasing a cyber insurance policy to give your business coverage in the case of an attack. However, it is vital to remain transparent, compliant, and honest about how your business handles your cybersecurity while purchasing insurance policy coverage. Otherwise, it is possible that your insurance company may deny coverage when it matters most.

These are the basics behind the case of Travelers insurance vs. International Control Services (ICS). ICS is an electronics manufacturer based out of Illinois that was the victim of a massive cyberattack.  When it sought coverage for the attack, Travelers denied the claim based upon ICS’ cybersecurity practices.  Specifically, Travelers asserted that, when it applied for its insurance policy, ICS misrepresented its use of multi-factor authentication (MFA) claiming that they used it for “administrative or privileged access”.  Travelers asserted that upon investigation it found that ICS was not only not using MFA to secure its  server, but in fact only used MFA to protect its firewall.  Travelers claimed that, had they known this, they would not have issued the policy.  

There have been few cases of this type so far, but we can expect to see a rise in them as cyber insurance coverage becomes more prevalent. With cyberattacks increasing, it’s important that you consider not only obtaining cyber insurance, but that you carefully review every aspect of your coverage. Insurance companies often deny claims based on misrepresentation and based on this case, we can assume that they will continue to do so with matters of cyber insurance.

Let the Travelers v. ICS case be a lesson to help guide you and your business to avoid similar outcomes. When applying for cyber insurance policies, the best way to approach the insurance company it with factual information, a good understanding of your cybersecurity practices, and a determination to read all of the fine print.

If you need guidance on this and any other cybersecurity issues, I would be happy to help.  Feel free to reach out.

The information presented here is for general educational purposes only. It does not constitute legal advice and does not create an attorney-client relationship.