Multi-factor authentication (MFA) is more than an annoying popup or text message when logging onto a company’s website or platform. Not only is using MFA a sound security practice and good business, it is frequently becoming a prerequisite to procuring (and keeping) cyber liability coverage. Following the May 2021 Colonial Pipeline ransomware attack which shut down the country’s largest oil pipeline for several days, more cyber insurers are now requiring policyholders to implement MFA. Last month, one tech manufacturer learned this lesson the hard way when its insurer filed suit for rescission of its insurance policy and a declaration that the insurer owed no coverage for the company’s losses stemming from a ransomware attack. Travelers Property Casualty Co. of America v. International Control Services Inc., No. 22-cv-2145, complaint filed, 2022 WL 2532994 (C.D. Ill. July 6, 2022).
Travelers’ complaint contains the following allegations: International Control Services, Inc. (ICS) applied for a cyber insurance policy with Travelers. As part of the insurance application, the CEO of ICS was required to sign a “Multi-Factor Authentication Attestation” form. By signing the form, the CEO represented that ICS would require MFA for employees to access email through a website or cloud-based service, for remote access, and for administrative access to directory services, network backup, network infrastructure, and to its endpoints/servers. Travelers issued the policy and the following month, ICS reported to Travelers that it was the victim of a ransomware attack, during which hackers gained access to an ICS server and infected it with a computer virus known as “ZEON.” When Travelers began investigating the incident, it learned that ICS was only using MFA to protect its firewall, but not to protect its server and other digital assets. Travelers refunded ICS’s premium and filed suit in federal court seeking rescission of the policy on the ground that ICS misrepresented the extent to which it used MFA to protect its system.
In general, an insurer may rescind an insurance policy if the policyholder makes a material misrepresentation or conceals facts, even if the policyholder did not actually intend to deceive the insurer. Whether a misrepresentation is material is determined by the effect that the truth would have had on the insurer. Here, Travelers asserts that, had it known that ICS was not using MFA to protect its server and digital assets, Travelers would have not issued the policy.
Travelers has the burden of proving its allegations to succeed on its claims, and it is presently unclear whether it will be able to do so. Needless to say, however, the insured would rather have the insurer pay its claim instead of filing a coverage lawsuit, so this case highlights an important issue for policyholders to focus on when buying or renewing their cyber insurance. Policyholders should carefully review applications for new cyber coverage and renewals to ensure that their security controls meet the minimum standards required by the insurer. Many insurers also offer recommended vendors or resources to help policyholders implement MFA. Not only can using MFA help prevent a data breach, but using MFA to the full extent required will ensure that policyholders actually have the coverage they are depending on to respond to the breach.
 According to a year-long study conducted by Google, New York University, and the University of California, San Diego, MFA blocked 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks on users’ Google accounts. Google Security Blog, New Research: How Effective Is Basic Account Hygiene at Preventing Hijacking (May 17, 2019), https://security.googleblog.com/2019/05/new-researchhow-effective-is-basic.html. According to the U.S. Cybersecurity & Infrastructure Security Agency, businesses should implement MFA “across all networks, systems, and applications[.]” CISA, Capacity Enhancement Guide: Implementing Strong Authentication (Oct. 8, 2020), https://www.cisa.gov/sites/default/files/publications/CISA_CEG_Implementing_Strong_Authentication_508_1.pdf.