Many cyber insurance policy application forms include a question asking the applicant to confirm whether multi-factor authentication (“MFA”) is in place for all applications and APIs. Insureds’ answers to that question now come under considerable scrutiny when an incident is notified and the insured is hoping for its cyber insurance to come to the rescue. This article provides an overview of the topic from a UK and a German perspective and gives practical advice on what you should do as a matter of priority to maintain your cyber insurance.
In the UK, as a result of the Insurance Act 2015, applicants for insurance are subject to the “duty of fair presentation”. This replaced what was known as the “duty of utmost good faith”.
In short, the duty of fair presentation requires applicants for insurance to provide information an insurer would want to know when considering incepting a policy and setting the premium. Importantly, the duty also includes the requirement that “each material representation as to a matter of fact is substantially correct”.
The consequence of a failure to fulfil the duty of fair presentation is that, if an insurer can show that had the insured fulfilled its duty of fair presentation it would not have written the insurance at all, or would only have done so on different terms, the insurer will have a remedy against the policyholder.
If the breach of duty was deliberate or reckless, the insurer will be able to avoid the policy without returning any of the premiums paid and refuse all claims.
If the breach was neither deliberate nor reckless, the remedy is determined by what the insurer would have done had the duty of fair presentation been complied with:
Following on from ii., if the insurer would have charged a higher premium, the insurer is permitted to reduce the amount to be paid out in relation to any claim made on the policy in proportion to the underpayment of premium.
In Germany, too, applicants for insurance are subject to a duty of disclosure. According to the German Insurance Contract Act, the applicant/policyholder must disclose to the insurer, before making his contractual acceptance, the risk factors known to him which are relevant to the insurer's decision to conclude the contract with the agreed content and which the insurer has requested in writing. If the insurer asks such questions after receiving the applicant's/policyholder's contractual acceptance but before accepting the contract, the applicant/policyholder is also under the duty of disclosure as regards these questions. If the policyholder breaches his duty of disclosure, the insurer may withdraw from the contract.
Breach of the duty of disclosure is the typical objection raised by insurers. Cyber insurers regularly refuse cover on the grounds of (allegedly) grossly negligent incorrect answers to pre-contractual risk questions and withdraw from the insurance contract on the grounds of breach of the duty of disclosure. In addition, insurers usually try to reduce the benefits by arguing that the company caused the insured event through gross negligence, in that inadequate IT security made the attack possible in the first place.
Through the forensic investigation of cyber incidents, a natural and essential part of the response to a cyber incident, insurers are finding evidence that MFA is not in fact in place across all applications and APIs. The prime suspects where MFA is not applied are self-hosted applications, line-of-business applications and open-source tooling.
From a UK perspective, if an insured has confirmed in the application process that MFA is in place across all applications – or, for example, across administration and remote access applications – and it is then shown forensically that it was not, the insured is clearly in breach of its duty of fair presentation, with the consequences detailed above. The net effect is that it is entirely possible that, due to an incorrect response to the MFA question in an insurance application form, the insured will be declined cover at the very moment it desperately needs it.
From a German law perspective, too, policyholders are well advised to answer the questions on MFA and their security status correctly when an insurance company conducts a risk assessment. However, should there be an allegation of a breach of the duty of disclosure, the recent ruling of the Regional Court of Tübingen on the topic of cyber security shows that insurers do not always succeed in their argumentation.
In short, the court ruled that the insurer must compensate for the damage caused by a successful phishing attack with subsequent encryption of the IT systems, even though some of the systems were not equipped with the latest security updates. This is because the possible breach of a duty of disclosure in this respect was causal neither for the occurrence or determination of the insured event nor for the determination or scope of the duty to pay benefits. This ruling makes it clear that in cyber insurance cases, the nature of the attack and the security measures to be taken by the company must always be assessed on a case-by-case basis.
The main points of the ruling are as follows:
You cannot predict when a cyber incident may hit, so act on this without delay.