Multi-Factor Authentication and Cyber Insurance: What is the problem and what should you do to keep your cyber insurance?

What is the problem?

In the UK, as a result of the Insurance Act 2015, applicants for insurance are subject to the “duty of fair presentation”. This replaced what was known as the “duty of utmost good faith”.

In short, the duty of fair presentation requires applicants for insurance to provide information an insurer would want to know when considering incepting a policy and setting the premium. Importantly, the duty also includes the requirement that “each material representation as to a matter of fact is substantially correct”.

The consequences of a failure to fulfil the duty of fair presentation are that if an insurer can show that had insured fulfilled their duty of fair presentation it would not have written the insurance at all, or would have only done so on different terms, the insurer will have a remedy against the policyholder.

If the breach of duty was deliberate or reckless, the insurer will be able to avoid the policy without returning any of the premiums paid and refuse all claims.

If the breach was not deliberate nor reckless, the remedy is determined by what the insurer would have done had the duty of fair presentation had been complied with:

1. If the insurer would not have issued the policy, it will be permitted to avoid the policy and refuse claims, but it will have to return the premiums paid;
2. If the insurer would have issued the policy on different terms, the policy will be treated as if those different terms were put in place at the outset.

Following on from ii., if the insurer would have charged a higher premium, the insurer is permitted to reduce the amount to be paid out in relation to any claim made on the policy in proportion to the underpayment of premium.

Also, in Germany applicants for insurance are subject to a duty of disclosure: according to the German Insurance Contract Act, the applicant/policyholder must disclose to the insurer before making his contractual acceptance the risk factors known to him which are relevant to the insurer's decision to conclude the contract with the agreed content and which the insurer has requested in writing. If, after receiving the applicant’s/policyholder's contractual acceptance and before accepting the contract, the insurer asks such questions, the applicant/policyholder must also be under the duty of disclosure as regards these questions. If the policyholder breaches his duty of disclosure, the insurer may withdraw from the contract.

Breach of the duty of disclosure is the typical objection raised by insurers. Cyber insurers regularly refuse cover on the grounds of (allegedly) grossly negligent incorrect answering of a pre-contractual risk questions and withdraw from the insurance contract on the grounds of breach of the duty of disclosure. In addition, the insurers usually try to reduce the benefits by arguing that the company caused the insured event through gross negligence due to inadequate IT security, which made the attack possible in the first place.

Multi-factor authentication

Through the forensic investigation of cyber incidents, a natural and essential part of response to a cyber incident, insurers are finding evidence that MFA is not in fact in place across all applications and APIs. The prime suspects where MFA is not applied are self-hosted applications, line of business applications and opensource tooling.

From a UK perspective, if an insured has confirmed in the application process that MFA is in place across all applications – or, for example, over administration and remote access applications -, when forensically it is shown that it was not, the insured is clearly in breach of its duty of fair presentation and that brings the consequences detailed above. The net effect is that it is entirely possible that, due to an incorrect response to the MFA question in an insurance application form, the insured will be declined cover at the very moment it desperately needs it.

Also from a German law perspective, policyholders are well advised to answer the questions on MFA and their security status correctly when an insurance company conducts a risk assessment. However, should there be an allegation of a breach of the duty of disclosure, the current ruling of the Regional Court of Tübingen on the topic of cyber security shows that insurers do not always succeed in their argumentation.

In short, the court ruled that the insurer must compensate for the damage caused by a successful phishing attack with subsequent encryption of the IT systems, even though some of the systems were not equipped with the latest security updates. This is because the possible breach of a duty of disclosure in this respect was neither causal for the occurrence or determination of the insured event nor for the determination or the scope of the duty to pay benefits. This ruling makes it clear that in cyber insurance cases, the nature of the attack and the security measures to be taken by the company must always be assessed on a case-by-case basis.

The main points of the ruling are as follows:

• The insurer cannot subsequently interpret its pre-contractual risk questions narrowly. A broadly formulated question must also be interpreted broadly, so that the insurer's broadly formulated question alone precludes the company from providing an incorrect answer and losing the insurance coverage.
• Furthermore, an insurer’s withdrawal fails due to the lack of the fault if the insurer indicates in the pre-contractual phase that it does not have high IT security requirements.
• The policyholder could also argue that the specific breach of obligation was not causal for the success of the cyberattack. In the present case, the company had failed to install security updates. However, the attackers exploited a software weakness ("design weakness") that would have existed even if all updates had been installed. According to the Regional Court of Tübingen, the insurer was therefore still obligated to provide insurance coverage and could not withdraw from the contract if the company's conduct in compliance with its obligations would also have led to the damage.
• The insurer also has no right to reduce benefits if the relevant risk situation already existed at the time of conclusion of the contract and was or could have been the basis for the insurer's risk assessment. The policyholder is not obligated to improve the risk situation.

What should you do as a matter of priority to keep your cyber insurance?

• Comprehensively document the security measures taken and the pre-contractual communication with the insurer to be able to demonstrate, if necessary, that the insurer has received all relevant documentation on the IT system.
• Check the accuracy of your response to the MFA and other security questions.
• Make sure with your CTO and IT team that your response was and is correct.
• If your response was inaccurate in whole or in part, then you should notify your broker/insurer without delay and clarify the correct position.
  This may lead to a withdrawal of cover or possibly the adjustment of cover to address the revised information.
• You may wish to remedy the deficiency by ensuring MFA is in operation as required by the terms of your policy.
  If you can remedy the situation or show an urgent programme in operation to do so, you will be in a better position to seek to avoid a withdrawal of cover.
• In the event of a cyber-attack, carefully document the facts of the case and involve an IT expert as soon as possible.

You cannot predict when a cyber incident may hit. So, act on this without delay.