Travelers Property Casualty Company of America took a customer to court after learning that the company, International Control Services, Inc. (ICS), provided false information on its policy application. Specifically, ICS claimed to have implemented multi-factor authentication (MFA), but when it filed a claim following a ransomware attack, forensic investigators found that ICS had not implemented MFA. The contract was voided. Insurers are likely to insist on third-party verification for applicants’ self-attestations.
- Some insurance policies already require third-party assessment or at least spot checking of self-attestations. But the cost of doing so often is close to equal to the prices of some small contracts. This issue is similar to “low or no-doc” loans that crashed the economy around 2008 and is what has derailed cybersecurity industry growth projections for the last 15 years. Good piece to show CXOs, especially the line that captures it all: “…organizations should not expect a payout for poor cybersecurity policies and practices…”
- This makes a lot of sense and is in line with other insurance products that often require some form of inspection before a policy is issued, or may void a policy if after an incident undisclosed deficiencies are found.
- Regardless of context, if you’re self-attesting, be brutally honest and have supporting documentation to support your conclusion. While you could still be challenged, you will be in a much stronger position. If challenged, control the fist of death and embrace the opportunity to learn and explain, strengthen the relationship for the future.