July 13, 2022
Matthew Kirkland

Cyber Insurance denied because of MFA

In what may be one of the first court filings of its kind, insurer Travelers is asking a district court for a ruling to rescind a policy because the insured allegedly misrepresented its use of multifactor authentication (MFA) – a condition to get cyber coverage.

Multi-Factor Authentication (MFA) use and ransomware

The case serves as a reminder that insurance companies are increasingly scrutinizing companies’ cybersecurity practices when it comes to underwriting policies and that companies need to be honest about their MFA use – or lack thereof.

MFA is an authentication method that requires more than one factor to verify a user’s identity. The most common form of MFA is two-factor authentication, which combines something the user knows (like a password) with something the user has (like a physical token or fingerprint).

Travelers Property Casualty Co. of America v. International Control Services Inc., No. 22-cv-2145

According to a July 6 filing in U.S. District Court for the Central District of Illinois, Travelers said it would not have issued a cyber insurance policy in April to International Control Services (ICS), an electronics manufacturing services company based in Decatur, Illinois, if the insurer had known the company was not using MFA as it said.

ICS allegedly informed Travelers that it was using MFA to protect access to its computer systems, which is a requirement for the policy, and Travelers contends that the alleged lack of enforcement amounted to “misrepresentations, omissions, concealment of facts, and incorrect statements.”

Travelers said it wants the court to declare the insurance contract null and void, rescind the policy, and declare it has no duty to indemnify or defend ICS for any claim.

The importance of Multi-Factor Authentication

In today’s business landscape, more and more companies are turning to MFA to protect their data and systems. As we’ve seen in high-profile breaches like the one at Equifax, even large organizations with extensive security measures can be vulnerable to attack if they don’t have MFA in place.

For smaller businesses, MFA can be an important line of defense against ransomware and other cyber threats. By requiring multiple layers of authentication, MFA makes it more difficult for hackers to gain access to systems and data.

While the use of MFA is not a guarantee of security, it is a strong deterrent against cyber attacks. For companies seeking to protect their data and systems, MFA is a critical tool in the fight against cybercrime.

Not all authentication is the same

Insurance companies require MFA, but there is some confusion between two-factor authentication (2FA) and MFA. 2FA is a subset of MFA, and not all MFA is 2FA.

MFA requires at least two different independent credentials: typically, something the user knows (password), something the user has (smartphone), or something the user is (biometrics).

2FA only requires two different credentials—but they can be the same type of credential, like two passwords. So, while all 2FA is MFA, not all MFA is 2FA.

If you’d like to know more about the differences between 2FA and MFA, feel free to check out our recent article: 2FA vs. MFA – What’s the difference?

The bottom line

MFA is a vital tool in the fight against cybercrime. Companies should be honest about their MFA use when seeking insurance coverage, as insurers are increasingly scrutinizing cybersecurity practices when underwriting policies.

For more information on MFA and how it can help protect your business, contact Nerds On Site Business IT Solutions today.