Rescission: A Cyber Insurance Time Bomb?
By: Alex Anglim
Part One: Understanding The Risk Of Rescission
As if increasing instances of ransomware, hacking, malware, and other threats were not enough, businesses might be facing a new cyber threat: the possibility that their cyber insurers will try to rescind (i.e., void) coverage after a cyber incident. But why would cyber insurance policies be more susceptible to rescission than other kinds of insurance? And what can policyholders do to prevent this from happening? In this series of articles, we will discuss those questions and provide actionable information for cyber policyholders.
We begin with a brief explanation of rescission and some key legal principles.
First, when a policy or other contract is rescinded, it is treated as if it never existed. It is said to be “void ab initio,” meaning, it was void from the very beginning. Investopedia.com provides the following concise definition: “Rescission is when a contract is rendered null and void, and so is no longer recognized as legally binding. The courts can free non-liable parties from their agreed obligations and, when possible, will effectively seek to restore them to the position they were in before the contract was signed.”
Second, the remedy of rescission is available only in limited circumstances, and rescission cases typically involve allegations of fraud in the application for insurance. In very general terms, an insurer seeking rescission will argue that (a) it was deceived by statements the policyholder made when applying for insurance, and (b) if the insurer had known the true facts, it would have offered different terms or would have declined to issue the policy.
Consider the example of life insurance. Typically, before purchasing life insurance, an applicant must answer questions regarding his or her medical history. The answers may affect the cost (premium) and might even cause the insurer to decline coverage altogether. If an applicant truthfully discloses his or her history of heart disease, for example, an insurer could either calculate the premium to compensate for the increased risk or decline to provide a policy at all. However, if an applicant lies and claims to be healthy, then later dies prematurely, the insurer is likely to try to rescind (void) the policy.
Third, legal rules differ by state, but some states do not require an insurer to prove that the policyholder intentionally lied to get insurance. As a result, insurers sometimes attempt to rescind policies in situations where the policyholder did not intend to defraud them.
Why Might Cyber Policies Present An Enhanced Risk Of Rescission?
In the life insurance example discussed above, let’s assume the applicant suffered a previous heart attack and was under the care of a cardiologist at the time of the application. In that instance, assuming the insurer asked a clearly worded question about whether the applicant had been diagnosed with heart problems, it should have been a simple matter for the applicant to disclose that information accurately. In other words, a false answer in that situation suggests that the applicant intentionally lied to the insurer.
By contrast — and as most cyber policyholders have learned — cyber insurance applications are far from simple.
This is true for several reasons. First, cyber insurance applications typically are lengthy, detailed, and require technical knowledge to complete properly. Second, for large organizations, it can be difficult to determine which individual (or individuals) knows the answers to certain questions. Third, technology is constantly changing, even to the point that the meaning of technical terms changes over time. Fourth, organizations are constantly changing and updating their hardware, software, service providers, security practices and procedures, and other IT-related matters.
As well, I infer the following from my conversations with business leaders: (a) they are concerned about cyber risks and are actively working to reduce those risks, including by deploying substantial capital and organizational resources and also by purchasing insurance; (b) they find cyber insurance applications to be challenging to complete and they worry about making inadvertent errors; and (c) importantly, they view those inadvertent errors as part of the risk they are insuring against, rather than something their insurer might seize upon to avoid paying a claim.
A Recent Example From The News
A case recently reported in the insurance press might be an early warning sign of what is to come. In Travelers Property Casualty Co. of America v. International Control Services Inc., U.S. District Court, Central District of Illinois, No. 22-cv-2145, the insurer alleged that the policyholder (ICS) said in its application that it used multi-factor authentication (“MFA”) for administrative or privileged access. When a claim was filed, the insurer allegedly discovered that ICS was not using MFA to protect its server. Instead, the insurer alleged that ICS “only used MFA to protect its firewall, and did not use MFA to protect any other digital assets.” On that basis, the insurer sued to rescind the policy.
Thus, based on the insurer’s complaint, it appears that the policyholder was using MFA, but perhaps was not using it in the precise way that the insurer thought was sufficient based on the phrasing of the particular question in the application. It certainly seems possible that this was the type of mistake that ICS’s upper management wanted to insure against, only to find that its insurer would use it as a basis to rescind the policy.
If the possibility of mistakes in cyber applications is high (as it seems to be) and insurers might seize on inadvertent “misrepresentations” after a loss, then what can be done? The answers to that question are multi-faceted and will be discussed in future installments.