- Robert Stines
Technology Company Hit Twice By Ransomware
Even technology companies get hit with ransomware, or so says a lawsuit that was filed in Illinois.
Travelers Property Casualty Company of America filed a lawsuit against a technology company that provides electronics manufacturing services for various industries. Travelers seeks to rescind a Cyber Insurance policy because of alleged material misrepresentations on an application.
First Ransomware Attack
According to the Complaint, in December 2020, International Control Services ("ICS") was the victim of a ransomware attack. The bad guys gained access to an ICS server by using the username and password of an ICS administrator’s account.
We presume ICS solved the problem and moved on from the event. Then in March 2022, ICS submitted a CyberRisk Tech Application to Travelers. ICS disclosed the 2020 Ransomware Event to Travelers and represented that ICS had instituted cybersecurity improvements following the 2020 Ransomware Event.
The CyberRisk Tech Application had the following question:
Indicate whether the Applicant requires multi-factor authentication for Administrative or privileged access
ICS answered “Yes”
Additionally, in connection with the Application, and at Travelers’ request, ICS provided Travelers with a Multi-Factor Authentication Attestation.
Second Ransomware Attack
On or about May 25, 2022, ICS was hit with another ransomware attack, during which intruders gained access to an ICS server.
Travelers claims that during the course of investigating the 2022 Ransomware Event, Travelers learned that at the time ICS completed and submitted the Application Documents, (1) MFA was not being utilized to protect the Server and (2) ICS only utilized MFA to protect its firewall, and did not use MFA to protect any other digital assets.
Travelers Wants the Court's Assistance
Travelers believes that there was a material misrepresentation on the application, and if it had known the truth, it would not have issued the cyber policy. Specifically, Travelers states that:
As a result of the material misrepresentations, omissions, concealment of facts, and incorrect statements in the Application Documents, the Court should rescind the Policy and declare that there is no coverage for any losses, costs or claims submitted by ICS to Travelers for coverage under the Policy, including without limitation, losses, costs or claims relating to the 2022 Ransomware Event.
Early Days Of Litigation
Travelers filed the Complaint on July 6th, and ICS has not responded yet. So, we are in the very early stages of this lawsuit. ICS may have some solid defenses.
It will be interesting to learn if Travelers argues that it would have issued the cyber policy ONLY IF MFA was implemented on ALL digital assets. Or, was it necessary to implement MFA on SOME digital assets.
It seems that there is a critical causation element to this lawsuit. Meaning, would MFA have thwarted the bad guys. Or, even with MFA on the server, would the bad guys have still been successful.
I am curious to learn what vector or vectors the bad guys used to successfully hit the company with ransomware . . . . twice! If it was the same vector for both events, then the company may have some difficult questions to answer.
The Insurance Application
Cyber is a difficult risk to underwrite and insurance companies are trying their best to better manage the portfolio of risks they will agree to insure. The insurance application is one way to manage risks and insurance companies are requiring applicants to implement MFA and other related security protocols to prevent cyber-incidents.
This case is an example of why the application process is very important and should be considered a team effort between executives, IT specialists, risk managers and probably the legal department.
The Complaint in this lawsuit can be found here:
~ Florida Cyber Lawyer, Robert Stines, Esq., CIPP