Reed Smith Client Alerts

This past May, Illinois-based electronics manufacturing services company International Control Services, Inc. (ICS) fell victim to a ransomware attack – apparently the second of its kind in two years to impact the company. Although ICS reported the incident to its cyber insurer, the insurer denied its claim for coverage and then filed a lawsuit against ICS alleging that the cyber insurance policy was in fact null and void based on information that ICS purportedly provided in its application for the policy.

The lawsuit

ICS’s cyber insurer, Travelers Property Casualty Company of America (Travelers), filed its lawsuit on July 6, 2022, in the Central District of Illinois. In the suit, Travelers asks the court to issue a declaration that the $1 million cyber policy it issued to ICS is rescinded because, in its application for insurance, ICS allegedly misrepresented its protocols regarding its use of multifactor authentication (MFA).

Travelers alleges that ICS represented on its policy application materials that the company requires MFA for employees and third parties to access email, remotely access the company’s network, and gain access to endpoints, servers, network infrastructures, directory services, and the like. Travelers claims that ICS was in fact only using the MFA protocol on its firewall and that access to its other systems – including its servers, the target of the ransomware attack at issue – was not subject to MFA’s heightened protections. Had Travelers known this, it argues, it wouldn’t have issued the policy to ICS in the first place. Accordingly, Travelers argues the court must “rescind the policy and declare that there is no coverage for any losses, costs or claims submitted by ICS to Travelers for coverage under the policy.”