ICS’s cyber insurer, Travelers Property Casualty Company of America (Travelers), filed its lawsuit on July 6, 2022 in the Central District of Illinois. By way thereof, Travelers asks the court to issue a declaration that the $1 million cyber policy it issued to ICS is rescinded because, in its application for insurance, ICS allegedly misrepresented its protocols regarding its use of multifactor authentication (MFA).
Travelers alleges that ICS represented on its policy application materials that the company requires MFA for employees and third parties to access email, remotely access the company’s network, and gain access to endpoints, servers, network infrastructures, directory services, and the like. Travelers claims that ICS was in fact only using the MFA protocol on its firewall and that access to its other systems – including its servers, the target of the ransomware attack at issue – were not subject to MFA’s heightened protections. Had Travelers known this, it argues, it wouldn’t have issued the policy to ICS in the first place. Accordingly, Travelers argues the court must “rescind the policy and declare that there is no coverage for any losses, costs or claims submitted by ICS to Travelers for coverage under the policy.”