By Trave Harmon, CEO — Triton Technologies

The application was signed by two people: the CEO and the employee responsible for the company’s network and information security. Both attested that the company “used multifactor authentication for administrative or privileged access.” That statement was false — and it cost them everything.

In 2022, International Control Services (ICS) suffered a ransomware attack. When Travelers investigated the resulting $1 million claim, they discovered that MFA was deployed in exactly one place: the company’s firewall. Not on any server. Not on any remote access point. Not on the system where the attack actually occurred.

Six weeks after the attack, Travelers filed suit to rescind the policy. Within weeks, ICS agreed. The policy was declared void ab initio — as if it had never existed. No coverage. No obligation to pay. No appeal.

This is not a story about a dishonest company trying to commit fraud. It is a story about an organization that checked a box it did not fully understand, and paid the maximum price. If your business carries cyber insurance, this case applies to you.

Case Snapshot: Travelers v. ICS

Case: Travelers v. International Control Services

Year: 2022

Policy: $1M CyberRisk coverage

What they claimed: MFA deployed for administrative access

What existed: MFA on one firewall. No servers. No remote access.

Result: Ransomware attack. Policy voided. $0 coverage.

Signed by: CEO and the company’s own head of network security.

What ICS Wrote — and What Was Actually True

The Travelers CyberRisk policy application asked whether ICS used MFA for administrative or privileged access. The answer given was yes. Travelers issued a $1 million policy based on that representation, effective April 4, 2022.

Eight weeks later, a ransomware attack compromised ICS systems. The entry point: an administrative account with no MFA protection. Travelers sent investigators. Their findings were precise.

The Gap

MFA was deployed on the company firewall. MFA was not deployed on any server. MFA was not deployed on any digital asset used for remote or privileged administrative access. The server where the attack originated had zero MFA protection.

There was also a prior incident. ICS had suffered a ransomware attack in December 2020 — attackers gained access using a stolen administrator username and password. No MFA had protected that account either. ICS disclosed the 2020 breach during the application process and represented that its security posture had been strengthened. Six weeks after the 2022 attack, Travelers filed suit. ICS stipulated to rescission. The court entered judgment on August 26, 2022.

Policy voided. Coverage: zero. Defense costs: the company’s own problem.

The 7 Questions Your Insurer Is Actually Asking

Cyber insurance applications have become significantly more detailed since 2020. These are the standard questions that major carriers — including Travelers, Beazley, and Coalition — now include on declarations pages. Read them carefully. Each one is a potential rescission trigger.

  1. MFA scope — all email access. “Is MFA enforced for all users accessing email, including web-based email access?” This question is not asking about administrators. It is asking about every user. If a single employee can access company email without MFA, the correct answer is no.
  2. MFA scope — all remote access. “Is MFA enforced for all remote access methods including VPN, RDP, and remote desktop tools?” RDP is the single most common ransomware entry point. If your VPN uses MFA but your RDP sessions do not, the correct answer is no.
  3. MFA scope — privileged and administrative accounts. “Is MFA enforced for privileged or administrative access to servers, domain controllers, and cloud environments?” This was the exact question ICS answered incorrectly. A single unprotected administrative account is a no.
  4. Backup integrity and testing. “Do you maintain encrypted backups stored offline or air-gapped from your production network, and how frequently do you test restoration?” Online-only backups reachable by ransomware do not satisfy this question. Neither do backups you have never tested restoring from.
  5. EDR/MDR coverage. “Do you have endpoint detection and response or managed detection and response deployed across all endpoints, including servers?” The word “all” is not decorative. Servers are endpoints. Partial deployment is a partial no.
  6. Incident response plan. “Do you have a documented incident response plan, and has it been tested within the past 12 months?” A document that has never been formalized, approved by leadership, or walked through in a tabletop exercise is not an incident response plan. A plan tested two years ago does not satisfy “within the past 12 months.”
  7. Third-party and vendor access. “Are all third-party vendors with network access required to use MFA, and is vendor access logged and reviewed?” If your MSP, your accountant, or your payroll provider accesses your network without MFA, the correct answer is no.

The Legal Standard: Why "I Didn't Know" Is Not a Defense

The most common reaction to the Travelers v. ICS outcome is: “But they didn’t intentionally lie.” That reaction misunderstands the law.

Under the majority rule across U.S. jurisdictions, an insurer can rescind a policy based on a material misrepresentation in the application whether the misrepresentation was intentional, negligent, or even an honest mistake. Intent is not an element of the standard. What matters is whether the statement was false and whether it was material.

Material

Whether a reasonable insurer would have considered the fact important when deciding whether to issue the policy — or on what terms.

Void Ab Initio

The policy is treated as if it never existed. The insurer has no duty to defend or indemnify. Prior claims under the policy may also be affected.

Reliance

The insurer must have issued the policy in reliance on the statement. If Travelers would not have issued a $1M policy without MFA being fully deployed — and it would not have — reliance is established.

The 9th Circuit reinforced this standard in Hughes v. First National Insurance (March 2024): “a material misrepresentation or concealment in an insurance application, whether intentional or unintentional, entitles the insurer to rescind the insurance policy ab initio.”

The Travelers v. ICS application was signed by two people — including the company’s own head of network security. Courts interpret co-signature by the security lead as a fully informed, knowing attestation. The “we didn’t know what we had deployed” defense does not survive that signature.

Six Categories Where Businesses Most Often Get It Wrong

The Travelers case involved MFA, but it is one of six recurring categories where the gap between what businesses claim and what they have deployed invalidates cyber insurance coverage.

1. MFA Partial Deployment

MFA on email, but not on VPN, RDP, servers, or cloud consoles. This is the most common pattern leading to rescission. Saying “We have MFA” answers yes to every question when the truthful answer is yes for email and no everywhere else.

2. Backups That Are Not Actually Offline

Online backups, cloud syncs, or network-attached storage reachable by ransomware are not “offline” or “air-gapped” backups. Neither are backups that have never been tested for restoration. Both answers will fail investigation.

3. EDR Installed But Not Monitored

An EDR tool installed on 80% of endpoints with no active monitoring console and no one watching alerts is not operational EDR. If your endpoint protection is self-managed and inactive between incidents, coverage for the gaps is at serious risk.

4. Security Training That Is Not Documented

Informal team conversations do not constitute a security awareness training program. Carriers expect a documented curriculum, delivery records, and employee acknowledgment signatures. If you cannot produce records, your affirmative answer to the training question is unsupported.

5. An Incident Response Plan That Has Never Been Tested

A template downloaded from the internet and placed in a shared drive is not an adopted incident response plan. Carriers want to see evidence of tabletop exercises, defined roles, and annual review. An untested document is a liability, not an asset, at claim time.

6. Uncontrolled Third-Party Access

Vendors, accountants, and IT contractors who access your network via shared credentials, without MFA, or through unmonitored sessions create the same exposure as unprotected internal accounts — and the same rescission risk when access controls are misrepresented.

The Era of Self-Attestation Is Over

For most of the 2010s, cyber insurance applications were checkbox exercises. An underwriter would read your answers, run a quick external scan, and issue a policy. What you said you had was, for practical purposes, what the carrier accepted as true.

That model is ending. Following a wave of rescission cases — Travelers v. ICS being the most visible — major carriers have moved to evidence-based underwriting. The checkbox is still there. But so is the evidence requirement.

What Carriers Now Require (2025–2026)

  • MFA configuration screenshots from your identity provider or VPN console
  • EDR deployment coverage reports showing percentage of endpoints protected
  • Backup system architecture documentation with restoration test records
  • Security awareness training completion logs for the prior 12 months
  • Incident response plan document with revision date and approval signatures
  • Third-party access inventory and MFA enforcement confirmation

Beazley, Coalition, and Aon have each publicly shifted toward requiring documentation at application and renewal — not as optional supplements, but as conditions of binding. Some carriers now conduct pre-binding technical assessments or require third-party security scores from platforms like SecurityScorecard or BitSight.

If your organization is approaching renewal and has not audited the accuracy of every answer on your cyber insurance application, you are carrying an underwriting risk you may not know about — and an insurer that may not pay when you need it most.

What To Do Before Your Next Renewal

The Travelers v. ICS case is a template for what happens when organizations answer insurance application questions without verifying the underlying reality. The following steps are not optional enhancements — they are the baseline for maintaining enforceable coverage.

1. Conduct a Coverage Audit

Review every question on your current declarations page and verify the actual state of your environment against each answer. Do not rely on memory. Pull configuration records, deployment reports, and access logs.

2. Map Your MFA Deployment

Identify every access path into your environment — email, VPN, RDP, cloud consoles, remote management tools, third-party portals — and confirm MFA status on each. Any uncovered path is an application inaccuracy and a breach entry point.

3. Test Your Backups

Perform and document a full restoration test before your next renewal. Confirm your backups are offline or air-gapped. If you cannot restore from a backup in a test environment, you cannot claim offline backup protection on the application.

4. Formalize Your IR Plan

If your incident response plan has not been formally adopted by leadership and tested via tabletop exercise within the past 12 months, do not answer “yes” to that question. Run the exercise, document the results, and get signatures before your renewal date.

Triton Technologies works with businesses across the Northeast to audit their security posture against cyber insurance application requirements. We deploy Sophos endpoint protection and Sophos firewalls — the same stack that answers the EDR and perimeter questions carriers ask — and we produce the documentation that survives an insurer’s post-claim investigation.

If your business is approaching renewal and you are not certain every declaration is accurate, contact us before you sign.

Frequently Asked Questions: Cyber Insurance Declarations

The declarations page is the formal summary of your cyber insurance policy — it lists coverage limits, deductibles, effective dates, and the insured’s representations about their security practices. The application that precedes the declarations page contains the security questionnaire whose answers determine whether coverage is issued and on what terms. Misrepresentations on either document give insurers grounds for rescission.
Yes, under the majority rule in U.S. courts. An insurer may rescind a policy if a material misrepresentation was made in the application, regardless of whether the misrepresentation was intentional, negligent, or an honest mistake. The 9th Circuit reaffirmed this principle in Hughes v. First National Insurance in March 2024. What matters is whether the statement was false and whether it was material to the insurer’s underwriting decision.
Void ab initio means the policy is treated as if it never existed from the date of issuance. The insurer has no duty to defend against claims, no obligation to pay any covered losses, and the insured receives at most a return of premiums paid. In ICS’s case, a ransomware attack that would have triggered a $1 million response generated zero dollars in insurer payment.
A misrepresentation is material if a reasonable insurer would have considered the fact important when deciding whether to issue the policy or on what terms. For cyber insurance, MFA deployment is considered universally material — carriers have stated in pleadings that they would not issue coverage without confirmed MFA for administrative access. Backup status, EDR deployment, and incident response plan existence are similarly material to most carriers.
No. If an application asks whether MFA is deployed for “all” remote access or “all” privileged accounts, a partial deployment is a no. The Travelers v. ICS case is the controlling example: MFA on one firewall, when the question contemplated enterprise-wide deployment, was not sufficient to answer yes. When in doubt, the correct answer describes what actually exists, not what should exist.
Contact your broker immediately and disclose the inaccuracy. Most policies include a provision for mid-term corrections, and most brokers can help you amend the application or notify the carrier. Proactive disclosure is treated very differently from post-claim discovery. Attempting to correct the record after a loss and after investigation has begun is legally and practically far more difficult.
Triton conducts a full security posture audit mapped to cyber insurance application questions — covering MFA deployment scope, EDR coverage, backup integrity, IR plan status, and vendor access controls. We deploy Sophos endpoint protection and Sophos firewalls across your environment and produce the configuration documentation carriers now require during evidence-based underwriting. We work with businesses in Connecticut, Massachusetts, New York, and Rhode Island. Contact us to schedule a pre-renewal assessment.
