A community bank with $600 million in assets gets hit with ransomware. The IT team responds quickly. Backups are intact. The bank notifies its regulator within 36 hours. The board is briefed. The bank files a claim under its cyber policy: $5 million limit, reputable carrier.
The carrier assigns breach counsel and a forensics firm.
The attacker gained access through a legacy VPN without multi-factor authentication. The bank’s cyber application, signed 14 months earlier, said MFA was deployed on all remote access points.
The VPN was scheduled for decommissioning. Its replacement was already running. But the old one was still active, still accepting single-factor logins.
The carrier pulls the application. The fine print at the bottom says every answer is a promise the carrier relied on when issuing the policy. One outdated VPN turned one answer from true to false.
The carrier sends a reservation of rights letter (legal for “we might not pay this”). Then a rescission notice. The entire policy is void. Not just the VPN-related claim. The entire $5 million in coverage. Gone.
This has already happened. In 2022, Travelers filed suit to rescind a cyber policy after the insured misrepresented its MFA deployment. The insured consented to rescission. The policy was voided (Travelers v. International Control Services, C.D. Ill., 2022).
Two Standards, One Bank, No Cross-Check
The bank passed its IT examination. The bank passed its insurance application. Nobody checked whether the answers matched.
Same Bank. Two Different Questions.
The examiner and the carrier never compare notes. The bank finds out when it files a claim.
Rescission vs. Denial
Most people assume a denied claim is the worst outcome. It is not.
The carrier does not need to prove the bank lied. An honest mistake, a control that lapsed, or a vendor-managed system that changed without the bank’s knowledge: any of these can be enough.
Banks Get Hit Twice
When a carrier rescinds a bank’s cyber policy, the bank does not just lose coverage. It gains a regulatory problem.
The incident costs money. The rescission costs insurance. And the examiner who was told the bank had adequate cyber coverage now wants to know how a false statement ended up on the application, and why nobody caught it.
The No-Rescission Clause
There is a fix. A no-rescission clause (sometimes called a severability endorsement) limits the carrier’s ability to void the entire policy based on an application error.
With this clause, the carrier can still deny coverage related to the specific misrepresentation. But it cannot void the entire policy. The remaining coverages stay in force.
Without it, one inaccurate answer on a 15-page application can erase $5 million in coverage at the moment the bank needs it most.
In the bank cyber policies I have reviewed to date, none included a no-rescission clause. Some carriers offer it as standard on their commercial forms. It is worth asking for at renewal.
What to Do Before Your Next Renewal
Security warranties are one of the first things examiners will question after a breach. For more on what they expect, see What Your Bank Examiner Expects From Your Cyber Insurance.
Your bank probably spends more time reviewing the premium than the application behind it. If nobody has compared your cyber application to your current IT environment, a Risk Intelligence Report will catch the gap before a claim does. Get in touch.
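As an added illustration (not code from the original post), the kind of cross-check described above, reduced to a script: an application warranty is compared against a constructed inventory of remote access points, and a system still accepting logins counts against the warranty even if it is scheduled for decommissioning. The field names and sample systems are assumptions.

```python
from dataclasses import dataclass


@dataclass
class RemoteAccessPoint:
    """One remote access entry point as recorded in the bank's inventory (constructed)."""
    name: str
    active: bool                # still reachable and accepting logins
    mfa_enforced: bool
    decommission_scheduled: bool


# Constructed inventory mirroring the scenario above: the replacement VPN is
# running, the legacy VPN is scheduled for removal but still accepts logins.
INVENTORY = [
    RemoteAccessPoint("vpn-new", active=True, mfa_enforced=True, decommission_scheduled=False),
    RemoteAccessPoint("vpn-legacy", active=True, mfa_enforced=False, decommission_scheduled=True),
    RemoteAccessPoint("vpn-retired", active=False, mfa_enforced=False, decommission_scheduled=True),
]

# Constructed application answers: what the bank warranted to the carrier.
APPLICATION_ANSWERS = {"mfa_on_all_remote_access": True}


def mfa_warranty_holds(inventory):
    """True only if every ACTIVE remote access point enforces MFA.

    'Scheduled for decommissioning' is deliberately ignored: the carrier's
    question is about what accepts logins today, not what the roadmap says.
    """
    return all(ap.mfa_enforced for ap in inventory if ap.active)


def find_discrepancies(answers, inventory):
    """Return (warranty, offending systems) pairs where the application
    answer is no longer supported by the inventory."""
    findings = []
    if answers.get("mfa_on_all_remote_access") and not mfa_warranty_holds(inventory):
        offenders = [ap.name for ap in inventory if ap.active and not ap.mfa_enforced]
        findings.append(("mfa_on_all_remote_access", offenders))
    return findings


if __name__ == "__main__":
    for warranty, systems in find_discrepancies(APPLICATION_ANSWERS, INVENTORY):
        print(f"Application says '{warranty}' is true; inventory disagrees: {systems}")
```

Run against a real inventory export, the same check belongs in the renewal workflow, not in the claim file.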