Propel provides innovative insurance solutions to thousands of companies across the country. We make it our business to know your world inside and out.
The coronavirus pandemic has forced many companies to transition to remote work. This is a scenario you probably did not expect, and therefore you may not be completely prepared for the cyber risks involved. You’re not alone.
The underwriters of cyber insurance policies weren’t expecting a massive work-from-home scenario either. So, while cyber risk is higher than ever before, many cyber liability policies may have exclusions related to remote work or unsecure devices. Whether those exclusions will be enforced remains to be seen. Regardless, if you have employees working from home, you may want to review your cyber liability policy with your broker to see how it addresses this new exposure.
Certain Devices May Be Excluded
Although the current situation is unprecedented, the cyber security and cyber insurance issues surrounding work-from-home setups are not new.
Some cyber policies may exclude or limit coverage for work-from-home and bring your own device (BYOD) arrangements, and some may limit coverage to computers owned by an employee.
Although this is restrictive, it is understandable under normal circumstances. A company can be expected to adhere to strict cyber security standards, while individual employees may not have the resources or expertise needed to avoid cyber threats. Their Wi-Fi networks might not be secure. Their computer programs may be outdated and plagued with vulnerabilities that hackers can exploit. They may use their personal devices to visit websites that are loaded with malware or a virus that can be passed along to your network or others while working on your behalf.
Each employee represents a host of unknowns, and carriers may not have expected to take on that exposure when they bound the policy. With these variables in mind, we are unsure of how cyber insurance carriers will respond to claims arising from remote work arrangements.
Even when BYOD arrangements aren’t excluded, other exclusions may limit coverage. For example, a cyber policy may exclude unencrypted or mobile devices. It is quite likely there were questions addressing this exposure on the application for insurance. You likely answered those questions based on your circumstances at the time, but those circumstances may have changed quite a bit. The options available to the carrier on how to respond to a changed condition vary greatly across policies.
Moreover, what happens if a data breach or other cyber incident is traced back to an unencrypted mobile device owned by an employee? Depending on the policy language, the insurer may have a case for rejecting the claim.
Employee Property May Not Be Covered
Many employees are now using their personal devices for work. They may not mind – until something goes wrong. If a personal device is damaged or destroyed during the course of work, the employee may feel entitled to a replacement.
But the commercial cyber insurance policy may not cover the replacement of property that does not belong to the company. It is important to understand what an employer and insurance companies obligations are to an employee using their own personal device.
The Policy Could Be Voided
Before securing a cyber policy, a company must complete an application that includes questions regarding the company’s network and cyber security. The application also includes a warranty statement signed by an officer of the company; which is almost always attached to and made a part of the policy. The answers to these questions are used in the underwriting process to help the carrier determine the appropriate coverage and rates. The warranty statement in turn may be tied to a cancellation provision or a severability provision that could significantly impact coverage.
So, what happens if, when a claim arises, the answers are no longer accurate because everyone has shifted to working from home? It is important to understand how these changes impact the policy and your expectation of coverage.
If a Cyberattack Occurs
The fact is that all of us are dealing with unprecedented situations. This includes employers and their employees, as well as their insurance carriers.
Practicing smart cybersecurity is the best course of action, but even with all the right precautions, a cyberattack could occur. Make sure you’re prepared. Talk to your broker to review your cyber policy and to see how it applies to the present situation.
If you have a claim, even if you think it might be denied based on work-from-home and BYOD exclusions, contact your insurance broker immediately. A good broker will work with your carrier and advocate on your behalf. While it’s true that many cyber policies may exclude work from home scenarios, this is uncharted territory and some carriers may show flexibility in how they respond to claims.
If you’d like assistance with reviewing your cyber insurance protection, contact us. We’re here to help!