By David Derigiotis, CIPP, Corporate Senior Vice President, National Practice Group Leader, Professional Liability, Burns & Wilcox
Cyber Liability is one of the fastest growing segments of business insurance in the market today. That was true before the arrival of COVID-19 and is certain to be the case for businesses of all sizes in the months ahead.
The reason is simple. Cyber was evolving daily long before the pandemic arrived. As new technologies develop to combat cyber threats, cyber criminals also adapt by changing their illicit strategies. Yet with COVID-19, more employees are working from home than ever before, with an estimated 66 percent of remote workers doing so because of virus concerns, according to a Slack nationwide survey in late March.
With statewide stay-at-home and social distancing orders in place for weeks at a time, online threats have risen six times their usual levels over the past four weeks, according to Cloudflare. Additionally, hacking and phishing attempts were up 37 percent over the last month.
The risk exposure for cyber-attacks is clearly increasing in this environment. Not only is there a massive need for businesses to operate from home-based worksites, but given the focus on pandemic impact, there is a concerted effort by hackers to tap into vulnerable networks. Anything generating media buzz or online search activity presents a prime target for criminal opportunists. Right now, the stage is set with a redeployed and remote workforce for many organizations, increased internet usage and a topic dominating the headlines filled with anxiety, uncertainty and fear.
With whole families staying home, spouses, kids and other immediate family members may be using each other’s devices, creating cross contamination between work, education and personal use. When doing so they unknowingly allow access to malware by mistakenly clicking on links or responding to phishing emails. For example, a middle school student completing a math assignment from home on a parent’s work laptop opens the door to ransomware or viruses. Alternatively, a spoofed mass email or text might closely represent an employer’s IT announcement.
Furthermore, businesses are relying more heavily on online sales because of COVID-19, which can lead to direct website attacks, compliance issues, and fraud.
Before COVID-19, many small to midsize businesses that had passed on Cyber Liability coverage in recent years had gradually begun to understand its value. The pre-conceived notion that only large businesses are targeted by cyber-attacks has faded for many entrepreneurs. In addition, the less talked about feature of a policy which addresses regulatory non-compliance and privacy violations will afford much needed coverage in an environment of increasing privacy regulation. As demand for policies has increased, premiums have remained extremely competitive for most business segments, excluding Fortune 1000-type companies with globally recognized brands and therefore higher exposure and severity losses. Huge FTC penalties imposed on Facebook and massive data breaches by companies like Capital One are examples of the attention that large-scale cyber breaches have received in the media.
The potential for these imposed penalties is another reason why Cyber Liability is a must-have policy. Failure to comply with the Payment Card Industry Data Security Standard can result in fines that range up to $500,000 while FTC related fines can be much higher.
In a remote work environment, which is new territory for many organizations, failure to properly train employees about security best practices can trigger FTC investigations (See LightYear Dealer Technologies, LLC., C-4687). A redeployed workforce can also create inadequate data protection practices for organizations, again triggering FTC complaints and investigations (See FTC v. Wyndham Worldwide Corp., 799 F.3d 236). In other words, businesses trying to adapt to these challenging times could be met with additional adversity from regulators if the changes made result in security and privacy vulnerabilities for consumers.
Even as premiums have stabilized, coverage within Cyber Liability policies has been expanded. Cyber policies historically excluded coverage for damaged computer hardware but even that has changed with ‘bricking’ being written into policies. Bricking refers to a loss of use or functionality of hardware (such as servers, laptops or phones) resulting from a security incident.
Cryptocurrency mining can also be covered by policies. This type of malware can impair a company’s system performance, create significant energy consumption and associated costs for the compromised organization, and contribute to overall systems degradation. Cyber criminals use cryptocurrency mining malware to generate revenues by tapping into a system’s computing resources. Another key exposure addressed by leading Cyber Insurance providers is cyber terrorism, or state sponsored attacks attributed to a foreign entity’s politically motivated actions.
It all comes back to supply and demand. As more businesses have sought Cyber Liability policies, carriers increasingly have been competing for that business. The result has been a buyers’ market based on high business demand and greater desire for carriers to grow their portfolio.
The bottom line is that right now, every business needs to assess how a growing remote workforce has changed its security posture. Companies should be working with their IT teams and third party vendors to understand where exposures have changed and new vulnerabilities might have surfaced. Employee education and training may need to be prioritized, and the accessibility of corporate and client data reevaluated. Cyber Insurance policies should be reviewed as current coverage may no longer be adequate. Items for consideration will include how “covered employees” are defined and how that definition applies to remote workers, including independent contractors. The definition of computer network should stretch to include the use of cloud service providers. Revisiting the regulatory and PCI fines and penalties insuring agreements will also be important to a business that has altered its operations.
Businesses should also ensure that their corporate-wide IT training matches the current remote working environment. Organizations may need to conduct remote training sessions through video conferences and update their content to keep employees aware and educated about cyber security best practices.
For many years, cyber criminals have wreaked havoc on businesses’ systems and networks. Now the COVID-19 pandemic is doing the same, creating additional threats. Businesses going forward will likely need to create new operational standards that will impact their networks and workforce. Remote offices, online selling and the use of video conferencing are just a handful of examples of technologies that will be increasingly relied upon in the foreseeable future. Ironically, these technologies also increase exposure to cybercrimes. We’re here to help you make decisions that can financially protect you against these evolving and ever-present threats.
This commentary is intended to provide a general overview of the issues contained herein and is not intended, nor should it be construed, to provide legal or regulatory advice or guidance. If you have questions or issues of a specific nature, you should consult with your own risk, legal, and compliance teams.