How COVID-19 Will Compel Cyber Insurance Coverage to Adapt
COVID-19 has created the inevitable “new normal” of forcing employees to work from home. While that may allow for some advantages, it certainly comes with some risks. As for risks, at the top that list is cyber security and potential hackers to corporate networks.
As the business world adjusts to COVID-19, companies are using work from home networks which are (likely) recently created to adjust to restraints by COVID-19, or have been created previously but are not equipped to handle all employees working on the network full-time. As such, cyber hackers are certainly aware that companies are adjusting from an IT perspective, leading to an increased risk of cyber incidents for remote employees.
While working from home (WFH) some employees are using company computers while others are using their personal devices. It is nearly impossible for IT departments to protect personal computers from hackers as there is no way to know what they have been exposed to previously. In addition, employees using their own computers may use less secure hardware and unsecured Wi-Fi, making it easier for cyber attackers to infiltrate a corporate network. As a result, one of the questions is – how will insurance companies modify their policies to deal with the increase in claims?
Some cyber insurance policies will only cover data breaches and losses to devices owned by the insured company, which would not necessarily apply to BYOD practices that many small and mid-sized enterprises tend to employ. To that end, many policies have specific coverage exclusions for data breaches to employee owned devices.
We expect that insurance providers will adapt and modify the wording in their cyber polices moving forward, and will undoubtedly look to offer more insurance products in light of the increase in demand for insurance in the post-COVID-19 world we are all now navigating. Many cyber insurance policies already require “reasonable” IT measures to qualify for coverage. Some have predicted that insurance providers will not only interpret “reasonable” differently in light of the pandemic, but will add additional IT requirement in their policies in order to obtain coverage. In addition, while insurance companies may continue to exclude coverage to cyber-attacks on employee owned devices, the volume of BYOD practices will almost certainly prompt insurers to offer new products to respond to the marketplace. As more and more companies are likely to have employees working from home after COVID-19 subsides, insurers will likely place additional cyber requirements on employees working from home, even if using a company owned device.
COVID-19 has created a landscape where WFH and BYOD practices, which many businesses utilize, creates increased cyber risk, and with increased risk comes the increased demand for insurance products. Expect much to be published in the next few months about the insurance industry’s response to that demand.
Thanks for Corey Morgenstern for his contribution to this post. Please email Brian Gibbons with any questions.