Published on May 20th, 2020
COVID-19: Does Your Cyber Policy Cover Remote Working Cyber Risks? | K&L Gates LLP
Working from home has quickly become the new normal, but it may also be the reason your cyber insurer denies coverage for the next cyberattack. With most of the United States currently under or just emerging from some form of stay-at-home guidance, the number of people working remotely likely has never been higher. While work-from-home capabilities have allowed many companies to maintain productivity during the current global pandemic, those same capabilities may simultaneously increase your company’s cyber risk and (at least according to your insurer) limit the protection provided by your cyber insurance policy.
COVID-19-Related Cyberattacks on the Rise
According to the U.S. Department of Homeland Security, malicious cyber actors are already taking advantage of the work-from-home environment by launching COVID-19-related phishing campaigns and exploiting publicly known vulnerabilities in remote networking software. For example, some cybercriminals are using an app that promises to provide real-time coronavirus tracking information to trick the user into providing administrative access to install “CovidLock” ransomware on their device. To create the impression of authenticity, cybercriminals may spoof sender information in an email to make it appear to come from a trustworthy source, such as the World Health Organization. In several examples, cybercriminals are sending phishing emails that contain links to a fake email login page. Other emails appear to be from an organization’s human resources department and advise the employee to open an attachment. It may be months before we know how many of these attacks were successful.
The Definition of “Computer System” in Your Cyber Policy
In the meantime, policyholders would be well-advised to review their cyber insurance policies and consider whether they have adequate coverage for cyberattacks in the current work-from-home environment. Most cyber policies provide coverage for loss that results from a “Security Event” (or some similar term) where that term is defined to mean the failure or violation of the security of a “Computer System.” While the specific definition varies from policy to policy, one common cyber form defines “Computer System” to mean:
computer hardware or software or any components thereof that are linked together through a network of two or more devices that are accessible through the Internet, internal network or connected with data storage or other peripheral devices (including, without limitation, wireless and mobile devices), and are under the ownership, operation or control of the Insured.
Other policies define “Computer System” to include hardware or software “owned by your employees and operated on behalf of you.” In addition, some policies define “Security Event” to include a failure or violation that results from the theft of a password from the “Insured’s premises” or “Computer System.”
Does Your Cyber Policy Cover Security Failures Involving Personal Computer Systems?
Any definition of “Security Event” or “Computer System” that provides coverage for security failures involving hardware or software under the “ownership, operation, or control” of the “Insured” or the theft of a password from the “Insured’s premises” may be problematic (at least according to your insurer) in the current work-from-home environment, particularly if your employees are using their own personal laptops, smartphones, or wireless routers. Even a definition of “Computer System” that expressly includes hardware or software “owned by your employees and operated on behalf of you” could be problematic (again, according to your insurer) if the security failure occurs when your employee was using the hardware or software for personal activities. These issues may be further complicated by the fact that many cyber policies define “Computer System” to include the computer systems of service providers whose own employees may be working from home using their own personal laptops, smartphones, and wireless routers. That said, policyholders may be able to argue that they exercise some form of control over their employees’ personal computer systems or that an uncovered security failure involving a personal computer system led to a covered security failure involving the policyholder’s “Computer System,” so there may still be paths to coverage. Accordingly, no policyholder should simply accept a coverage denial at face value.
Conclusion
The recent, rapid shift to remote working and the corresponding increase in cyber risk involving personal computer systems may represent a significant new cyber exposure for many companies. Policyholders would be well-advised to review their current cyber policies to determine whether they have coverage for the remote working cyber risks identified above and take steps to address any potential gaps in coverage (e.g., policyholders may decide to limit or exercise some form of control over personal computer systems used for work purposes). Policyholders may also want to address remote working cyber risks with their cyber insurer at renewal.