Almost four months have passed since the World Health Organization declared COVID‑19 a global pandemic on March 11, 2020. Continued social distancing and other precautionary measures have driven many organizations to expand work-from-home protocols for the foreseeable future or even permanently—in turn prompting many organizations to review their cyber insurance policies in addition to the rest of their insurance portfolios. While cyber risk policies are not widely standardized, there are several common traps that are found in many cyber risk policies, and early awareness of them can be the difference between a covered claim and a hard-fought coverage battle. While these traps are not specific to COVID-19 concerns, they may become increasingly important as organizational cyber exposures increase. Three of the more salient pitfalls are discussed in this post.
A couple months into the widespread shift to remote work for many employees on a temporary basis, an increasing number of companies are considering or already implementing a permanent shift to remote work for most or all of their employees. Unsurprisingly, this shift is rapidly occurring in the technology industry. For example, Twitter’s CEO announced this week that its employees will be allowed to work from home permanently. But it is also occurring across other industries, including the insurance industry. For example, Nationwide is planning to permanently exit its building space, other than four main campuses, before the end of the year and is moving its other employees to permanent remote-working status.
A few months into the COVID-19 pandemic, the insurance focus (understandably) has been on business interruption and event cancellation coverage. Various other coverages are in play as well, given the types of COVID-19-related claims and lawsuits being filed (and that will be filed in the future) against corporate policyholders, from bodily injury due to exposure to the virus, to breach of contract, to securities violations, to misrepresentations and consumer protection violations, just to name a few. However, cyber risks are also highly salient for companies in this “new normal,” and companies must consider the role their insurance plays in preparing for and responding to those risks.
Cyberattacks are an increasingly frequent and costly risk faced by almost every business today. While the availability and scope of cyber-specific insurance has developed exponentially over the past few years, it is important to remember that more traditional policies (such as general liability and first-party property insurance) can still be a source for coverage in connection with cyber incidents, as a recent court decision demonstrates.
Recent headlines have raised significant concerns about the possibility of cyberattacks on U.S. businesses as a result of the heightened tensions with Iran. The Department of Homeland Security, through its Cybersecurity and Infrastructure Security Agency (CISA), has published alerts and guidance recommending heightened awareness and vigilance. In “International Pressure Raises Cybersecurity Threats,” Tamara D. Bruno, Brian E. Finch and Cassie Lentchner explore some of the practical steps companies can take toward cybersecurity precautions, compliance and insurance when heightened tension in the Middle East or other events increase the threat of cybersecurity incidents.
In late August, the Federal Energy Regulatory Commission (FERC) and North American Electric Reliability Corporation (NERC) issued a joint white paper proposing a “name-and-shame” approach to electric utilities that failing to meet NERC Critical Infrastructure Protection (CIP) Reliability Standards. The standards represent a baseline for protecting against cyber-attacks on critical infrastructures. FERC and NERC propose to depart from the historical practice of withholding most material details regarding CIP Reliability Standard violations, and instead to start disclosing the names of allegedly violating electric utilities in response to Freedom of Information Act requests—“naming and shaming them.” This development underscores the substantial cyber risks utilities face and, likewise, the importance of appropriate insurance for those risks.
Colleagues Matthew G. Jeweler, Cassie Lentchner and Brendan Hogan (along with Richard Mroz , managing director of Resolute Strategies LLC) examine the proposal more closely in “Name-and-Shame Proposal of Electric Regulators Highlights Need for Cyber Insurance.” They also outline a few key points electric utilities should keep in mind with respect to securing the right kinds of insurance coverage for cyber-related incidents.
Packed stadiums? Check.
Players and teams with huge followings? Check.
Massive social media appeal? Check.
But here, the events that spectators are so eager to attend aren’t live basketball or football games. Instead, fans are lining up to watch others competitively play video games, more commonly known as esports. In 2018, esports garnered 258 million unique viewers globally, compared to 204 million for the National Football League’s 2016 regular season. In 2019, esports are predicted to draw 299 million viewers and hit $2 billion in revenue, up from $1.5 billion in 2018. The International Olympic Committee is even considering adding esports to the 2024 Olympic Games.
A data breach may cost a company millions in recovery and liability damages, but rarely does a breach force a company into bankruptcy. However, a months-long data breach at American Medical Collection Agency (AMCA) in 2018-2019 did just that, forcing its parent company, Retrieval-Master Creditors Bureau Inc., into Chapter 11 bankruptcy. AMCA has not stated whether it had cyber insurance, but the situation presented by this breach and bankruptcy filing serves as a cautionary tale for those without adequate cyber insurance coverage—or any at all.
Recently, the Board of Governors of the Federal Reserve System has indicated it may move forward with enhanced cybersecurity standards for large financial institutions and the third-party vendors that serve them. Over on Pillsbury’s SourcingSpeak blog, colleagues Andrew L. Caplan, Meighan E. O’Reardon and Curtis A. Simpson examine just what those standards might be in “The Fed May Increase Cybersecurity Standards for Large Financial Institutions and their Service Providers.”
Experts are full of advice about the importance of designing and implementing a robust cyber breach response plan. They opine frequently on its key components, such as identifying the roles and responsibilities of the response team, steps for investigating and containing the breach, internal and external communications regarding the breach and the response, and applicable legal requirements. For the most part, however, their advice focuses on the information-technology aspects of the plan, with some attention given to the roles of senior management and the legal department. But few commentators offer tips on one of the most consequential components of a cyber response plan: insurance.