A few months into the COVID-19 pandemic, the insurance focus (understandably) has been on business interruption and event cancellation coverage. Various other coverages are in play as well, given the types of COVID-19-related claims and lawsuits being filed (and that will be filed in the future) against corporate policyholders, from bodily injury due to exposure to the virus, to breach of contract, to securities violations, to misrepresentations and consumer protection violations, just to name a few. However, cyber risks are also highly salient for companies in this “new normal,” and companies must consider the role their insurance plays in preparing for and responding to those risks.
COVID-19 Has Increased Cyber Risk
Companies were at high risk for cyber hacks before COVID-19; the pandemic exacerbates the problem. Many employees are working remotely, creating additional vulnerabilities. With so many people accessing networks via remote connections, hackers will seek out any flaws in network security. Many companies had to rapidly deploy new networks and IT infrastructure to shift their workforces to a remote work environment, and hackers are exploiting resulting security gaps. Hackers are targeting vulnerabilities in VPN and Citrix remote work software. The remote work environment also means the possibility that sensitive data is being sent across companies’ networks in ways it ordinarily wouldn’t, thereby increasing the risk of breach and possibly unintentional violation of privacy regulations. And, quite simply, hackers may perceive that companies’ cybersecurity is weakened because the security professionals are working from home and may not have full use of their anti-hacking tools.
The Department of Homeland Security and other government agencies have warned that phishing attacks, using COVID-19 as a lure, are on the rise. Hackers are preying on the public’s COVID-19 fears and thirst for information, using COVID-19-themed emails to entice recipients to click on a link to visit websites that hackers use to steal data including login information, or to entice recipients to download malware, including ransomware, inadvertently. Hackers also are exploiting the increased use of communication platforms like Zoom and Microsoft Teams, using those as additional lures in phishing emails. Likewise, it has been reported that COVID-19-related spoofing is becoming prevalent and increasingly sophisticated, with hackers disguising emails to look like they come from health organizations and relate to the virus, or to convincingly appear to be from individuals within the recipient’s company. As to intra- or inter-company social engineering, the possibility of such an effort being successful is heightened when people are working from home, not having face-to-face interactions, and relying more on email, instant messaging, or calls from unfamiliar numbers.
Insurance Can Mitigate Cyber Risk
Strengthening network security measures and monitoring are critical to combat this increased cyber risk. It also is important that, in the event a company falls victim to a cyberattack during this unprecedented time, the company take all mitigative measures, including pursuing applicable insurance. With that in mind, it is worthwhile to understand the different types of insurance you will want to consider obtaining (if the company does not already have such insurance in place) or reviewing to make sure it aligns with the current risks faced by your company.
Start with dedicated “cyber” insurance, which is not a standardized product but rather comes in many different forms and may go by many different names. Cyber policies frequently include several coverages that could come into play in a COVID-19-related incident, for both liability and first-party losses, such as coverage for:
- Liability arising out of a failure or breach of network security, including impacts to a third party’s network, such as infection through virus or malware, the inability of an authorized third party to access your network, or the unauthorized use, disclosure, or destruction of data or software.
- Liability arising out of the unauthorized use, disclosure, access, or destruction of protected information, including personally identifiable information or confidential/proprietary third-party corporate information such as trade secrets, or the failure to implement or comply with policies regarding protected information.
- Liability and defense fees arising out of a regulatory proceeding alleging acts, errors, or omissions that result in the violation of law governing protected information or the violation of a breach notice law.
- Business interruption in the event the policyholder’s network is shut down or rendered unusable due to a cyberattack.
- Costs incurred to comply with a breach notice law, including related legal fees, or to provide voluntary notice to affected individuals.
- Costs to hire a computer forensics consultant to investigate a breach and assess disclosure of protected information.
- Costs to minimize reputational harm in the event of a breach, including the cost to set up call centers and provide credit monitoring services to affected individuals.
- Monies paid in response to a cyber extortion demand in which a hacker threatens to attack or disrupt the policyholder’s network or website or release protected information.
One issue to be sensitive to in the current environment is whether employees are using personal (non-company) computers for work purposes. If so, and if such a personal computer is involved in a hack, that could create a coverage issue. Coverage will depend on the specific wording of your cyber policy and the specific facts of the event.
Other Potentially Applicable Insurance
In addition to cyber coverage, consider whether there is coverage under your crime policy. Commercial crime policies typically cover, among other things, computer fraud, which includes the taking or fraudulently induced transfer of money, securities, or property via a hack or other use of the policyholder’s network. As an example, this coverage may come into play if your company is the victim of a spoofing or other social engineering attack in which an employee is tricked into transferring company funds to a hacker instead of the legitimate, intended recipient. There is helpful case law supporting coverage in those situations. Note that insurers now commonly offer specific social engineering coverage as part of their crime policies.
Other coverages may also come into play, depending on the nature of the liability that stems from a cyber incident. For example, if a third party asserts a privacy injury arising from a breach, look at your general liability policy. Today, general liability policies commonly contain one or more exclusions relating to electronic data and the like, but the wording of any such exclusion should be analyzed in light of your specific circumstances to assess potential coverage. As another example, your D&O policy may apply if your company, or individual directors or officers, face a claim asserting mismanagement, failures in policies and procedures, or other alleged wrongful acts relating to network security during COVID-19. Along the same lines, your errors and omissions policy may respond, depending on its wording and the facts of your situation.
The last thing any company needs during the pandemic is to be hacked. The economic fallout from a substantial cyberattack, compounded with the economic strain imposed by COVID-19, could be devastating. Insurance can help mitigate the loss. If your company falls victim to a cyberattack during the pandemic, move swiftly to analyze all potentially relevant insurance policies, provide notice under all such policies, and comply with all policy conditions to avoid giving the insurer additional bases to deny coverage. It’s a good idea to work closely with your broker and qualified coverage counsel, both in obtaining policies and in the event of a claim, to ensure that no stone is left unturned and all policy requirements are met.