Cyber Insurance Tested by COVID-19
Since the start of the pandemic, different lines of insurance coverage have come under intense scrutiny as policyholders and insurers alike search for ways to argue a claim is legitimate—or not.
A wave of litigation over business interruption coverage seeks to determine whether or not contamination by a virus qualifies as covered property damage. Employees intending to file workers’ compensation claims find they have to prove they contracted the disease through duties unique to their job, a tall order in the best of times.
Though it may not be immediately apparent, cyber insurance is also an important line of coverage to consider during these uncertain times. With lockdown measures being implemented across the country, forcing the majority of the workforce into their homes, the crisis offers cybercriminals another way to get their foot in the door through social engineering. What’s more, the lack of standardization in cyber policies means different coverage terms can trip up policyholders.
COVID-19 has triggered an undeniable shift in the dimensions of the cyber threat landscape for companies. Now that many more employees are working remotely, their personal devices and personal networks broaden a company’s attack surface, making it that much more vulnerable to cyber incidents, including breaches, which can come with heavy regulatory penalties.
Commonly used telework software may also have implications for cybersecurity. Zoom, a company that provides a commonly used virtual meeting platform, was recently sued by one of its shareholders for “overselling its privacy standards and failing to disclose that calls were not end-to-end encrypted.” And according to Michael Costello, principal of Evolve MGA, “Businesses using VPNs right now are being hit the hardest, as they have significant security holes and allow for the entire organization to be hacked in one go.”
Companies seem to be aware of this heightened vulnerability. Cyber analytics firm Arceo says, “The most common questions we’re getting are about mitigating cybersecurity risks. How should we advise our users to discern what’s suspicious vs. legitimate? How should we configure our security settings? With so many people working from home and great variability in the level of security they’re using, organizations are generally more interested in cybersecurity solutions.”
However, good cyber hygiene, such as password changes, software and hardware updates, and limiting admin access to only those who need it, will only go so far, as the attack methods cybercriminals are using now target individuals, rather than the organization’s systems. According to Barracuda Networks, phishing emails have spiked by over 600% since the end of February, 54% of which were scams, 34% brand impersonation attacks, 11% blackmail, and 1% business email compromise.
Organizations are also seeing an increase in other scams based on COVID-19, said Mike Convertino, chief security officer of Arceo. “Cybercriminals are pretending to be public health officials, medical experts, or even business executives asking users to click links or open attachments containing malware.” These attacks rely on the technique known as social engineering, which involves preying on widespread fear and anxiety during times of crisis to manipulate employees into making mistakes or giving away sensitive information. Training employees on how these types of attacks function will be crucial when it comes to making organizations more resilient—as Costello explained, “Employees are the #1 cause of cyber claims via phishing attacks.”
Another top-of-mind issue for companies with cyber insurance is whether or not their existing policy will cover losses incurred while their employees are working from home. According to Trent Cooksley, co-founder and COO of cyber insurance company Cowbell Cyber, “the most frequent questions [from clients] are related to policies in place and whether the new normal—employees working from home and connecting to their work environment through personal devices and WiFi networks—could invalidate their coverage.”
Contributing to the confusion is the fact that most other major coverages that may (or may not) be triggered by COVID-19 losses, such as commercial property, cover only property owned or leased by the insured. As such, even if a situation arises that would otherwise trigger property coverage, the loss will not be covered when the employee or customer is not on the covered property.
Fortunately, cyber liability policies tend to be “agnostic to the vector for attack,” according to a blog post by cyber insurance company Corvus. “It could be an attack directly on the corporate system, one routed through a social engineering attack on an employee, or a hack of an individual’s credentials. In all of these situations, the cyber coverages will respond the same way.”
However, cyber insurance policies are not standardized across the market. “The cyber market lacks uniformity on this coverage, as competing markets wildly vary as to whether or not they cover remote employees on personal devices,” said Costello of Evolve MGA. Some insurers may limit the exposure in the policy to infrastructure owned or leased by the insured, according to Corvus Insurance. In that case, a cyber incident resulting from an employee’s use of their personal device would not be covered. And if the cyber incident results in a data breach, the subsequent regulatory fines would not be covered either.
Some cyber insurance policies may also exclude coverage for unencrypted devices. Again, that could lead to issues if employees are obligated to use their personal devices. As Corvus puts it, “Apple iPhones are the only mainstream consumer technology that comes with encryption automatically. MacBooks can have encryption enabled easily, but it is not done by default. And Windows laptops and Android phones have no built-in encryption at all—it must be affirmatively added by the company’s IT department.” A company with a policy that covers personal devices may find itself without coverage if that policy also excludes unencrypted devices.
And that’s not even touching on coverage for devices rendered completely unusable (bricked) by a cyberattack. Some policies will respond to this loss if the hardware is owned by the business or is issued to an employee who needs to work from home. However, when a personal device is bricked by a cyberattack, the cost to replace it is rarely, if ever, covered by common existing cyber insurance policies.
Cyber Insurance Claims
Though the new normal of telework offers cybercriminals more avenues of attack, Mike Convertino of Arceo suspects we may not start seeing pandemic-related claims for weeks or months, not least because it often takes organizations some time to discover a breach has even occurred. However, both Convertino and Trent Cooksley from Cowbell Cyber agree: it is a matter of when, not if, we start to see an increase in cyber insurance claims.
Michael Costello of Evolve, on the other hand, has already seen cyber claims begin to increase. “The value of bitcoin dropped nearly in half over the past couple of months, dropping hackers’ annual salaries in half,” he said. “This is a perfect storm for businesses to fall victim to hack attacks. Hackers are doubling the amount of ransomware attacks focusing on penetrating weak work from home security environments with COVID-19 phishing clickbait.”
“Many hackers are exploiting security vulnerabilities during COVID-19 to do reconnaissance on targets, conduct phishing and harvest credentials for future attacks,” and “some cybercriminals also might be waiting to see what kinds of sensitive data are exchanged,” in hopes they may find a way to reach higher-value targets, said Convertino. “In the coming weeks and months, cyber insurers are likely to see more claims from targeted ransomware attacks, data breaches, and cyber extortion.”