Probably, but the answer isn’t always simple.
As millions of Americans have shifted to working from home, one of the questions we hear every day from brokers is whether their client’s Corvus policy will respond if the cause or vector of a cyber incident is a remote worker.
One thing we can settle right away: when it comes to a Corvus Smart Cyber Insurance® or Smart Tech E&O® policy, the answer is yes. There is no language in our form that conditions coverage on a worker’s physical location at the time of an incident.
But beyond that short answer, it’s worth exploring why there is confusion about this question, and why other carriers’ cyber policies may limit coverage in these situations.
Part of the perception of possible non-coverage stems from the legacy of other common P/C commercial policies.
In a Property Insurance policy, for instance, the buildings or equipment owned or leased by the company are the subjects of the coverage. If a situation arises that might be covered under a property policy, but the employee or customer is not on the physical premises covered in the policy, then that policy will not respond. For a lot of people, especially those who work in insurance, this principle is ingrained.
Cyber liability insurance policies are different. In covering losses from cyber risks and perils, they are generally agnostic to the attack vector. It could be an attack directly on the corporate system, one routed through a social engineering attack on an employee, a compromise of an individual’s credentials, a ransomware attack, or cyber extortion. In all of these situations, the cyber coverages respond the same way, regardless of how the threat actor got in. This is the case with Corvus policies.
As stated above, Corvus policies contain no direct exclusions based on the location of the worker. There are, however, some common exceptions to look out for when dealing with other cyber forms.
First, some insurers limit their exposure to infrastructure owned or leased by the insured. Look closely for this language in policies and make informed decisions. It creates legal ambiguity in situations where an employee was the attack vector while using a personal device.
In the current Covid-19 environment, for example, a company that never had a formal BYOD security policy may be suddenly encountering scores of employees using personal devices to work — in fact, the company may be requesting that they do so out of necessity. If the company’s cyber policy contains exclusions that limit coverage to infrastructure owned by the company, cyber incidents that start via a remote employee using a personal device may be excluded, even if they end up impacting the business’s central IT infrastructure and computer systems.
Exclusions like the one described above could also impact third-party coverage, in the case of a security breach that results in the loss of sensitive data. If a breach stemmed from a company employee who divulged credentials or otherwise granted access, legally speaking it doesn't matter whose device the employee was using. The company is liable for the regulatory fines, notification responsibility, financial losses, and other costs, no matter what. So if a cyber policy’s exclusions limit the insurance response, the uncompensated third-party costs could be substantial.
Another exclusion to watch out for is one for unencrypted devices. This could be problematic for companies with remote workers using personal devices, even if their policy does not exclude personal devices outright. Whether a personal device is encrypted depends on what it is and how it was set up. iPhones encrypt their storage automatically. MacBooks can have encryption (FileVault) enabled easily, but the user or an administrator has to turn it on. On Windows laptops and Android phones it varies with the edition, version, and hardware, so encryption often has to be verified or affirmatively enabled by the company’s IT department or security team. That all adds up to many, many personal devices of unknown encryption status that are potential vectors for catastrophic cyber attacks, and an incident involving one of them could leave all costs uncovered under such an exclusion.
One cost that is sometimes covered in a cyber policy is replacement costs for hardware that is completely ruined by a cyber attack, or “bricked” in IT speak. If an employee is using a personal device for work that is then damaged by a cyberattack, the replacement costs that individuals must pay to replace their own device will not be covered by Corvus, or by most other markets. That said, if a company-issued device is being used by a remote employee, there are no relevant restrictions, and the “bricking coverage” would apply normally to cover the costs of the new device.
This is a long response to a question that has a very simple answer if your client’s cyber insurance is with Corvus. Yes, your client’s remote workers are covered by Smart Cyber Insurance®!
Disclaimer: This blog contains summary information about Corvus policy language. Please refer to the Corvus Smart Cyber Insurance policy form for its full terms, conditions, and exclusions.