Insurance plans that cover costly damages caused by electronic threats to a company’s systems or sensitive data might have counted on a company’s employees working within the palisades of a corporate office …
Not, as it turns out, working on the family computer — with a screen that regularly blinks in popups that betray a child’s recent download spree.
Given that the average cost of a data breach is about $3.92 million, according to a 2019 report from IBM, the coverage provided by cybersecurity insurance plans might be all that stands in the way of a company having to declare bankruptcy when it’s the victim of a hacker’s havoc.
But cybersecurity legal expert Eric Levine said that, in a remote work-driven environment, businesses might not be as safe as they think under those plans right now.
“Most businesses or people when they purchased cyberinsurance policies didn’t envision being in a situation like this — one day, the government would shut down our office and, the next, we’re all working from home,” he said. “Now, what they thought policy would cover is a little different than they expected or need right now.”
Levine, who serves as an executive vice president and a member of the executive committee at the Westfield-based Lindabury, McCormick, Estabrook & Cooper, said it might be that a cybersecurity plan establishes that coverage will be provided when the breach occurs as a result of activities on a company-issued laptop, but not on personal devices. Or it might not factor in remote work at all.
The only way to know for sure, he added, is to check your policy.
“It might behoove a company to actually go back and take a look at their policy and start to think about that,” he said. “Perhaps, if it’s clear something wasn’t covered, when the policies are coming up for renewal, that’s something to consider. Because this could happen again. Like it or not, when a pandemic comes around, it’s now clear shelter-in-place is an option governments will take.”
William Roberts, executive vice president of Brown and Brown Metro LLC, a Roseland-based insurance company, said his company has experienced an uptick in claims being filed for cybersecurity coverage during the past two months of employees working from home en masse.
And Roberts explained that there’s no definitive answer as to whether a given insurance plan will cover situations in which the source of the attack involves a remote working situation, perhaps not on a laptop or other device provided by the company.
“The tricky part is, it’s not always the same answer,” he said. “Every carrier may have a different stance on that. Every cybersecurity insurance program is different.”
In general, insurance plans are split into two categories: first-party cyber liability insurance, which helps businesses with breaches on their own network or systems, and third-party plans, which pay for lawsuits resulting from attacks on a client’s network or systems.
Whatever the incident or coverage plan might be, an attack is going to result in a company being asked what reasonable steps it took to preemptively mount a defense against cybercrime, Levine said.
A mainstay of Levine’s advice is to ensure every employee has some basic training in the area of data privacy — and that they’re being as diligent as they can be. If at all possible, that also might mean not having people work from the family’s part-time Fortnite gaming station or connecting to unsecured Wi-Fi networks at home.
There’s also the more complicated matter of how diligent the vendors a business works with are being. That can matter just as much.
“Because you may have taken steps to satisfy your insurance carrier, but it may be like leading the fox into the henhouse if you’re working with someone that hasn’t put those same measures in place,” Levine said. “Insurance companies are increasingly saying that, as a condition of coverage, everyone you work with has to have the same level of protections as you do. If they don’t, it will affect ability to get coverage.”
Levine said one of the most high-profile data breaches in recent years — and the most costly, with the affected company, Target, paying an $18.5 million multistate settlement — was the result of an HVAC contractor without adequate security measures logging into the retail giant’s network.
So, it’s important in dealing with vendors to know their security measures beat yours, Levine said. That can be made part of a company’s contract with vendors as well.
Levine said there’s no denying that the funds provided in response to cybersecurity claims can be significant, which is why businesses pay for those insurance plans.
“For that reason, from an insurance standpoint, you should be making sure everything you’re doing increases the likelihood of you actually getting insurance coverage when something goes wrong,” he said.