BYOD: Does A Cyber Insurance Policy Cover Remote Workers?
Probably, but the answer isn’t always simple.
Disclaimer: This blog contains summary information about Corvus policy language. Please refer to the Corvus Smart Cyber Insurance policy form for its full terms, conditions, and exclusions.
As millions of Americans have shifted to working from home, one of the questions we hear every day from brokers is whether their client’s Corvus policy will respond if a cyber incident’s cause or vector is a remote-based worker.
One thing we can settle right away: when it comes to a Corvus Smart Cyber or Smart Tech E&O policy, the answer is yes. There is no language in our form that specifies a worker’s physical location at the time of an incident.
But beyond that short answer, it’s worth exploring some possible reasons why there is some confusion about this question, and why there may be issues with coverage from other policies.
First-Party Cyber Coverage: Not Your Father’s Property Policy
Part of the perception of possible non-coverage stems from the legacy of other common P/C commercial policies.
In a Property Insurance policy, for instance, the buildings or equipment owned or leased by the company are the subjects of the coverage. If a situation arises that might be covered under a property policy, but the employee or customer is not on the physical premises covered in the policy, then that policy will not respond. For a lot of people, especially those who work in insurance, this principle is ingrained.
Cyber Liability policies are different. In covering losses from cyber perils, they are often agnostic to the vector for attack. It could be an attack directly on the corporate system, one routed through a social engineering attack on an employee, or a hack of an individual’s credentials. In all of these situations, the cyber coverages will respond the same way. This is the case with Corvus policies.
Beware of Policy Exclusions
As stated above, Corvus policies contain no direct exclusions based on the location of the worker. There are, however, some common exceptions to look out for when dealing with other cyber forms.
First, some insurers will limit their exposure to infrastructure owned, or leased, by the insured. Look closely at policies for this language. It presents legal ambiguity when it comes to situations where an employee was a vector for attack while using a personal device.
In the current Covid-19 environment, for example, a company that never had a formal “BYOD” policy may be suddenly encountering scores of employees using personal devices to work -- in fact, the company may be requesting that they do so out of necessity. If the company’s cyber policy contains exclusions that limit coverage to infrastructure owned by the company, cyber incidents that start via a remote employee using a personal device may be excluded, even if they end up impacting the business’s central IT infrastructure.
Exclusions like the one described above could also impact third-party coverage in the case of a breach of sensitive data. If a breach stemmed from a company employee who divulged credentials or otherwise granted access, legally speaking it doesn't matter whose device the employee was using. The company is liable for the regulatory fines, notification responsibility, and other costs, no matter what. So if a cyber policy’s exclusions limit the insurance response, the uncompensated third-party costs could be substantial.
Another exclusion to watch out for is one for unencrypted devices. This could be problematic for companies with remote workers using personal devices, even if their policy does not exclude personal devices outright. Apple iPhones are the only mainstream consumer technology that comes with encryption automatically. MacBooks can have encryption enabled easily, but it is not done by default. And Windows laptops and Android phones have no built-in encryption at all -- it must be affirmatively added by the company’s IT department. That all adds up to many, many personal devices that are potential vectors for attack and would potentially cause all costs to go uncovered because they are excluded.
A Caveat for Personal Data and Device Replacement
One cost that is sometimes covered in a cyber policy is replacement costs for hardware that is completely ruined by a cyber attack, or “bricked” in IT speak. If an employee is using a personal device for work that is then damaged by a cyberattack, the replacement costs that individuals must pay to replace their own device will not be covered by Corvus, or by most other markets. That said, if a company-issued device is being used by a remote employee, there are no relevant restrictions, and the “bricking coverage” would apply normally.
This is a long answer to a question that, if you work with Corvus, has a very simple answer. Yes, your client’s remote workers are covered by Smart Cyber Insurance!