BYOD: Does A Cyber Insurance Policy Cover Remote Workers?
Probably, but the answer isn’t always simple.
Remote Work & Cyber Coverage
Disclaimer: This blog contains summary information about Corvus policy language. Please refer to the Corvus Smart Cyber Insurance policy form for its full terms, conditions, and exclusions.
As millions of Americans have shifted to working from home, one of the questions we hear every day from brokers is whether their client’s Corvus policy will respond if a cyber incident’s cause or vector is a remote-based worker.
One thing we can settle right away: when it comes to a Corvus Smart Cyber or Smart Tech E&O policy, the answer is yes. There is no language in our form that specifies a worker’s physical location at the time of an incident.
But beyond that short answer, it’s worth exploring some possible reasons why there is some confusion about this question, and why there may be issues with coverage from other policies.
First-Party Cyber Coverage: Not Your Father’s Property Policy
Part of the perception of possible non-coverage stems from the legacy of other common P/C commercial policies.
In a Property Insurance policy, for instance, the buildings or equipment owned or leased by the company are the subjects of the coverage. If a situation arises that might be covered under a property policy, but the employee or customer is not on the physical premises covered in the policy, then that policy will not respond. For a lot of people, especially those who work in insurance, this principle is ingrained.
Cyber Liability policies are different. In covering losses from cyber perils, they are often agnostic to the vector for attack. It could be an attack directly on the corporate system, one routed through a social engineering attack on an employee, or a hack of an individual’s credentials. In all of these situations, the cyber coverages will respond the same way. This is the case with Corvus policies.
Beware of Policy Exclusions
As stated above, Corvus policies contain no direct exclusions based on the location of the worker. There are, however, some common exceptions to look out for when dealing with other cyber forms.
First, some insurers will limit their exposure to infrastructure owned, or leased, by the insured. Look closely at policies for this language. It presents legal ambiguity when it comes to situations where an employee was a vector for attack while using a personal device.
In the current Covid-19 environment, for example, a company that never had a formal “BYOD” policy may be suddenly encountering scores of employees using personal devices to work -- in fact, the company may be requesting that they do so out of necessity. If the company’s cyber policy contains exclusions that limit coverage to infrastructure owned by the company, cyber incidents that start via a remote employee using a personal device may be excluded, even if they end up impacting the business’s central IT infrastructure.
Exclusions like the one described above could also impact third-party coverage in the case of a breach of sensitive data. If a breach stemmed from a company employee who divulged credentials or otherwise granted access, legally speaking it doesn't matter whose device the employee was using. The company is liable for the regulatory fines, notification responsibility, and other costs, no matter what. So if a cyber policy’s exclusions limit the insurance response, the uncompensated third-party costs could be substantial.
Another exclusion to watch out for is one for unencrypted devices. This could be problematic for companies with remote workers using personal devices, even if their policy does not exclude personal devices outright. Apple iPhones are the only mainstream consumer technology that comes with encryption automatically. MacBooks can have encryption enabled easily, but it is not done by default. And Windows laptops and Android phones have no built-in encryption at all -- it must be affirmatively added by the company’s IT department. That all adds up to many, many personal devices that are potential vectors for attack and would potentially cause all costs to go uncovered because they are excluded.
A Caveat for Personal Data and Device Replacement
One cost that is sometimes covered in a cyber policy is replacement costs for hardware that is completely ruined by a cyber attack, or “bricked” in IT speak. If an employee is using a personal device for work that is then damaged by a cyberattack, the replacement costs that individuals must pay to replace their own device will not be covered by Corvus, or by most other markets. That said, if a company-issued device is being used by a remote employee, there are no relevant restrictions, and the “bricking coverage” would apply normally.
This is a long answer to a question that, if you work with Corvus, has a very simple answer. Yes, your client’s remote workers are covered by Smart Cyber Insurance!