2 April 2020
Mike Karbassi

BYOD: Does A Cyber Insurance Policy Cover Remote Workers?

Probably, but the answer isn’t always simple.

Disclaimer: This blog contains summary information about Corvus policy language. Please refer to the Corvus Smart Cyber Insurance policy form for its full terms, conditions, and exclusions.

As millions of Americans have shifted to working from home, one of the questions we hear every day from brokers is whether their client’s Corvus policy will respond if a cyber incident’s cause or vector is a remote-based worker. 

One thing we can settle right away: when it comes to a Corvus Smart Cyber or Smart Tech E&O policy, the answer is yes. There is no language in our form that specifies a worker’s physical location at the time of an incident.

But beyond that short answer, it’s worth exploring some possible reasons why there is some confusion about this question, and why there may be issues with coverage from other policies.  

First-Party Cyber Coverage: Not Your Father’s Property Policy

Part of the perception of possible non-coverage stems from the legacy of other common P/C commercial policies. 

In a Property Insurance policy, for instance, the buildings or equipment owned or leased by the company are the subject of the coverage. If a situation arises that might be covered under a property policy, but the employee or customer is not on the physical premises covered in the policy, then that policy will not respond. For a lot of people, especially those who work in insurance, this principle is ingrained. 

Cyber Liability policies are different. In covering losses from cyber perils, they are often agnostic to the vector for attack. It could be an attack directly on the corporate system, one routed through a social engineering attack on an employee, or a hack of an individual’s credentials. In all of these situations, the cyber coverages will respond the same way. This is the case with Corvus policies. 

Beware the Exclusions

As stated above, Corvus policies contain no direct exclusions based on the location of the worker. There are, however, some common exceptions to look out for when dealing with other cyber forms. 

First, some insurers will limit their exposure to infrastructure owned, or leased, by the insured. Look closely at policies for this language. It presents legal ambiguity when it comes to situations where an employee was a vector for attack while using a personal device. 

In the current Covid-19 environment, for example, a company that never had a formal “BYOD” policy may be suddenly encountering scores of employees using personal devices to work — in fact, the company may be requesting that they do so out of necessity. If the company’s cyber policy contains exclusions that limit coverage to infrastructure owned by the company, cyber incidents that start via a remote employee using a personal device may be excluded, even if they end up impacting the business’s central IT infrastructure.

Exclusions like the one described above could also impact third-party coverage in the case of a breach of sensitive data. If a breach stemmed from a company employee who divulged credentials or otherwise granted access, legally speaking it doesn’t matter whose device the employee was using. The company is liable for the regulatory fines, notification responsibility and other costs, no matter what. So if a cyber policy’s exclusions limit the insurance response, the uncompensated third-party costs could be substantial.

Another exclusion to watch out for is one for unencrypted devices. This could be problematic for companies with remote workers using personal devices, even if their policy does not exclude the personal devices outright. Apple iPhones are the only mainstream consumer technology that comes with encryption automatically. MacBooks can have encryption enabled easily, but it is not done by default. And Windows laptops and Android phones have no built-in encryption at all — it must be affirmatively added by the company’s IT department. That all adds up to many, many personal devices that are potential vectors for attack and that could leave all costs uncovered because the devices are excluded.

A Caveat for Personal Data and Device Replacement

One cost that is sometimes covered in a cyber policy is replacement costs for hardware that is completely ruined by a cyber attack, or “bricked” in IT speak. If an employee is using a personal device for work that is then damaged by a cyberattack, the replacement costs that individual must pay to replace their own device will not be covered by Corvus, or by most other markets. That said, if a company-issued device is being used by a remote employee, there are no relevant restrictions, and the “bricking coverage” would apply normally.

 


 

This is a long answer to a question that, if you work with Corvus, has a very simple answer. Yes, your client’s remote workers are covered by Smart Cyber Insurance!

Mike Karbassi

Mike Karbassi is Vice President and Head of Cyber Underwriting at Corvus. He specializes in Network Security, Privacy Liability, Technology E&O, Media Liability, and Miscellaneous Professional Liability. Karbassi has over a decade of experience in insurance and is a graduate of the Boston University Questrom School of Business.
