Law360 (May 14, 2020, 4:27 PM EDT) -- More companies are looking to cyber insurance to help manage the fallout from a wave of coronavirus-related cyberattacks, highlighting the need for businesses to pay close attention to internal data security shortcomings and policy limits that could spark coverage fights.
Insurance brokers and industry attorneys say they're seeing a spike in both cyber insurance claims and more general inquiries about how such policies can offset some of the liabilities companies are confronting as hackers aggressively move to exploit the security vulnerabilities created by the mass shift to remote working that the pandemic has necessitated.
"Cyber was already a hot area where we were seeing a lot of claims before the pandemic hit," said Tamara D. Bruno, a Pillsbury Winthrop Shaw Pittman LLP partner who represents policyholders. "Now with the massive abrupt change of so many working from home, that's just thrown gas on the fire."
And in the coming months, as society begins to take stock of the pandemic's legacy beyond the obvious public health and economic repercussions, "the impact of these data breaches and whether they're covered by cyber insurance will certainly be the subject of litigation, no doubt about it," according to Jeff Dennis, head of the privacy and data security practice at Newmeyer & Dillion LLP.
"Carriers have a lot of exposure coming out of the pandemic, so we'd expect carriers to be strong and stringent about what they cover or don't cover," Dennis added.
This new reality should prompt policyholders to take a close look at their current cyber risks, particularly new security gaps exposed by the coronavirus pandemic, and ensure the policies they have adequately cover these risks.
"This is a good time, especially if a company is making a longer-term change to working from home, to really look at cyber policies in detail from a legal standpoint to make sure that they match what the company is actually doing," Bruno said. "And if they don't have cyber insurance, they should really talk to a broker about cyber insurance or at least think about a different way to shift that risk, because companies really can't afford to not be thinking about this issue right now."
Whether coverage exists for the recent rise in ransomware, social engineering and other cyberattacks that use coronavirus-related topics to entice people to click on links or give up information that they shouldn't is likely to turn on several factors, including the company's cyber posture and the parameters of key policy terms, experts say.
Bob Parisi, U.S. cyber product leader at insurance broker Marsh, said he's yet to see carriers push for COVID-19-specific exclusions in cyber insurance policies. But he has witnessed carriers "start to ask more questions" about prospective and existing cyber-policy holders' business continuity and disaster recovery procedures.
Catherine Bertheau, cyber solutions business development lead for Aon Risk Solutions in Eastern Canada, agreed that there's been "more scrutiny" during the underwriting process about whether companies have adequate measures in place to deal with the specific cybersecurity issues raised by the rapid shift to remote working. These concerns include employees using personal devices and home networks that may be less secure, and software not being patched as often as it should be.
"This remote working environment had to be deployed rather fast for most companies, and that definitely created a structure that's a little more porous and has for sure amplified cyber risks," Bertheau added.
Many insurance policies already require companies to maintain certain reasonable security measures in order to qualify for coverage, a stipulation that's likely to gain additional attention as pandemic-related cyberattacks continue to emerge, attorneys say.
In other coverage areas, such as claims for property damage, most of the major risks and effective ways to deal with them have been identified, noted Joshua A. Mooney, who chairs the cyber law and data protection group at White and Williams LLP and regularly advises insurance carriers.
But in the cyber realm, the technology and risks are constantly changing, with bad actors quickly figuring out how to counter most fixes that companies put in place, Mooney said. Having a robust cyber program in place that allows a company to identify and report a potential incident to its insurer quickly is therefore vital, he said.
"It's clear that the longer these successful attacks go unnoticed by the insured, the greater the damage can be," Mooney added.
Global insurer Zurich stressed in comments provided to Law360 that it's "critical" that businesses confronting cyber-related risks stemming from the pandemic focus on risk mitigation and conduct cyber risk assessments to understand their unique risks.
How cyber policies define key terms such as the "computer network" that falls within the scope of coverage as well as limits put on certain types of risks and exposures will also be pivotal in coronavirus-related cyber insurance disputes, experts said.
Zurich stressed that each policy and claim "is unique and must be reviewed on the underlying facts, policy language and applicable law."
"One of Zurich's priorities is to encourage insureds to submit their claims as quickly as possible so that our knowledgeable claims professionals can, in turn, evaluate those claims for potential coverage eligibility as quickly and thoroughly as possible," Robyn Ziegler, manager of media and public relations at Zurich North America, said in an email Wednesday. "We believe this customized service is more helpful to our customers than providing hypothetical or blanket statements that may not apply to every customer's situation."
One factor that could impact whether coverage is available is how the cyber liability policy defines a covered computer network or hardware, and if this definition encompasses the range of personal devices and networks that employees are increasingly tapping into from home during the pandemic.
"We're likely going to see some instances where people have been hacked through their home office, and that's going to test some of these insurance policies because every policy is different when it comes to defining what's the covered computer network or system, and insurers may argue that an employee's devices being used at home don't qualify as part of the insured computer system," said Joshua Gold, chair of Anderson Kill PC's cyber insurance recovery practice group.
While Gold views that argument as "beatable" from policyholders' standpoint, "that won't stop some insurance companies from making it," he added.
Policyholders also need to be careful with provisions that might limit coverage for risks such as social engineering attacks, replacing equipment damaged by a breach or allowing employees to bring their own devices, so that they don't assume they have more coverage than they actually do.
"Rather than broadly cover losses due to a cyber event, policies typically drill down on specific events and types of liability, and it's pretty rare at least in my experience for policyholders to understand that sublimits will apply until either the carrier raises it or the policy arrives months later," said Scott Godes, a Barnes & Thornburg LLP partner who represents policyholders.
Companies also need to be mindful of the coverage they have for breach response costs and consider whether the expenses they incur when investigating an incident remotely may be different from those they encountered before the pandemic hit, Aon's Bertheau said.
"Breach investigations or recovery processes that have to be conducted remotely may require companies to invest way more leg work than usual, which could end up increasing their costs and add up to them eroding their coverage limit faster than pre-COVID," she said.
The pandemic has also heightened attention on the extent to which coverage is available for fines and penalties that arise out of the growing global patchwork of privacy and data security laws, including California's new Consumer Privacy Act, which took effect Jan. 1.
"Many cyber policies include broad language for coverage for fines and penalties, but it appears to very much still be an open question about how that plays out with indemnification for liabilities under specific laws like CCPA," said Farella Braun & Martel LLP partner Tyler Gerking, who's based in San Francisco and represents policyholders.
Mooney said he expects to see requests for carriers to defend and indemnify against the fines and penalties that arise from the CCPA, similar to the push that happened after the European Union's landmark General Data Protection Regulation took effect in 2018.
Those asks are expected to start flowing in as the California attorney general is allowed to begin enforcing the law starting July 1, attorneys say, and as new proposed privacy class actions filed against Zoom in the wake of the pandemic play out. Those suits are testing the limits of the narrow private right of action under the California law.
Experts also advised that businesses check other policies, like property and crime coverage, to see if some of their cyber-related losses are covered there. They added that many carriers in recent years have moved to address the issue of "silent cyber" coverage by explicitly defining what cyber-related risks are and aren't included in these types of policies.
"It should be an all-hands-on-deck approach when it comes to insurance for cyber claims," Gold said.
The fresh cyber risks exposed by the pandemic come at a time when the market for cyber insurance had already been rapidly expanding. Parisi noted that over the past two decades, cyber insurance has grown from being "a discretionary purchase to being pretty close to as non-discretionary as property insurance."
In a pair of recent trend reports, Marsh disclosed that 42% of its U.S.-based clients purchased cyber insurance in 2019, up from 38% in the previous year, and the number of clients purchasing standalone cyber insurance for the first time grew from 12% to 18% during that time period. The broker's research also showed that cyber insurance pricing rose 6% in the first quarter of this year, the largest increase since 2016.
Experts agree that, fueled by the rise in pandemic-related cyberattacks, these numbers will only continue to grow. They also predicted cyber insurance offerings may start to look a little different in the coming years, particularly if more companies follow the lead of businesses like Twitter and move to permanently shift work remotely.
"There are differences in underwriting a centralized network than a scattered network," Bruno said. "It will be interesting to see if there will be changes made to insurance policies, such as carriers asking for heightened or different security protocols, to lessen their risks when it comes to having more scattered networks and the security issues that go along with that."
--Editing by Philip Shea and Kelly Duncan.