March 25, 2020
In what has often been referred to as the “wild west” of the insurance industry, the cyber insurance marketplace offers a wide variety of policy forms that vary significantly in the scope of coverage provided. With COVID-19 now added to the mix, along with the evolving cyber risk created by the sharp increase in the number of employees remotely connecting to a company’s internal networks under the company’s remote work option plan (telework), the risk of a cyber insurer denying coverage based on one of the many exclusions in a typical cyber insurance policy has never been greater.
Now is the time for a company to carefully review its cyber insurance policy, understand the policy’s exclusions, and, where possible, take steps to implement practices and procedures to ensure that all company activities, notably telework plans, do not fall within the enumerated list of exclusions. Many cyber insurers are willing to modify exclusions in cyber policies to carve back certain coverages, but only if requested by an insured to do so.
To assist in such a review, discussed below are two typical pre-COVID-19 exclusions that now require a new level of attention given the evolving cyber risks associated with increased employee telework stemming from COVID-19 concerns.
- Minimum Security Standard Exclusion.
Cyber policies typically exclude coverage for claims based upon the insured’s failure to maintain minimum security standards, for example, failure to comply with “industry standards,” failure to comply with specifically listed “minimum required practices” and/or failure to comply with the security procedures identified by the company in its initial cyber insurance application.
Unfortunately, given the recent drastic increase in the level of telework, there may be no defined industry standard for telework-related safeguards, a cyber policy’s listed minimum required practices may not address telework safeguards, and/or the company may not have specifically addressed telework safeguards in its initial application for cyber insurance.
If a company cyber policy has this type of exclusion language, the company should request that it be removed or, alternatively, that any ambiguities be clarified by the carrier in an endorsement. In certain cases, a company might seek to supplement its application to address safeguards to be put in place for its teleworkers. In that event, the company should implement sound telework policies that set forth the required security protocols and level-set the company’s expectations with respect to the security and privacy of company information during telework scenarios. Examples of telework related safeguards to be included in such a policy are:
- Encryption. Sensitive information, such as certain types of personal information (for example, personnel records, medical records, financial records), that is stored on or sent to or from remote devices should be encrypted in transit and at rest, both on the remote device (for example, by full-disk encryption) and on any removable media used with the remote device.
- Training Related To Phishing And Related Social Engineering Attacks. All employees working remotely should receive training on how to detect and handle phishing attacks and other forms of social engineering attacks involving remote devices and remote access to company internal networks. The company should document such telework security training as well as follow-up with security “reminders” and testing.
- Separation of Devices. The sharing of work remote devices should be prohibited. If an employee brings a work remote device home, that remote work device should not be shared with or used by anyone else in the home.
- Virtual Private Networks (VPNs). A VPN encrypts traffic between the remote device and the company’s VPN gateway, which protects it from eavesdropping on the local network, especially a public Wi-Fi network. If the company has a VPN in place, it should require that employees exclusively use the VPN when working remotely and confirm that the VPN configuration actually routes company traffic through the tunnel.
- Prohibition On Downloading. Company information should never be downloaded or saved to an employee’s personal device or non-work cloud service, including employee personal computers, personal thumb drives, or personal cloud services such as an employee’s personal Google Drive or Dropbox account.
- Security Software. Endpoint security software should be installed on all remote devices accessing company internal networks, and the security software, operating system, and applications on those devices should be kept up to date with all necessary patches.
- Prohibition On Use Of Public Wi-Fi. A company may want to consider prohibiting remote access to company internal networks through public Wi-Fi. When the company office is closed, employees may be tempted to work from local cafes and coffee shops. Without a company VPN, this creates a significant cyber security risk, because anyone on the same network can observe or tamper with unencrypted traffic.
- Remember Password Functions. “Remember password” functions in browsers and other applications should be turned off when employees log into company internal networks from remote devices, so that a lost, stolen, or shared device does not hand over saved company credentials.
- Multi-Factor Authentication (MFA). MFA should be implemented and enforced for all remote access to company internal networks and company cloud services, including VPN and email logins.
- Mobile Device Management (MDM) and Mobile Application Management (MAM). MDM and MAM solutions, if implemented, can help manage and secure mobile devices and applications. These tools allow a company to remotely enforce a number of security measures, including data encryption, malware scans, and wiping company data from lost or stolen remote devices.
Note that once such safeguards are put in place, employees should receive documented training regarding them, and the safeguards should be followed, monitored, updated as necessary, and enforced.
- Lost Remote Device Exclusion.
Some cyber policies exclude coverage for claims based upon an employee’s lost remote device. Some insurers may be willing to remove this exclusion altogether. Other carriers may be willing to modify the exclusion so that it applies only to claims arising from the loss of an unencrypted remote device. The lesson here is that sensitive information that is stored on or sent to or from remote devices should be encrypted in transit and at rest, both on the remote device and on any removable media used with the remote device, and the company should be able to document that encryption was enabled on a device at the time it was lost.
If you have questions or would like to discuss your company’s cyber insurance coverage, contact information for the McGrath North Privacy and Cybersecurity Team can be found here.