Insuring a Newly Remote Workforce Post-COVID-19: Coverage Considerations Under Cyber and Other Commercial Insurance Policies

Pillsbury Winthrop Shaw Pittman LLP

TAKEAWAYS

  • Longer-term remote work impacts companies’ risk exposures and coverage under many insurance programs.
  • Policy terms may no longer align with the “facts on the ground” of remote operations, which could lead to coverage gaps and/or disputed claims.
  • Companies choosing to shift to more permanent remote operations should consult with experienced coverage counsel to review their policy terms.

In response to the uncertainties presented by COVID-19, many companies have shifted employees to remote work on a temporary basis. State and local law in locations across the country further required remote work for many companies. A few months into the pandemic, indications are that some of these companies are considering or already implementing a transition to permanent remote work for most or all of their employees. Such a change to long-term remote work impacts a company’s risk exposures in a variety of areas and in ways that affect many of the company’s insurance programs. Any company considering permitting or requiring its employees to work remotely as a long-term strategy should have its insurance policies reviewed carefully by experienced coverage counsel to identify potential gaps or coverage issues and recommend changes in policy terms to align the company’s coverage with the different risks of remote operations. To date, commercial policies generally have been written based on the premise that the policyholder’s employees mostly work in company offices; in a remote workforce world, many policy terms will no longer match that risk profile. While companies’ insurance policies and risks differ, there are some common issues that may arise under several types of commercial insurance policies in connection with a remote workforce.

Cyber Insurance

While cyber insurance is increasingly widespread, there are still companies that do not purchase dedicated cyber insurance, instead relying on limited cyber coverage in more traditional business policies or concluding that their cyber risk does not need to be covered. However, cyber insurance is a must-have for any company shifting to a permanent remote workforce, as that change will make the company more vulnerable to hacks, social engineering schemes and data privacy incidents. Even if the company already has dedicated cyber insurance, the policy should be reviewed to ensure the terms match the actual risk exposure of the company’s remote operations.

The sudden increase in remote working in response to COVID-19 has come with a corresponding increase in cyberattacks. The Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency, along with other government agencies, have warned that with so many people accessing networks via remote connections, hackers are seeking out any flaws in network security and targeting vulnerabilities in virtual private networks (VPNs) and other remote work tools and software. Government agencies have also warned that phishing attacks, using COVID-19 as a lure, are on the rise. Hackers are preying on the public’s COVID-19 fears and thirst for information, using COVID-19-themed emails to entice recipients to click on links to visit websites that hackers use to steal data, including login information, or to entice recipients to download malware, including ransomware, inadvertently. Hackers also are exploiting the increased use of communication platforms like Zoom and Microsoft Teams, using those as additional lures in phishing emails. The sudden switch to a remote work environment also means that sensitive data is being sent across companies’ networks in ways it ordinarily would not, thereby increasing the risk of breach.

While specific issues associated with the COVID-19 pandemic will end at some point, the fact remains that there is more vulnerability inherent in a dispersed network operating on home systems than a centralized network in offices. Remote workers’ VPNs run on home networks with additional non-company workers, IoT devices and less robust security. Hacking of virtual communications networks will always be an increased risk over in-person meetings.

Cyber policies typically insure against a company’s losses and its liability to third parties resulting from a failure or breach of network security, such as malware, ransomware, distributed denial-of-service attacks, or other methods used to compromise a company’s network and sensitive data. Such covered losses typically include:

  • Liability arising out of the unauthorized use, disclosure, access or destruction of protected information, including personally identifiable information or confidential/proprietary third-party corporate information such as trade secrets, or the failure to implement or comply with policies regarding protected information.
  • Costs incurred to comply with a breach notice law, including related legal fees, or to provide voluntary notice to affected individuals.
  • Costs to hire a computer forensics consultant to investigate a breach and assess disclosure of protected information.
  • Costs to minimize reputational harm in the event of a breach, including the cost to set up call centers and provide credit monitoring services to affected individuals.
  • Monies paid in response to a cyber extortion demand in which a hacker threatens to attack or disrupt the policyholder’s network or website or release protected information.
  • Liability arising out of a failure or breach of network security, including impacts to a third party’s network, such as infection through virus or malware, the inability of an authorized third party to access your network, or the unauthorized use, disclosure, or destruction of data or software.
  • Business interruption in the event the policyholder’s network is shut down or rendered unusable due to a cyberattack.

Companies with remote workers using personal devices to access company networks should make sure that their cyber policy includes such devices within the scope of covered computer systems for cyberattacks, with language such as “including employee or independent contractor owned devices authorized by the Insured to access the Insured’s computer network.” Companies should also estimate expected costs of repairing or restoring their network after a cyberattack—costs that will likely be higher where user systems are decentralized at remote work locations—and evaluate their cyber policy’s limits accordingly.

A risk related to, but distinct from, direct cyber hacks is social engineering fraud. A classic example is a scammer contacting an employee as a vendor or other payee and providing “updated” payment information—to an account controlled by the scammer. COVID-19 has increased the possibility of such an effort being successful, as normal processes and interactions have been disrupted. There is an increased risk of social engineering loss whenever people are working remotely, as they are not having face-to-face interactions and are relying more on email, instant messaging, and calls from unfamiliar numbers that can be easier to manipulate. As such, companies transitioning to long-term remote work should make sure their coverage meets those risks. For example, social engineering coverage is often sub-limited to cover an amount that may be below amounts that the company routinely transmits in payments, raising the risk of excess uncovered loss.

There was increasing regulatory attention being paid to cybersecurity and privacy protection even before the COVID-19 outbreak. For example, the California Consumer Protection Act (CCPA), with its broad scope of privacy protections required by companies doing business in California, went into full effect this year. The pandemic has increased this scrutiny, for instance in connection with contact tracing. There is increased risk of unintentional violation of such privacy laws and regulations with remote work, which decentralizes the transmission of protected information and decreases the company’s control over its use. Many cyber policies are now including coverage for unintentional violation of privacy laws, covering loss such as liability and defense fees arising out of a regulatory proceeding alleging acts, errors or omissions that result in the violation of law governing protected information or the violation of a breach notice law. Companies shifting to permanent remote work should ensure such coverage is provided in their cyber insurance to protect against this risk, as well.

Commercial Crime Insurance

Commercial crime insurance often provides coverage for losses that dovetail or overlap with dedicated cyber insurance, such as coverage for funds transfer fraud or computer fraud. Computer fraud coverage typically covers the taking or fraudulently induced transfer of money, securities, or property via a hack or other use of the policyholder’s network. As an example, this coverage may apply if a company is the victim of a social engineering attack such as described above.

Where there is such an overlap in a company’s coverages, the company should carefully evaluate the policies’ “other insurance” provisions, which dictate which policy provides coverage on a primary or excess basis. Some policies even provide that otherwise covered loss is excluded where it is covered under another policy. Coordinating cyber and commercial crime coverage is crucial to avoid unexpected gaps.

Further, commercial crime policy terms do not always apply to electronic processes or systems in ways that policyholders expect them to. Disputes have arisen where, for example, the policy covers the fraudulent transfer of money by the use of a computer and the policyholder was targeted by an email scam. Insurers have argued that such spoofing does not constitute computer fraud because such losses—unlike “hacking” incidents where an outsider actually commandeers and manipulates a company’s computers—do not involve the outsider’s use of company computers to execute the transfer. Rather, the insurers have argued, they involve tricking a company insider into doing so. In those situations, coverage may turn on the specific language of the policy. See, e.g., American Tooling Center, Inc. v. Travelers Casualty and Surety Co. of America, 895 F.3d 455 (6th Cir. 2018) (rejecting the insurer’s arguments for limiting the definition of “Computer Fraud” to hacking-type events “in which a nefarious party somehow gains access to and/or controls the insured’s computer,” noting that if the insurer had wished to define computer fraud so narrowly, it could have used narrower language). Disputes have also arisen where these coverages are applied to the use of new technologies such as third-party electronic payment systems, with insurers insisting that funds diverted while being processed through such systems were not taken from the insured themselves, and are thus not covered. Seemingly small differences in policy language, which can be negotiated in advance of purchasing the company’s policy, can make a significant difference in coverage for these and other types of claims.

For example, requirements in some commercial crime policies that the company suffer a “direct loss,” and/or that the loss be “directly caused” by use of a computer, have been applied differently by different courts where intermediate steps were taken by employees to initiate a fraudulent transfer of funds. Compare Medidata Solutions Inc. v. Federal Insurance Co., 729 Fed. Appx. 117, 119 (2d Cir. 2018) (recognizing that New York law equates the phrase “direct loss” to “proximate cause,” the court found for the policyholder: “It is clear to us that the spoofing attack was the proximate cause of Medidata’s losses. The chain of events was initiated by the spoofed emails, and unfolded rapidly following their receipt. … [W]e do not see [Medidata employees’] actions as sufficient to sever the causal relationship between the spoofing attack and the losses incurred.”) with Apache Corp. v. Great American Insurance Co., 662 Fed. Appx. 252 (5th Cir. 2016) (applying Texas law, the court found that the policyholder’s loss was not covered because spoofed “email was merely incidental to the occurrence of the authorized transfer of money.”). Companies can reduce the likelihood of such disputes by seeking changes to such policy language when purchasing/renewing their policies to align with the company’s operations and anticipated risks, including purchasing specific social engineering coverage.

Employers’ Liability Insurance

Employers’ liability insurance typically covers an employer for bodily injury claims by workers not covered by workers’ compensation. Employers are generally responsible for providing a safe work environment, regardless of whether the employee works remotely or on-site. Coverage for injury to workers often turns on issues such as the categorization of the worker (e.g., employee or independent contractor), where the injury occurred, or the activity the worker is engaged in at the time of injury. These lines can become more blurred for remote workers.

Employee characterization generally hinges on what party controls the work, which may be less clear in remote working situations. The general rule is that a worker is an independent contractor if the payer has the right to control or direct only the result of the work and not what will be done and how it will be done. Companies with remote workforces should ensure that the definition of covered workers under their employers’ liability policy encompasses the workers to whom the company or its additional insureds may be found liable for “workplace” injuries, including workers who could be characterized as independent contractors. Employers’ liability insurance is often used to provide “pass-through” coverage for contract partners who are sued by a company’s employees. If the company’s employers’ liability insurance does not cover all its categories of workers, the company may be without coverage for indemnity obligations to such third parties.

When remote work is instituted on a permanent basis, logic would suggest that the location of the worker does not matter. But insurance policies typically provide coverage for loss or injury within a “coverage territory,” and in employers’ liability policies that territory is often limited. Companies should therefore make sure that their policies’ coverage territory includes everywhere their workers may be located. If, for example, an employers’ liability policy only covers injury in the U.S., Canada, and Mexico (which is fairly common), there may be a coverage issue if a remote employee is injured while working outside of those countries for any extended period of time. Companies that employ workers who regularly travel outside the U.S. on business or that employ workers in foreign countries should consider purchasing a foreign voluntary workers compensation policy.

Less control over activities of remote workers can also blur the line of what is covered injury and what is not. For example, a court found that a claimant’s injury “resulted from a risk of her work environment” and, thus, “arose out of” her employment where the claimant, at home but during work hours, tripped over her dog while going to her garage to retrieve fabric samples for work. See Sandberg v. JC Penney Co. Inc., 243 Or. App. 342 (2011). Other courts have routinely held that an employee who sustains an injury during minor deviations from work activities, such as going to the bathroom or getting lunch, may be considered to have sustained an injury in furtherance of the employer’s business. This is particularly true for injuries that occur in remote work locations approved by the employer, such as an employee’s home. See Verizon Pennsylvania, Inc. v. Workers’ Comp. Appeal Bd. (Alston), 900 A.2d 440 (Pa. Cmwlth. 2006) (finding for a claimant who was injured when she fell down the stairs of her home-office after getting a glass of juice from her kitchen). This changes the risk companies face for worker injury claims, and the specific terms and limits of employer coverage should be evaluated for consistency with this different risk.

Property Insurance

Property insurance typically covers commercial locations that a company rents or owns and property within those locations. However, it may exclude or significantly limit coverage for property located outside of specified covered locations, even if the company owns that property.

Most commonly in remote work situations, such property consists of equipment like computers and related devices. Companies transitioning to permanent remote work should evaluate whether their property policy terms cover such equipment and the potentially even more valuable data in it. Coverage disputes have arisen regarding whether property policies cover damage to electronic data residing on physical hardware or diminished performance of the hardware. For example, a federal court recently ruled that a claimant’s property insurance policy covered the replacement of its computer system following a ransomware attack. See National Ink and Stitch, LLC v. State Auto Property and Casualty Insurance Co., No. SAG-18-2138, 2020 WL 374460 (D. Md. Jan. 23, 2020) (finding that the claimant “can recover based on either (1) the loss of data and software in its computer system, or (2) the loss of functionality to the computer system itself,” where the policy does not limit coverage to “tangible property” and expressly includes “data” and “software” as categories of “covered property”). Coverage for physical and non-physical property will depend on the specific language of the policy, and should be evaluated in tandem with the company’s cyber insurance.

And while companies transitioning to a remote workforce may have less exposure to classic property damage loss, other coverages such as business interruption coverage are also typically tied to insured locations. This can raise issues with triggering such coverages if remote employees do have a work shutdown, but the cause is not at or within the required distance from an insured location. Companies transitioning to a remote workforce should carefully consider the business interruption losses they may face, and ensure their property policy terms respond to those expected losses.

Directors and Officers Liability Insurance

Directors and officers (D&O) liability insurance typically covers (1) individuals from personal losses if they are sued in their capacity as a director or an officer of a company and not indemnified by the company, (2) a company’s losses indemnifying its directors and officers in such lawsuits, and (3) certain direct lawsuits against the company. While a shift to remote work is not likely to directly impact D&O coverage triggers, such a shift may lead to claims against companies or their directors or officers asserting mismanagement, failures in policies and procedures, or other alleged wrongful acts relating to remote operations or network security. D&O policies may also apply to certain consequences of cybercrime, such as claims by shareholders that the company’s management failed to take adequate steps to protect the company and its customers. As a result, companies should confirm that they have sufficient D&O coverage in place to respond to such claims.


While remote work has been gaining traction for years, more companies are now considering or implementing the long-term change of requiring or allowing their employees to work remotely. It is crucial for companies making this change to evaluate their insurance policies in detail to make sure that they match what the company is actually doing and to seek modifications to policy terms as needed to align coverage with the companies’ remote work strategy.

And while this article necessarily discusses potential coverage issues arising from remote work in fairly broad terms, often seemingly minor details in policy language can mean the difference between a covered and uncovered claim. As more companies transition to permanent remote work, insurers may (and should) create new policy forms focused on companies whose workforce is primarily or entirely remote. Until then, many traditional forms include definitions and foundational terms that do not align properly with remote operations. Accordingly, companies must work with their brokers and experienced coverage counsel to identify potential gaps and necessary changes in coverage or policy language.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Pillsbury Winthrop Shaw Pittman LLP | Attorney Advertising
