Cyber coverage amid COVID-19
Unfortunately, but predictably, the logistical issues and preclusions arising out of the COVID-19 pandemic has led to an influx of related cyber incidents, most commonly the result of phishing or other social engineering, and in some cases leading to significant compromises of systems and the exfiltration of data.
We have previously written on the greater cyber exposures and risks businesses and individuals should be aware of that arise from COVID-19 issues.
Businesses with cyber insurance policies and extensions are now claiming under those policies for incidents connected to COVID-19. Cover provided, particularly under cyber policies, is generally very broad and inclusive. However, there are particular coverage issues insurers and insureds should be alive to.
Covered Computer Systems and Networks
Almost all mass remote working solutions rely on the use of personal home networks and many businesses have turned to the use of personal devices. The influx in the use of personal devices and networks creates a significant potential coverage issue under cyber policies.
The extent of cover available for personal devices and networks and incidents arising from personal devices used as part of remote working solutions varies between policies. How computer system, business network or similar concepts are defined under a policy is generally critical in determining the extent of cover available.
Different cyber products take different approaches to cover for personal devices and networks. Some policies look to limit cover around organisation systems, whereas others cover personal devices and incidents arising from the use of personal devices in recognition of businesses incorporating flexible working arrangements.
However, policies that cover remote working scenarios are unlikely to have contemplated scenarios for businesses adopting mass remote working setups by utilising a significant volume of personal devices.
Insurers might wish to give consideration to the extent of cover provided for personal devices and incidents arising from the use of a personal device. Separately, insureds should consider whether there are any additional questions or requirements that they will need to address when they seek to renew their cyber cover.
Business Interruption due to mass remote working migration
Some businesses are looking to seek cover for downtime suffered as a result of issues they have faced in the transition to a mass remote working environment. This involves asserting that a company has suffered business interruption on account of human error, programming error or similar.
While it is questionable that such a scenario was ever intended to be covered by a cyber policy, cover under certain policies may be triggered where the insured can demonstrate there was a business interruption that was caused by a human error or programming error in the course of implementing remote working platforms. The relevant consideration will be what triggers business interruption cover under the relevant policy.
Business Interruption Loss generally
The scope of cover for business interruption loss under cyber policies has long been a point of confusion and frustration for insurers and insureds. This is due to a number of factors, including the “waiting period” before business interruption cover commences, the duration for which business interruption cover is provided, and how business interruption loss is to be assessed, each of which differs under various policies.
Further complications arise when business interruption loss is to be assessed for a cyber incident that has occurred in the wake of COVID-19. Business interruption losses due to the impact of COVID may be difficult for insureds to separate from those suffered as a result of a cyber incident.
Somewhat confusingly, policies that set out with greater specificity how to assess business interruption loss with reference to metrics from previous financial years may result in more favourable outcomes for insureds than policies that are less specific about specify how business interruption loss should be assessed.
How cyber policies have approached betterment (the replacement of impacted hardware or software with a superior version) has evolved over time from generally excluding it entirely, to incorporating some element of cover for it.
This is in recognition of the speed of technological advancements, the difficulty and cost of replacing old or outdated hardware and software with an equivalent as compared to a newer superior option, as well as the acceptance that newer options often facilitate more secure systems at similar price points.
Businesses have been forced to expose their often-ageing internal hardware and software systems to mass remote working setups in a manner never intended or contemplated. The personal device endpoints of many mass remote working setups are also potentially older hardware and software systems. There is therefore a greater prospect of older systems becoming embroiled in a cyber incident and cover then being sought to repair or replace those systems. How betterment is dealt with under the relevant cyber policy will come into sharp focus.
The reliance on utilities and network infrastructure for mass remote working will mean infrastructure exclusions in policies are likely to be tested. Employees who are unable to connect to office systems due to failures on the part of utilities and internet service providers for any extended period may look to claim under cyber policies. Infrastructure exclusions will go some way towards excluding such claims.
The coverage issues raised above should be carefully considered for claims made in the current environment. As additional claims for incidents connected to COVID-19 are made, there will likely be other coverage issues that arise.
Looking further ahead, there are likely to be policy wording changes or changes to the renewals process to account for the fallout from COVID-19, particularly to account for an increase in remote working arrangements.
Gilchrist Connell’s Cyber team has assisted insurers and insureds on all legal aspects of cyber risk and cyber incidents to minimise the damage and help businesses recover as quickly as possible.