Risk & Business Magazine General Insurance Services - Fall 2020 | Page 6

REMOTE WORKFORCE
REMOTE WORKFORCE
ATTRACTS NEW CYBER RISKS
BY: ALISON WILLIAMS
BUSINESS RISK ADVISOR,
GENERAL INSURANCE SERVICES
In response to the COVID-19 pandemic,
the world’s workforce saw an
unprecedented shift to remote work.
This has provided an ideal breeding
ground for both malicious cyber attacks
and unintentional data security incidents.
Various companies have done recent
research to identify the increased risks
associated with this sudden shift. One
study by BitSight (March 2020) saw that
as the number of employees and home IP
addresses associated with an organization
rises, the diversity of threats that their
devices are exposed to on the local home
network rapidly expands with it. It was
found that over 13% of companies had at
least one observation of malware on their
network, while 45% of companies had a
least one observation of malware on their
work-from-home networks, making them
3.5 times more likely to have a malware
infection present.
An article by Una A. Dean, Michael A.
Kleinman and Jasen Fears notes that
most businesses will have some degree of
coverage for losses associated with remote
work. Afterall, even before the pandemic,
companies made use of remote work
capabilities for after-hours work, work
travel and other out of office needs of their
employees without any special insuring
agreements. In fact, many cyber insurance
model forms do not specify a worker’s
physical location at the time of an incident.
Nonetheless, the scale and speed of the
workforce moving to remote working
triggered by the pandemic has generated
new attack and loss exposures not previously
contemplated. For instance, more employees
now work remotely on personal, rather than
company-issued computers. Also, many
more employees now access company
systems outside of a virtual private network
and use insufficiently secure hardware, such
as home wireless routers. Employees will
likely even work on devices accessible by
several people within their households. The
result of these behaviors may be a significant
departure from the company’s cybersecurity
and data privacy policies and procedures
as well as the representations made by the
business to its insurance carrier.
Two aspects of a typical cyber insurance
policy present the greatest potential gaps
in insurance coverage when supporting
a remote workforce: (1) whether the
company owns or operates the affected
network, device, and/or systems at issue in
the incident; and (2) whether the incident
stemmed from a departure from the
company’s information security and data
privacy policies and practices, as represented
in its insurance application.
One of the biggest coverage questions for
a claim arising from remote working is
whether the “network” is included within
the policy language. For example, an
employee downloaded and saved some
confidential company information. Now
the employee is working from home and
has a ransomware attack on his home
computer. Now add to the scenario that the
compromised materials contain information
that allows the attacker also to access the
company’s own network. Whether the
company has coverage for such incidents
may depend on whether the policy’s
definition of “network” is limited to software,
hardware, devices, and other infrastructure
owned, operated, controlled or leased by the
company. These specific words are key to
insurance coverage.
Cyber coverage for incidents occurring
during the pandemic could also be
complicated by the representations made
by the company in the applications for
insurance, new or renewal. Typical cyber
insurance applications require a prospective
insured to provide detailed information
concerning its information and data security
policies and procedures. These applications
often include questions about (i) policies
and practices related to password and antivirus
protection and encryption of devices
used for company business; (ii) information
concerning the number of remote-use
devices; (iii) restrictions on physical access
to computer systems and sensitive paper
records and (iv) the identity of internet
service providers used to access the network.
The response to each one of these questions
may be materially impacted by new practices
taken up by a company’s workforce in light
of the pandemic.
Widespread remote working appears here to
stay, even after the worst of the COVID-19
pandemic subsides. Many companies,
including GIS, have found that the transition
to remote work has not significantly
impacted productivity, and will choose to
keep at least some portion of their work
forces remote going forward. Considering
these factors, companies should revisit
the scope of their cyber coverage through
a review of potential policy issues and by
working with their Advisor to formulate a
customized company policy that meets their
needs and operational risks. +
Alison Williams was born and raised in
Chesterton. She attended Indiana University
earning her Bachelor’s degree. Prior to joining GIS
in 2016 Alison spent nearly 10 years in banking
helping clients with banking, investments,
business and loans. Alison lives in Chesterton.
has a son attending Indiana University
Bloomington, and is an active volunteer in
the community. She has been a member of the
Chesterton-Porter Rotary club and a Duneland
Chamber Ambassador since 2016 and a volunteer
with Porter County Court Appointed Special
Advocates (CASA) since 2015. In Alison’s spare
time she enjoys spending time with friends and
family, beach days and musical performances.
6