Risk & Business Magazine General Insurance Services - Fall 2020 - Page 6

REMOTE WORKFORCE REMOTE WORKFORCE ATTRACTS NEW CYBER RISKS BY: ALISON WILLIAMS BUSINESS RISK ADVISOR, GENERAL INSURANCE SERVICES In response to the COVID-19 pandemic, the world’s workforce saw an unprecedented shift to remote work. This has provided an ideal breeding ground for both malicious cyber attacks and unintentional data security incidents. Various companies have done recent research to identify the increased risks associated with this sudden shift. One study by BitSight (March 2020) saw that as the number of employees and home IP addresses associated with an organization rises, the diversity of threats that their devices are exposed to on the local home network rapidly expands with it. It was found that over 13% of companies had at least one observation of malware on their network, while 45% of companies had a least one observation of malware on their work-from-home networks, making them 3.5 times more likely to have a malware infection present. An article by Una A. Dean, Michael A. Kleinman and Jasen Fears notes that most businesses will have some degree of coverage for losses associated with remote work. Afterall, even before the pandemic, companies made use of remote work capabilities for after-hours work, work travel and other out of office needs of their employees without any special insuring agreements. In fact, many cyber insurance model forms do not specify a worker’s physical location at the time of an incident. Nonetheless, the scale and speed of the workforce moving to remote working triggered by the pandemic has generated new attack and loss exposures not previously contemplated. For instance, more employees now work remotely on personal, rather than company-issued computers. Also, many more employees now access company systems outside of a virtual private network and use insufficiently secure hardware, such as home wireless routers. Employees will likely even work on devices accessible by several people within their households. The result of these behaviors may be a significant departure from the company’s cybersecurity and data privacy policies and procedures as well as the representations made by the business to its insurance carrier. Two aspects of a typical cyber insurance policy present the greatest potential gaps in insurance coverage when supporting a remote workforce: (1) whether the company owns or operates the affected network, device, and/or systems at issue in the incident; and (2) whether the incident stemmed from a departure from the company’s information security and data privacy policies and practices, as represented in its insurance application. One of the biggest coverage questions for a claim arising from remote working is whether the “network” is included within the policy language. For example, an employee downloaded and saved some confidential company information. Now the employee is working from home and has a ransomware attack on his home computer. Now add to the scenario that the compromised materials contain information that allows the attacker also to access the company’s own network. Whether the company has coverage for such incidents may depend on whether the policy’s definition of “network” is limited to software, hardware, devices, and other infrastructure owned, operated, controlled or leased by the company. These specific words are key to insurance coverage. Cyber coverage for incidents occurring during the pandemic could also be complicated by the representations made by the company in the applications for insurance, new or renewal. Typical cyber insurance applications require a prospective insured to provide detailed information concerning its information and data security policies and procedures. These applications often include questions about (i) policies and practices related to password and antivirus protection and encryption of devices used for company business; (ii) information concerning the number of remote-use devices; (iii) restrictions on physical access to computer systems and sensitive paper records and (iv) the identity of internet service providers used to access the network. The response to each one of these questions may be materially impacted by new practices taken up by a company’s workforce in light of the pandemic. Widespread remote working appears here to stay, even after the worst of the COVID-19 pandemic subsides. Many companies, including GIS, have found that the transition to remote work has not significantly impacted productivity, and will choose to keep at least some portion of their work forces remote going forward. Considering these factors, companies should revisit the scope of their cyber coverage through a review of potential policy issues and by working with their Advisor to formulate a customized company policy that meets their needs and operational risks. + Alison Williams was born and raised in Chesterton. She attended Indiana University earning her Bachelor’s degree. Prior to joining GIS in 2016 Alison spent nearly 10 years in banking helping clients with banking, investments, business and loans. Alison lives in Chesterton. has a son attending Indiana University Bloomington, and is an active volunteer in the community. She has been a member of the Chesterton-Porter Rotary club and a Duneland Chamber Ambassador since 2016 and a volunteer with Porter County Court Appointed Special Advocates (CASA) since 2015. In Alison’s spare time she enjoys spending time with friends and family, beach days and musical performances. 6