Insurance brokers and industry attorneys say that cyber insurance is heating up.
They are seeing both an uptick in CLAIMS and an uptick in INQUIRIES, likely as a result of an uptick in attacks.
Actually, the uptick in attacks is more like a flood since Covid-19 came around. Note that many of them won’t be detected until business as usual resumes – whenever that is.
The issue is that the move to work at home has increased the attack surface, for a lot of reasons, including the fact that companies did not have the time to plan for it.
At least some of you have cyber policies, so here are some questions to be asking. For those of you buying, this is a great time to ask questions.
First of all, do you have the right coverages? We have seen many policies that do not include ransomware coverage. Kind of a problem these days.
Insurance broker Marsh says that they are not seeing Covid-19 exclusions (or more generally pandemic exclusions) – yet.
But they are seeing carriers asking more questions – for example about disaster recovery and business continuity – things that would be very important to have during a ransomware attack and which, if not in place, will definitely cost the carrier a lot of money to spin up in real time.
Aon says they are seeing more scrutiny during underwriting. The carriers are asking about whether prospects have adequate security measures in place for remote working.
Then there is that wonderful catchall – do you maintain reasonable security measures? That is something that your lawyer and your insurance company’s team of lawyers can argue about for a long (expensive) time.
Zurich Insurance says that businesses that are dealing with the pandemic should focus on risk mitigation and conduct cyber risk assessments to identify their specific risks.
Then there are basic questions like the definition of a computer network. Is your employee, using his or her personally owned computer, running on his or her personally owned WiFi connection, considered part of your computer network? What about personally owned hardware? Is it covered?
Whether the carrier wins that argument or not, they may try to wear you down.
And you need to understand what coverage you have when it comes to breach response costs. There may be sub-limits and restrictions and those costs may be deducted from the total coverage available.
Will there be coverage if your employee’s home WiFi was compromised years ago, the employee didn’t do anything to secure it or detect the breach, and you get hit with a CCPA breach lawsuit for data leaking out that way? A lawsuit like that could, potentially, run into the millions.
These are all risks that you need to understand, and before a breach would be a really good time to do that.