Businesses Should Re-examine Cyber Insurance Coverage due to COVID-19


Cyber Security Insurance

UPDATED AUGUST 23, 2020 –  A federal judge in Kansas has ruled that three Missouri restaurants can proceed with their claims against Cincinnati Insurance Company alleging that the policies also covered “physical loss,” which the insurers failed to define in the policies.  The insurance company’s argument is that the policies provide coverage “only for income losses tied to physical damages to property, not to economic loss caused by governmental or other efforts to protect the public from disease.” In other words, they cover direct physical damages or losses from events like storms or fires.  This argument was rejected by the federal district court judge.

August 10, 2020 –  The sudden expansion of remote work arrangements in the wake of the COVID-19 crisis has created a buffet of opportunities for would-be cyber criminals. And the newly reconfigured, decentralized satellite workplaces in people’s homes look to be with us for some time.   In addition to protecting themselves from the network vulnerabilities created by these off-site offices, businesses need to undertake a thorough review of their cyber insurance policies to ensure that if a malicious actor causes them harm, they are protected on the fiscal front.

Cyberattacks have surged in recent months because of the much greater use of personal devices, exponential expansions of access points, and inability to centrally control data. But many cyber insurance policies do not completely protect the policy holder from intrusions such as data breach, network shutdown, and civil or regulatory actions.

Data breaches can lead to tens of millions of dollars in financial exposure, and yet policy language for cyber policies has not matured into a standardized set of protections, and there is little caselaw interpreting cyber policy coverage.

Most policies do cover at least some costs related to data breaches, such as legal fees, forensic investigation and customer notification, and they address network interruption by reimbursing companies for lost profits along with any additional related expenses.

Policies also generally contain some amount of coverage for privacy and network security liability, the defense and settlement related to third-party claims or class actions, and legal fees incurred due to governmental regulatory investigations, along with any civil fines, penalties and/or settlements.

But even companies with these protections should consider optional coverage for issues like data restoration, payment card liability, and ransomware attacks, in which hackers encrypt digital assets using malware and extort a cryptocurrency payment in exchange. During COVID-19 there has been a surge in ransomware, as well as wire fraud schemes in which hackers forge emails and induce unsuspecting employees to transfer money to offshore accounts.

Companies should review their cyber policies to make sure the wording is precise and, if needed, these types of coverages should be specifically added by endorsement. Businesses should also make sure their policies don’t specifically exclude certain events, including such (allegedly) negligent network security as delays in software patches, the use of portable devices that are not fully encrypted, and design errors that impact the network’s traffic capacity.

Businesses should consult with experienced business lawyers and insurance specialists to ensure that the proliferation of endpoint devices that’s occurred since COVID-19 – and which is likely to persist through the end of this year and beyond – doesn’t lead to a proliferation of economic pain due to data breaches, network interruption, ransomware attacks and more that might slip through the cracks of their current cyber insurance policies. Experienced Chicago area business lawyers should be able to help you in the event of an attack or to consult about your specific coverage issues.