Does your cyber liability insurance cover data breaches that occur while employees are working at home, using their personal devices such as tablets and laptops?
There’s no time like the present to look into this issue, with most employees telecommuting and hackers perhaps sensing new opportunities to do what they do—and in fact, cyber intrusions have been on the upswing in recent weeks.
The fact that employees are using their own devices increases the risk of both a breach resulting in data loss and an event that falls outside the limitations of standard cyber liability insurance policies. Businesses should review their policies in detail to see whether and how they make reference to the types of hardware in use, and to the owner of said hardware.
Some estimates hold that cyberattacks and phishing attempts have soared by up to 4,000% since the beginning of statewide stay-at-home orders that have resulted in most people working from home, and bad actors are well aware of this.
In addition to their general awareness of people’s working arrangements, would-be hackers are getting “creative” in how they are attempting to perpetrate phishing scams, riffing off of the dynamics of the current environment.
One common scam involves sending out phony e-mails to coordinate e-meetings, a kind of message people are receiving in large numbers anyway. Based on the theory that employees won’t carefully scrutinize such e-mails, bad actors are attaching malware to these fake requests; once opened, it is released into the company’s systems and compromises its environment.
To protect systems and data properly, employees working from home should be given the same strong security protocols and measures as they would have in the office, such as access controls and multi-factor authentication. They should be urged to update programs and use antivirus software. And they should be made aware of the new categories of emergent threats.
But given that there’s always a risk of an incident, even with stringent protocols in place, businesses need to closely examine their insurance policies, many of which make sharp distinctions between company-owned and employee-owned computers and other devices.
This means equipment not owned by the company—which, after all, is the named insured on the policy, not the employee—might be excluded from coverage, or at least limited. At the very least, the policy might require that the company have a formal, written policy addressing the use of personal devices. So now might be the time to review that, as well.
Bottom line, during the pandemic companies might have no choice but to allow employees to work from home. And they might not have enough company-owned laptops and other devices to distribute to everyone so they can complete their work.
But if your cyber liability policy does not cover employee-owned hardware, and there is a breach, you will not be covered for damages such as data loss. And that’s probably not an extra symptom of coronavirus that you want to be hit with, in the midst of the many other challenges facing businesses and individuals during this difficult time.