Cybersecurity Vigilance During the COVID-19 Pandemic: Check Your Insurance Policy

Technology in business, and everyday life, is intangible now more so than ever for many Americans as we confront the COVID-19 pandemic. As people try and find some semblance of normalcy, technology is a lifeline to stay informed about the changing landscape around the virus, socialize with friends and family, entertain and educate kids kept out of school, and for those who can, continue to work at home.

In my city of Denver, Colorado, as of 5:00 P.M. on March 24, 2020, I am now required to work from home for at least three weeks; for me, technology will be a link to staying on top of work and my sanity. As I drove into the office on Tuesday morning for the last time for the foreseeable future, I began to think about cybersecurity threats. Even under normal circumstances, cyberattacks have become an unfortunate part of doing business and insurance needs today (see Chip Merlin’s blog post: Computer Fraud, Phishin, and Cyber Insurance Claims Pose Significant Risks and Coverage Issues). As stated by Toni Scott Reed in a great article I came across in the Tort Trial & Insurance Practice Law Journal:

The fact that technology and cyber operations are central to modern business means only one thing: someone will look for ways to steal, damage, or interrupt that cyber world for his or her own financial benefit or other purposes.¹

There will likely be millions of people working from home and accessing business records in a less secure environment, cybersecurity-wise, than they would on a usual basis, and IT security professionals will likely face an uphill battle to maintain cybersecurity. To that end, cybercrimes very likely could increase due to the expanded number of vulnerabilities. Cybercrimes can be carried out through extremely sophisticated measures (Distributed Denial of Service or DDoS²) as well as extremely unsophisticated measures (a simple email phishing scam³). Businesses have to be prepared to face the potential increase in cybercrimes including, “theft, fraud, misdirection of communication, identity theft, intellectual property theft, corporate espionage, system sabotage, data destruction, money laundering, and terrorism.”⁴

Due to the state and federal government recommendations and requirements of “social distancing” between people who are, and property that is (yes, property, if you did not have a chance to watch my colleague Larry Bache’s Facebook Live event on first-party property insurance coverage and COVID-19, I highly recommend you watch the replay), infected by COVID-19 to help stop the spread of the disease, businesses are seeing significant financial losses. Sadly, some are even confronting the potential of shutting the doors for good.

To add insult to injury, cybercriminals will only compound the tragedy:

First-party losses from cybercrime are those that an owner sustains when cybercrime damages, destroys, or deprives the insured of the use of insured property … First-party risks include the cost of replacing data that are lost through corruption of the system, loss of stolen property, the cost of replacing systems that become inoperable, and the labor expenses from reentering data. Additionally, an insured faces first-party risks of defenses expenses, fines, or penalties from state and federal statutes and regulations that require companies to report breaches. Finally, there may be risks of loss of the insured’s money, as well as lost income, consequential damages, and crisis management costs.⁵

To that end, businesses need to be prepared for the potential of losses due to cyberattacks. Part of that preparation needs to include a review of your property insurance policy to ensure you have the appropriate type and level of coverage to confront the risk. Business owners should ensure protection through both first-party and third-party coverage with their insurance providers to avoid cybercrime losses to their business and their customers. Business owners should discuss with their insurance carrier how their equipment, websites, company goodwill, finances, and other property is covered under their standard insurance policies. Business owners should also discuss the availability of cybersecurity risk-specific supplements, riders, or endorsements to their standard policy coverages. For instance, Errors and Omissions coverage could provide protection from accusations of professional negligence, which cause financial loss to clients. Or cyber insurance supplements that protect against data breaches or ransomware⁶ costs could provide much-needed relief for the financial exposure these cyberattacks cause, such as notifying customers, recovering compromised data, or assistance in paying the ransom to unlock your computer systems.

Today’s businesses not properly covered for cybersecurity crimes are always at risk of a detrimental loss. But the additional vulnerabilities associated with the many individuals now forced to work in atypical environments due to the COVID-19 pandemic may expose many businesses to more serious risks. Business owners need to review their insurance coverage to make sure they are protected.
___________________________________________
¹ Cybercrime and Technology Losses: Claims and Potential Insurance Coverage for Modern Cyber Risks – 54 Tort Trial & Ins. Prac. L.J. 153, 155 (Winter, 2019) Tonie Scott Reed.
² What is a distributed denial of service attack (DDoS) and what can you do about them? https://us.norton.com/internetsecurity-emerging-threats-what-is-a-ddos-attack-30sectech-by-norton.html
³ What is phishing? How to recognize and avoid phishing scams. https://us.norton.com/internetsecurity-online-scams-what-is-phishing.html
⁴ Cybercrime and Technology Losses, at 155.
⁵ Cybercrime and Technology Losses, at 164-165.
⁶ A type of cyberattack that blocks access to a victim’s data, website, client services systems, or other critical resources. The ransomware is then used to demand payment of monies in return for unblocking access to the victim’s resources.