As the global business community grapples with the myriad of challenges presented by the COVID-19 pandemic, the virtual workplace and remote connectivity have become necessary lifelines for business to continue in a pandemic environment. The heightened reliance upon technology escalates cyber security considerations and brings increased focus on the scope of cyber insurance and professional indemnity coverages in a dynamic global insurance market.
A careful review of both existing coverages and emerging market offerings can help insureds confidently assess their cyber and technology-based risk transfer strategies in a new remote-dependent business world.
Existing Insurance May Already Address Cyber Risks Amplified by the Remote Workplace
Although the need to work from a distance has transformed useful technological alternatives such as remote login, video connectivity and the ability to conduct business on personal devices to business necessities, many cyber and professional indemnity insurance policies already contemplate coverage for the risks attendant to these now critical technologies.
Both stand-alone professional indemnity policies and cyber policies with a technology errors and omissions (E&O) insuring agreement may insure against many of the types of third-party liabilities that may arise out of technology services that many businesses may be providing in greater volume during the pandemic. Insureds should review key policy definitions such as professional services or technology services to determine whether any new or augmented service offerings in the current environment are contemplated.
Increased technology reliance also brings increased opportunities for hackers and network security incidents which may trigger third-party and first-party losses. While the risks may have increased as the use of these technologies has scaled, the exposure is not necessarily new as many cyber insurance policies typically provide coverage for these events including coverage for ransomware demands, incident response costs, network security liability, privacy liability and regulatory liabilities. Likewise, first-party costs may also be a part of many robust cyber insurance policies, including income loss and extra expense from network interruption or contingent business interruption, as well as data recovery and restoration costs and income loss from system failure.
Critically Assess New Exclusions and Policy Wording
Insureds should pay careful attention to new exclusions that insurance markets may offer both during and following the COVID-19 pandemic. For example, language seeking to exclude “any” losses or claims “arising out of” or “related to” COVID-19 should be avoided, or at a minimum, negotiated so that losses and claims intended to be covered are not excluded simply because they are occurring during the pandemic. Similarly, an exclusionary effect can accompany changes to definitions which attempt to narrow what is in-scope as a “professional service,” or what constitutes a “computer system.” As a result, insureds should work with their broking team to critically analyse the impact of any proposed wording changes given the new necessity of conducting business in a remote work environment.
Organisations should consider the following as they review cyber and professional indemnity coverage during and following the COVID-19 Pandemic:
- Risk Assessment Review: Assess changes to business activities and technology partners to determine whether such circumstances are contemplated by the scope of existing insurance policies.
- Cyber Risk Quantification Review: Quantify the potential insurable and non-insurable financial impacts of a cyber loss.
- Stress Testing existing Risk Transfer Strategies in terms of coverage and limits purchased.
Regarding insurance language in particular, organisations should ensure the policy remains fit for purpose in a new remote-dependent business world:
- Work with your broking team in advance of a renewal to determine whether any desired language amendments would be appropriate to help meet evolving remote business activities.
- Critically analyse any proposed language changes or new exclusions from insurance carriers and seek to resist efforts by insurance carriers to use the COVID-19 pandemic to restrict or remove core coverages traditionally offered in many cyber and professional indemnity insurance policies.
- Seek to negotiate the narrowest wording possible on exclusions, avoiding broad terms that may lead to overly broad application of exclusionary wording.