Insurance coverage for cyber risks resulting from increased home-office activities due to the coronavirus
Due to the novel coronavirus COVID-19, more employees are working from home than ever before. But working from home carries with it an increased IT security risk. This is because it can often be assumed that employees’ home networks do not offer the same standard of security as a company’s network. Many companies are also allowing their employees to use their personal devices, from their personal notebooks to personal network printers or other storage devices (e.g. flash drives or external hard drives). Another risk-increasing factor is that more and more households use everyday devices that are software-driven and connected to the Internet. This creates additional vulnerabilities if such devices – which often have known security vulnerabilities – use the same network as the mobile devices used for work. There is a real danger that cybercriminals will increasingly and intentionally take advantage of the current situation to leverage the weaknesses of home networks to gain access to companies’ networks so that they can tap into personal and/or company data or encrypt it for blackmailing purposes.
Besides these more technical vulnerabilities in conjunction with the coronavirus, cybercriminals are increasingly attacking “human” vulnerabilities. On 2 April 2020, the German Federal Office for Information Security addressed this issue in a press release, stating that an increase in cyber attacks related to the coronavirus has been observed. Cybercriminals’ attack strategies include requesting, e.g. via e-mail, that companies disclose personal or company data on fake websites, requesting that users download compromised files from websites that supposedly offer information on the coronavirus and exploiting the current increased demand for personal protective equipment (PPE) and face masks on fraudulent online shops.
In many cases, companies with insurance that covers cyber risks can hope to receive compensation in the event of a cyber attack on their employees’ home offices. However, such companies must also observe any existing notification obligations in order not to jeopardise their insurance coverage.
1. Insurance coverage for home-office activities
An examination of the question of whether and to what extent there is insurance coverage if cybercriminals gain access to a company’s network using vulnerabilities in employees’ home networks must differentiate between whether the mobile work devices are the employees’ personal devices or have been provided by the company.
While there is usually insurance coverage in the latter case, notwithstanding special provisions, in the former case, i.e. where employees’ personal information and telecommunications devices are used, this often depends on a specific stipulation in the terms of the insurance policy. Depending on the specific terms, there may be only limited insurance coverage (e.g. special coverage limits). It should also be kept in mind that insurance coverage is sometimes made contingent upon the fact that use by employees is only permitted based on the policyholder’s contractual or general written permission.
If there are no special coverage clauses, the insurance coverage can also be determined based on the general description of the insured risk. If this description states that the insurance only covers attacks on the policyholder’s IT systems, the initial decisive factor becomes whether, and if so, how “IT systems” are defined in the terms of the insurance policy. If there is no definition, the extent of the insurance coverage is determined based on the understanding of an average policyholder.
Determining the extent of insurance coverage is usually easier if and to the extent that the clauses refer to “information processing systems”, “computer systems” or “IT systems” belonging not to the policyholder but rather to the “insured”. In such a case, the scope of coverage for home-office activities can be determined relatively easily based on the group of insured persons. This is because if and to the extent that the policyholder’s employees are part of the defined group of persons that constitute the “insured”, the same scope of insurance coverage usually exists for the “insured” as for the policyholder. Additional questions regarding interpretation also arise if the term “insured” only includes the policyholder itself and co-insured companies – as is sometimes common on the market – but not also co-insured persons, such as employees of the policyholder.
However, it should not be forgotten that even when employees work from home, a comparable level of IT security and data protection must be ensured. Therefore, companies should not be too quick to allow standards of handling IT security and data protection to be loosened in light of the current exceptional circumstances. The crisis caused by the novel coronavirus does not release policyholders from compliance with their contractual obligations. However, it must also be kept in mind that the company itself actually has only a limited ability to influence the IT security standards of its employees’ personal home networks.
To avoid jeopardising their own insurance coverage, companies are urgently advised to define clear and binding rules for working from home. Precisely in light of the currently heightened threat from the increase in phishing attacks via e-mail, appropriate training and informational measures to raise employees’ awareness of these risks should be receiving increased attention.
3. Policyholders’ notification obligations due to increased risks
During the risk assessment phase before an insurance policy is taken out, some insurers ask about the use of personal devices for company purposes or the number of employees who regularly work from home. When a policyholder states that these situations do not apply to it as of the date on which the insurance policy is taken out but later permits such work, this constitutes an increased risk, and the policyholder must notify the insurer of it pursuant to section 23(1) of the German Insurance Contract Act. This also applies if the number of employees working from home changes in comparison to the situation on the date on which the cyber insurance policy was taken out and the insurer asked about this.
There is no one answer to the question of whether a notification obligation exists regardless of whether the insurer asked about working from home before the policy was taken out. It would have to be examined in each individual case whether there is merely an increase in risk which is to be regarded as co-insured under section 27 of the German Insurance Contract Act. The best way to avoid disputes in an event of loss or damage is probably to take the precaution of notifying the insurer of increased numbers of employees working from home.
4. Recommended action
1. Cyber insurance policies often provide insurance coverage for the risks of working from home. However, the scope and limits of such insurance coverage can only be determined by interpreting the terms of the policy at issue. For this reason, companies should examine the terms of their policies in the greatest possible detail so that they do not discover gaps in their coverage only after an event of loss or damage has occurred.
2. It should also be noted that the obligations stipulated in the terms of an insurance policy continue to be applicable without modification despite the coronavirus crisis. For this reason, companies should define clear and binding rules for working from home.
3. If more employees are working from home, the corresponding obligation to notify insurers should be kept in mind.
Do you have any questions? Feel free to contact: Thomas Heitzer, Oliver Sieg, Dan Schilbach
Practice Groups: Litigation, Arbitration & ADR, Insurance & Reinsurance