The Impact of COVID-19 on Cyber Security Insurance

A remote workforce on COVID-19 lockdown has made many organizations more exposed to cyberattacks. Cyber security insurers have realized that the risk equation has changed dramatically for their customers, and they’re closely scrutinizing companies’ security arrangements and existing insurance policies.[1] As a result, some enterprise risk managers may soon find themselves paying noticeably more for cyber insurance protection—and turning to their CISOs to find out why.

Fertile Ground for Cyberattacks

The COVID-19 pandemic increased the potential for cyber threats. Phishing attacks have continued to rise as malicious actors use COVID-related lures to exploit users’ fears and desire for information about the pandemic. At the same time, a remote workforce using less-secure home networks and personal devices can increase the company’s attack surface. That increases the likelihood that cybercriminals will prey on employees working from home, using phishing emails to hack their credentials and cause other major disruption. Also, VPNs, once a lifesaver for remote workers who needed to connect to a company’s private network, have become something of a cautionary tale because some products have security holes that leave an organization vulnerable to hacking.[2]

According to one legal expert, some cyber security insurance policies draw a line between company-owned computers and personal devices, and may not cover hardware owned by employees—which means the company could be exposed in the event of a breach. Some insurers may also require companies to have a formal written policy for the use of personal devices.[3]

How are Cyber Liability Insurers Responding?

Cyber liability insurers are reacting to the changing risk equation created by the pandemic. According to the Wall Street Journal, insurers are asking to see policyholders’ business continuity plans, and determining whether they’ve been revised to include working-from-home scenarios.[4] Insurers are also escalating their scrutiny of policyholders’ other security practices. In some cases, that means obtaining proof that companies are practicing good digital hygiene, such as ensuring that remote access is secured correctly, that operating systems are kept current with security patches, and that email servers are configured to shield against possible phishing attacks. Overall, insurers are becoming more proactive, alerting policyholders to new exposures and vulnerabilities in their network that might trigger a breach—before a cyber threat wreaks havoc and causes major financial losses.

Cyber Insurance Costs Could Escalate

The greater risk caused by the COVID-19 public health crisis and home working could drive insurers to increase prices, according to the Journal. That’s partly because cyber security insurers are worried that home networks and personal equipment could introduce cyber risks that might not have been a concern when policies were drawn up. Insurers might even deny coverage if companies fail to provide evidence that they are implementing security best practices such as multi-factor authentication, according to the Journal.[5]

Increased recognition of the impact of cyber security events has been driving more businesses to buy cyber security insurance in recent years—and demand continues to rise, according to Fitch Ratings, an American credit rating agency. However, even before the COVID-19 pandemic, cyber security insurers were raising prices as losses increased due to ransomware attacks and other breaches. Fitch noted that the direct loss ratio (the percentage of premium income that insurers pay out in claims) rose from 34% in 2018 to 47% in 2019—and insurers responded by increasing premiums by 2.9% in the fourth quarter.[6]

Cyber security insurers are attempting to improve risk-modeling techniques and trying to enhance their understanding of fast-moving cyber risks. For example, companies face greater scrutiny from their insurers due to the potential impact of far-reaching security and privacy laws at state, federal and international levels. Those laws, such as GDPR and California’s new privacy regulations, impose bigger fines and penalties for cyber-related events.[7]

The Bottom Line

COVID-19 has dramatically changed the risk landscape and working practices—and is causing cyber security insurance providers to closely examine companies’ security arrangements and existing insurance policies. Insurers are scrutinizing companies’ security arrangements for employees working at home, and some are proactively alerting policyholders to new vulnerabilities in their network. For some companies, this scrutiny could mean higher cyber liability insurance rates or even denial of coverage.  

[1] “Cyber Insurers Get Tough on Risk Assessments Amid Coronavirus Pandemic,” Wall Street Journal

[2] “Cyber Insurance Tested by COVID-19,” Leader’s Edge

[3] “Will the Pandemic Complicate Cyber Insurance Claims?” Dark Reading

[4] “Cyber Insurers Get Tough on Risk Assessments Amid Coronavirus Pandemic,” Wall Street Journal

[5] “Cyber Insurers Get Tough on Risk Assessments Amid Coronavirus Pandemic,” Wall Street Journal

[6] US Cyber Insurance Market Will Be Tested by Coronavirus Fallout, Fitch Ratings

[7] “Cyber Insurers Get Tough on Risk Assessments Amid Coronavirus Pandemic,” Wall Street Journal