The COVID-19 global pandemic has impacted all areas of personal and business life and the call for remote working, in particular, has underlined the need for, and reliance on, technology – and the danger of cyberattacks and blunders. This, in turn, has greatly accelerated changing perceptions about the need for cyber cover for all sizes of business and like many other aspects of the pandemic, those changed perceptions will become part of “the new normal”.
From a society perspective, the COVID-19 pandemic has had a number of universal impacts including wholesale working from home, a surge in home entertainment use, the mass take-up of platforms such as Zoom, Teams and WhatsApp for virtual conferences and social interaction, and an increased use of digital wallets. And there is one common theme running across all of these changes which is, of course, they rely on digital technology and digital infrastructures.
For business and government this acceleration in the move to conducting business online is unprecedented and has been accompanied by an ever-increasing use of artificial intelligence (AI) for processing information and applications, and a growing reliance on internet and telephone banking.
The legal profession has also – along with the insurance market - been dragged into the 21st Century with lawyers and their clients regularly holding virtual mediations and court hearings and finding that, in many cases, they are just as effective as, and far cheaper than, physical meetings.
Whilst there will be a return to some of the old ways, once the pandemic has been tamed if not beaten, many of these changes will become permanent. In fact, many were already taking place and have just been rapidly accelerated due to pure necessity, in the process overcoming cultural resistance and driving forward acceptance. Online interactions and digital infrastructures will become an integral part of the new normal for reasons of practicality and economy, and because they create new opportunities.
Exponential growth in risk
The corollary of all these changes has been an exponential growth in cybercrime, the development of new cybercrime “variants” and proliferation in human error when using the internet. As a law firm, we are already seeing these risks turn into claims, and our experience is mirrored by our partner law firms in the international network, Global Insurance Law Connect (GILC).
Overall, and globally, GILC members have witnessed the impact of the pandemic on insurers and policyholders in the context of both standalone cyber policies and those policies where some cyber cover is included alongside public liability or professional indemnity insurance.
Size is not an issue
In the UK there has been a spike in activity from hackers, particularly in relation to an increasing number of ransomware attacks on businesses and organisations of all types and sizes. Latterly these attacks have often combined freezing the victim’s computer network with the theft of sensitive personal and commercial data which the hackers have threatened to auction on the dark web if their demands are not met.
The hackers appear in many cases to be well organised and professional in their approach and conscious that if they do not uphold agreements, they will be less likely to get paid by their next victim.
We are also finding that notwithstanding the publicity given to GDPR and the need for effective computer security many organisations are still running redundant servers and operating systems and/or obviously ineffective defences and have still not effectively trained staff.
The increase in cyber incidents has also stress-tested regulation, commercial and domestic contracts, and insurance policies. This increase in risk has also been accompanied by a greater awareness by potential victims, both corporate and personal, of the dangers posed by cyber incidents and their rights. As Sandra Lodewijckx of Belgium-based GILC member, Lydian explains: “As a result of the pandemic, consciousness of GDPR and contractual obligations in respect of personal and commercial data has certainly grown and the days when data protection and privacy were seen as somehow esoteric to everyday working practices now seem part of a distant era.”
Prior to the pandemic, insurers, prompted by the Lloyd’s Market Association (LMA) were already reviewing their policies in efforts to clarify the extent to which cyber cover was or was not provided. In fact, the LMA stipulated that: “All Lloyd’s policies need to provide clarity regarding cyber coverage by either excluding or providing affirmative coverage. It is common for excess layer, facultative reinsurance, and deductible buy-back policies to be written on a follow-form basis (either of the primary policy or the underlying insurance contract). In many cases the primary/underlying policy includes language addressing cyber exposures.”
Fears of over exposure
This review process, along with everything internet-related, has been accelerated as a result of the pandemic as many policyholders without standalone cyber cover have been making insurance claims based on their PI and Public Liability policies. As a result, insurers have become increasingly concerned about the extent to which they are exposed to “the new normal” by policy wordings frequently drafted decades ago which were subsequently extended to address cyber liability at a time when cybercrime was relatively rare.
The concerns over exposure are by no means limited to the UK. Giorgio Grasso of Italian GILC member BTG comments that it has also seen a rush to revision and review. “In recent years we have been working closely with insurers in Italy and the UK, assisting them to review and perfect their stand-alone cyber and PI and PL wordings. As a result of the pandemic and the proliferation of cybercrime the process of creating more certainty and clarity has become more urgent for both insurers and their policyholders.” In particular, Giorgio confirmed that carriers have requested to adapt policy wordings and proposal forms in light of the developed market “for example, by inserting a bring your own device coverage in the text or by adding specific queries on VPN connections or remote working in the proposal forms”.
An Indian variant
India, presently in the eye of a pandemic storm, has seen internet usage become more widespread with schools and colleges conducting classes online and most businesses allowing for work from home or hybrid models. From an insurance perspective, those individuals and businesses that do use the internet are more often than not in the high value/high net worth bracket. And, for Indians, cybercrime is not just an urban issue, with the risk in rural areas heightened by poor awareness. As Sakate Khaitan, of Indian GILC member Khaitan Legal Associates, comments: “Although internet banking use, use of social media and reliance on the internet for daily activities have increased, awareness about cybercrimes has not kept pace in rural or urban areas. Hackers have many easy targets and inadequate cybersecurity is leading to immense data leakages in large corporates in India. There is a huge protection gap and cybersecurity is necessary for both corporates and individuals.”
In the final analysis, it is clear that cyber risk has come into its own as an everyday threat and that change is something that insurers and policyholders are analysing and addressing. The pandemic may eventually pass, and the demand for social distancing and restrictions on travel fade into the past, but the changes it has wrought on society, in the form of the new normal will remain. As Colin Pausey of Australian GILC Member firm Sparke Helmore puts it: “There has been a real focus in Australia on how life has changed due to Australia’s border closures and other pandemic-response policies. The fact that our borders have been closed for so long is both a manifestation of the seriousness with which we, as a country, have responded to the pandemic, and a driver of future business practices and social behaviour. The tools Australians have used during this time are unlikely to be forgotten or abandoned and, in many cases, will remain the new normal.”
Content from this article was published in Insurance Day and can be accessed here.