InfoSecurity Professional INSIGHTS
InfoSecurity Professional INSIGHTS is (ISC)²'s bi-monthly e-newsletter, associated with our members-only digital publication, InfoSecurity Professional. Similar to the magazine, it will deliver timely, compelling content written with the professional development of infosecurity practitioners in mind.
Panacea or Placebo? Business Interruption Insurance (and Vulnerable VPNs) in the Wake of COVID-19
BY SHAWNA McALEARNEY
Disaster recovery and business continuity spending rarely is an easy sell to a C-suite always seeking quick quantification of ROI. It tends to be one of the less glamorous expenses of a risk management plan that you hope you will never use. After all, who wants to go through a major fire or flood? And what about a pandemic? If you carry business insurance, will it be the magic pill for COVID-19 business losses?
In theory, it seems quite simple: You carry business interruption insurance, your business suffers significant losses that you can document, and your coverage does not exclude viruses. Still, legal experts say fulfilling such claims may be an uphill battle.
“Insurers are denying the vast majority of claims, and many policyholders have already filed lawsuits seeking court rulings that their COVID-19-related losses are covered,” said Tamara Bruno, a partner at the global law firm Pillsbury Winthrop Shaw Pittman.
Business interruption insurance is designed to help compensate for income lost when a disaster, usually physical, befalls a company and causes it to incur expenses and lose money by being unable to serve its customers. Potential COVID-19 losses might include event cancellations, temporary relocation costs, disruptions in the supply chain, clean-up costs and so much more. Some organizations may even have coverage under the Civil Authority clause within a business income or business owner policy, as they often cover unforeseeable losses when civil authorities force businesses to close. It pays to thoroughly check your policies—they vary, and exclusions are commonplace.
Law firms across the United States say many insurers believe that claims related to COVID-19 are not covered, either because of a lack of physical damage to property or because policy provisions exclude virus coverage.
For example, on June 9, Pillsbury Winthrop Shaw Pittman filed a lawsuit on behalf of In-N-Out Burger against Zurich American Insurance Company for breach of contract for disputing its COVID-19 claim.
In-N-Out holds The Zurich Edge “All Risk” Commercial Property Policy, effective from June 1, 2019 to June 1, 2020, for business interruption losses that “expressly includes coverage for many types of contamination, including radiation, ammonia, virus, pathogen or pathogenic organism, and disease-causing illness or agent.” However, its claim for damages caused by COVID-19 was denied without further investigation, asserts the lawsuit.
Pillsbury’s lawsuit said that even prior to claims being filed for damages caused by COVID-19, Zurich attempted to modify its existing policy language to exclude the virus. “In December of 2019, just before the novel coronavirus was discovered, Zurich filed a regulatory request to modify its policy language,” according to the lawsuit. “Buried in the edits, and without reference to the significance of the change, Zurich’s filing sought to add back an exclusion for viruses.”
In mid-May, “Zurich’s CFO George Quinn announced Zurich’s position that virtually all (more than 99%) of its policies in the United States exclude losses for virus (even though its broadly marketed Edge form does not exclude virus losses),” the lawsuit stated.
And Zurich isn’t the only insurance company trying to get ahead of pandemic claims.
“Insurers rushed to declare a lack of coverage even before they saw the first claim,” according to a Pillsbury client advisory. “Such urgent, premature protests should be viewed with great skepticism. Too much is at stake. Policyholders should examine their policies carefully in light of their circumstances, and should insist on coverage where appropriate.”
Larger firms may be better prepared, but nationwide, small businesses are fighting to survive as they face an estimated combined loss of as much as $383 billion a month, according to the American Property Casualty Insurance Association. The insurance industry is asserting that paying claims for such substantial losses will damage it to the point of collapse.
“We don’t expect to see insurers pay disputed claims until after such decisions and likely appeals as well—the timing of which differs by court system and by case—but it will likely be a couple of years,” said Bruno.
A lack of liquid capital isn’t the only significant issue businesses are facing.
“We are working with several nationally recognized information security auditors and all are seeing a substantial uptick in malicious activity,” said Michael Overly, a CISSP and an attorney at the international law firm Foley & Lardner. “In particular, phishing is exploding. What is interesting is that in tests, employee populations that had previously done quite well in identifying phishing messages were found to be far more vulnerable while working remotely.”
With many organizations still closed and the majority of employees working from home wherever possible, a new and powerful attack vector has opened—millions of less-wary remote workers.
“The increase in remote working in response to COVID-19 has come with a corresponding increase in cyberattacks,” according to a Pillsbury client advisory. “The sudden switch to a remote work environment also means that sensitive data is being sent across companies’ networks in ways it ordinarily would not, thereby increasing the risk of breach.”
Government agencies have warned that with so many people accessing networks via remote connections, hackers are seeking out any flaws in network security and targeting vulnerabilities in VPNs and other remote work tools and software, the advisory continued. This includes communication platforms like Zoom and Microsoft Teams, increased phishing attacks and COVID-19-themed attacks that download malicious code.
When looking to better protect your organization, Overly and Bruno suggest companies:
- Make sure a policy is updated and remains aligned with a company’s operations
- Shift risk onto suppliers or other contract partners under the terms of your agreements
- Provide better training for remote workers, particularly with regard to malicious attacks
- Obtain more complete insurance coverage, including pandemic coverage
- Ensure that commercial property policies are reviewed by an expert for potential coverage gaps and terms that could be improved
“COVID-19 is the seventh pandemic or epidemic of the 21st century—it was not an unforeseeable event,” Bruno said. “But now insurers are arguing that general language in policies that do not have virus or pandemic exclusions—which they could have added to their policies—should be interpreted not to cover business income losses from this pandemic, in an attempt to protect themselves from large-scale liability exposure at the expense of their policyholders.”
SHAWNA McALEARNEY is a freelance writer and frequent contributor based in Las Vegas.