A distributed workforce, while trendy, was not the norm pre-2020. The COVID-19 pandemic forced an inconceivable number of businesses to choose between the adoption of a remote workforce or the interruption of their operations. Understandably, the majority of these organizations chose the former, loosening their grip over the computer hardware that employees were permitted to use while working from home. Naturally, these organizations had (and continue to have) questions with respect to the effect that a newly adopted remote workforce has on their cyber insurance coverage.
Well, we’re here to help. Let’s walk through it together.
The insured “Computer System”, and why it matters
Most cyber insurance coverages available in the market today are triggered by a similar, yet differently defined, series of incidents. At the core of these incidents sits the insured’s “Computer System”. For example, the Resilience cyber policy may include coverage for “Insured Interruption”, meaning coverage for income loss and extra expense resulting from a “Security Failure” or “System Failure” incident impacting the insured’s “Computer System” (these are examples of triggers).
With a “Security Failure” incident being the unauthorized access or use of an insured’s “Computer System”, and a “System Failure” incident being the unintentional and unplanned interruption of an insured’s “Computer System”, the importance of what actually constitutes the insured’s “Computer System” begins to surface.
Many cyber insurance policies limit what constitutes an insured’s “Computer System” to hardware operated by and owned by/leased to the insured organization. Historically, this way of defining the insured’s “Computer System” wasn’t an issue. Many of the legacy cyber insurance products were initially driven by coverage for liability arising out of “Data Breach” incidents that had much less to do with what constituted an insured’s “Computer System” and much more to do with the types and amounts of data in the care, custody or control of an insured organization. It was the data, not the hardware, that mattered. As the cyber insurance landscape evolved, the spotlight shifted away from “insured liability” to illuminate “insured loss” as an equal or greater concern. As illustrated above, the “Security Failure” and “System Failure” incidents that trigger the majority of these “insured loss” coverages largely depend upon how broadly the insured’s “Computer System” is defined.
In a pre-pandemic world, where a remote workforce was the minority, an insured’s “Computer System” being limited to hardware operated by and owned by/leased to the insured organization aligned with the operations of the majority of organizations. Typically, employees needed to be present in an office, at a desk, using company-issued computer hardware to get their work done. Today, we no longer live in the pre-pandemic world and the minority has become the majority.
What constitutes an insured “Computer System” under the Resilience cyber policy?
Resilience is proud to have released an “Employee-Owned Hardware” endorsement that is available to all insureds, effectively broadening our definition of “Computer System” to include hardware operated by and owned by any past, present, or future employee (including part-time, temporary, leased or seasonal employees, interns, and independent contractors) of the insured organization utilizing such hardware in the performance of duties on behalf of the insured organization (and yes, this extension also applies to “Hardware Replacement” or “Bricking” coverage included in the Resilience cyber policy).
We at Resilience believe the hardware that employees are using should matter less than the fact that such hardware is being used to drive the continued success and viability of the organizations that purchase insurance through us. Times are tough, the quality of their coverage should be one less thing that Resilience insureds have to worry about.