Work is always changing, but the last two years have seen rapid and thoroughgoing change, the full impact of which has not yet been felt. Just where, for example, is the workplace today?
Important questions need to be asked, given that the pandemic saw a transition from the traditional office to remote working. This raises the spectre of exposure not only to cyber risk, but also to claims against employers. After all, at the outset of the pandemic, many households were not equipped for the change in working practices and employers were left scrambling in the face of legal obligations.
“The health and safety of employees is of paramount importance irrespective of where they are working from, and among the legal duties on an employer are providing safe work, assessing risks and implementing appropriate control measures, providing safe equipment including personal protective equipment, where necessary, and having plans in place for emergencies,” Damian Smith, regional manager at Campion Insurance, said.
While this is still evolving, businesses should ensure that their employers’ liability policy provides cover for remote working, in order to mitigate the exposures to the company.
Other questions need to be asked, too, such as those around territorial risk.
All insurance policies will specify the policy territorial and jurisdiction limits, Smith said.
“These important clauses work together to specify where in the world the policy is providing cover and where it isn't.
“The 'territorial limits' are the countries and territories where the policy will provide cover to the policyholder,” he said.
Smith gave the example that oftentimes insurance policies will exclude work undertaken in the USA or Canada, because claims there can be significantly larger than elsewhere – and more costly to defend.
Similarly, “jurisdiction limits” are the countries and territories where a policy will accept the serving of formal legal action against the policyholder. For example, if a German client claims through the German legal system, 'worldwide' jurisdiction means that the policy will provide cover in the German courts.
“Jurisdiction limits are usually the same as territorial limits but not always, and as with territorial limits, they normally exclude the USA and Canada,” Smith said.
Given the massive increase in cyber-crime – 2020 saw a 72 per cent increase in attacks compared to 2019 in the EU alone – businesses are increasingly turning to insurance to offer protection. Indeed, given the rate at which business operations have been digitised, a trend that remote work has only accelerated, cyber insurance is now arguably a necessity.
“The recent Hiscox Cyber Readiness Report 2021 demonstrated how the cyber-security landscape has changed in Ireland and how organisations have fared through the Covid-19 pandemic. According to the Report, 39 per cent of Irish companies suffered a cyber-attack in the past 12 months, with 70 per cent of those companies targeted more than once. The report also found that 57 per cent of Irish businesses reported not having any cyber coverage as part of their risk management,” Smith said.
The level of cover afforded under a cyber insurance policy can vary greatly between insurers, but a robust policy will provide cover for incident response, privacy liability and business interruption.
However, insurers need to know their clients take threats seriously.
“These controls are essential in order to protect assets, customers, client details and confidential information – they are also indicative of a business’s desire to demonstrate safe and efficient behaviour,” Smith said.
At a minimum, insurers want to see regular backups of critical data and systems, operating systems that are supported by the manufacturer, updated and patched software including antivirus and firewalls, two-factor authentication on all remote access and revocation of access to systems when an employee leaves.
Straight to the top
Typically, boards are not involved in day-to-day risk management but, nonetheless, the C-suite should understand the business’s risk appetite. After all, risk can never be fully eliminated.
Smith said they should be aware of the kind of risks out there and integrate this into their strategic planning and operations, while ensuring it is the bedrock of company culture.
“Continuously auditing the company’s risks is crucial as these can change from time to time depending on a range of internal and external factors,” he said.
Nor can risk management be viewed solely as a compliance issue that can be solved by implementing rules and regulations. Procedures are important, but so is culture, and having the financial tools to protect against losses.
“This is why having the appropriate insurance is vital. With the right policy in place, businesses can showcase their commitment to protecting their customers, employees and themselves from potential harm; and demonstrate effective risk management,” Smith said.