The Pandemic Goes Virtual
It is undeniable that the COVID-19 pandemic has forced businesses large and small to adapt and rethink how they handle operations during this troubled time.
In the insurance industry, those pivoting to work from home have relied on the digital infrastructure that has emerged during the past few years. Lloyd’s of London syndicates, for example, have overwhelmingly adopted the market’s digital placement platform, Placing Platform Limited, with a record volume of risks placed by brokers on March 31, the final day of Q1. And in The Council’s Commercial Property/Casualty Market Index COVID-19 Supplement for Q1 2020, brokers reported that they had been making successful use of technological tools, such as virtual meeting software, to maintain good service for their clients. “Business as usual,” said one respondent.
However, this significant shift to digital comes with its own risks, ones unique to having so many employees working remotely. The evolving threat landscape and the new business practices adopted during the pandemic may give cybercriminals a way into networks and systems they previously could not reach.
Ransomware and Phishing on the Rise
According to a recently released report from insurer Beazley, the number of ransomware attacks on Beazley customers increased 25% between Q4 2019 and Q1 2020, with manufacturing experiencing the largest rise in number of attacks—a 156% quarter over quarter increase. Many of these attacks have been targeting vendors and managed service providers, and a successful attack on one of these third-party vendors can have significant downstream impacts. (See an article written for Leader’s Edge by Paladin Cyber for a deeper dive into managing third-party cyber risks.)
Cyber criminals have also increasingly turned to phishing scams (including smishing, text message phishing) in Q1 and Q2 2020, according to security awareness training experts KnowBe4. Social engineering, the main method of manipulation employed by attackers to get a victim to fall for one of these scams, works best when attackers can exploit situations like the pandemic. In these uncertain and dangerous times, people are ever more desperate for information and guidance, so if, for example, an attacker sends an email with a link that supposedly goes to a website with COVID-19 information, a victim is that much more likely to click on it.
The pivot to working from home also opens employees up to other forms of attack. Home networks usually lack the robust protections a company network might have, which widens the attack surface. Employees at home may also use personal computers, tablets and cell phones that are not patched as regularly as company-managed devices. Additionally, conversations involving sensitive personal information held over the phone or in a virtual meeting at home carry the risk of being overheard by others, especially given that the popular virtual meeting application Zoom has itself had security weaknesses exploited in the past.
Emerging Risk Landscape
A recently released survey by ESI ThoughtLab, a research and analysis firm, provides another bird’s-eye view of the emerging cyber risk landscape from the point of view of executives at 1,009 companies across 13 industries and 19 countries. Much like the Beazley report, respondents agreed that malware (including ransomware) and phishing/social engineering are the main threats facing businesses today: 66% and 60% of respondents said malware and phishing/social engineering, respectively, were causing the largest losses today, while 64% and 50% said businesses would face increased risk from malware and phishing/social engineering over the next two years.
Additionally, the vulnerabilities of home networks and personal computers are not the sole risks added by employees working from home (though 41% of respondents say IoT and connected devices will pose the biggest risk in two years). Telework may also create room for careless and untrained employees to make more cyber-related mistakes, and in conjunction with the rise in cybercriminals impersonating reputable organizations, this may lead to increased losses going forward.
In turn, as the ongoing crisis pushes companies to accelerate their digital transformation, they open themselves up to more risks beyond ransomware and phishing. According to results from the ESI ThoughtLab survey, a third of executives expect a rise in attacks through denial of service and web applications, while even more (38%) expect the risk posed by AI-enabled attacks to increase dramatically in the next two years. “As attackers learn how to deploy machine learning and AI, the speed of attacks will increase immensely. These programs will enable malicious actors to automate emails that look incredibly realistic—no longer just those from a Nigerian prince filled with misspellings,” said Ron Mehring, vice president of Technology & Security, Texas Health Resources.
Apart from cyber criminals and hackers, the ESI ThoughtLab survey report also mentions that insider attacks may rise in the coming quarters. With the US unemployment rate at 13.3% (up from around 4% before the crisis began), and all the layoffs that number implies, it becomes more likely that an employee, disgruntled and feeling left high and dry by their business during a pandemic, would act as a malicious insider. As these kinds of attacks cause some of the biggest losses, according to the report, it will be important for employers to keep this in mind.
Lastly, as the pandemic has spread worldwide, more companies have found themselves in the crosshairs of nation-states as rival nations seek to sabotage one another. The US Department of Health and Human Services was hit by a denial of service attack, and in May, the FBI warned businesses that Chinese hackers may be trying to steal data on coronavirus vaccines. And in the Middle East, Israel claimed that Iran had attempted to cripple its water supply during the pandemic through cyberattacks.
Clear Coverage Is Best Protection
From a risk management perspective, understanding your coverage, doubling down on compliance, and taking advantage of training and education opportunities seem to be the best approach.
Nick Sullivan, director of risk management at insurance agency Morris & Garritano, says cyber insurance coverage is essential in covering the losses that may arise from a cyberattack, but cautions that brokers and their clients should ensure they understand what exactly is covered by their policies.
He cites a recent claim in which a client was lured into wiring $235,000 to an unknown party through phishing. The client ended up without cyber coverage for the incident because it was they who initiated the transfer rather than the criminal. “What we’re seeing is that with a lot of these ‘throw-in’ [cyber] coverages from carriers, which they may include as part of their property policy or standard crime policy, unless it’s endorsed properly, you’re not going to get those social engineering or phishing losses covered,” Sullivan said. “That’s what we’re trying to educate our clients on. You may think you have a crime policy, you may think you have data breach and cyber coverage, but these cyber criminals are utilizing deception to get you, as the insured, to initiate these payments, which aren’t typically covered under standard crime or cyber policies.
“We recommend a standalone cyber policy for all our clients,” Sullivan says. “They offer more robust coverage and more robust consulting services, rather than trying to piece coverage together through your package or liability policies.”
Sullivan also emphasizes that dual-factor authentication is key. “Make sure you have this in place not just for your computer systems but for requests you get, too,” he says. “Don’t just take one email from a vendor at face value—reach out to them via phone or some other form of communication to confirm that they sent it. If policies, mainly crime, have endorsements for social engineering coverage, they will typically have some warranty that says coverage will only apply if you reach out and confirm the request by phone or a second form of communication.”
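The out-of-band confirmation Sullivan describes is easy to state and easy to get wrong in practice: the confirmation must go over a different channel than the request, and it must go to contact details already on file, not to a phone number quoted in the suspicious email itself. The following is an added illustration of that control as a payment-release gate; it is example code written for this page, not Morris & Garritano’s process or any carrier’s warranty wording, and the data model, function names and sample vendor records are assumptions made for the example.

```python
"""Out-of-band confirmation gate for vendor payment / bank-change requests.

Added example, not code from the original article or from any insurer or
agency it quotes. The VendorRecord directory, the request/confirmation
records and the sample values below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class VendorRecord:
    """Contact and bank details that were verified earlier and kept on file."""
    vendor_id: str
    phone_on_file: str
    iban_on_file: str


@dataclass(frozen=True)
class PaymentRequest:
    """A payment or bank-detail-change request as it arrived (e.g. by email)."""
    vendor_id: str
    amount: float
    iban: str
    channel: str                       # channel the request came in on, e.g. "email"
    callback_phone: Optional[str] = None   # number quoted *in the request*; untrusted


@dataclass(frozen=True)
class Confirmation:
    """Record of the second-channel check an employee performed before paying."""
    vendor_id: str
    channel: str          # channel used to confirm, e.g. "phone"
    contact_used: str     # number/address the employee actually reached out to
    confirmed_amount: float
    confirmed_iban: str


def release_decision(req: PaymentRequest,
                     conf: Optional[Confirmation],
                     directory: Dict[str, VendorRecord]) -> Tuple[bool, str]:
    """Return (release?, reason). Funds are released only when the request was
    confirmed over a different channel, using the contact on file, and the
    confirmed amount and destination account match the request exactly."""
    vendor = directory.get(req.vendor_id)
    if vendor is None:
        return False, "unknown vendor: no verified record on file"
    if conf is None:
        return False, "no out-of-band confirmation recorded"
    if conf.vendor_id != req.vendor_id:
        return False, "confirmation is for a different vendor"
    if conf.channel == req.channel:
        # Replying to the same email thread is not a second factor: the
        # attacker who sent the request controls that channel.
        return False, "confirmation used the same channel as the request"
    if conf.contact_used != vendor.phone_on_file:
        # This also rejects calling the callback number quoted in the email,
        # which is the classic trap in these social-engineering claims.
        return False, "confirmation did not use the contact on file"
    if conf.confirmed_amount != req.amount or conf.confirmed_iban != req.iban:
        return False, "confirmed amount/account do not match the request"
    return True, "ok: confirmed out of band with contact on file"


# Constructed sample directory and a request whose bank details differ
# from the ones on file (the typical "we changed banks" lure).
DIRECTORY = {
    "acme": VendorRecord("acme", phone_on_file="+1-555-0100", iban_on_file="GB00EXAMPLE0001"),
}
CHANGE_REQUEST = PaymentRequest("acme", 235000.0, "GB99EXAMPLE9999",
                                channel="email", callback_phone="+1-555-0199")


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run the gate against several confirmation scenarios for the sample request."""
    return {
        "no_confirmation": release_decision(CHANGE_REQUEST, None, DIRECTORY),
        "replied_by_email": release_decision(
            CHANGE_REQUEST,
            Confirmation("acme", "email", "ap@acme.example", 235000.0, "GB99EXAMPLE9999"),
            DIRECTORY),
        "called_number_in_email": release_decision(
            CHANGE_REQUEST,
            Confirmation("acme", "phone", "+1-555-0199", 235000.0, "GB99EXAMPLE9999"),
            DIRECTORY),
        "called_number_on_file": release_decision(
            CHANGE_REQUEST,
            Confirmation("acme", "phone", "+1-555-0100", 235000.0, "GB99EXAMPLE9999"),
            DIRECTORY),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:24s} release={ok}  ({why})")
```

Only the last scenario releases funds: the employee called the number already on file and the vendor confirmed the new account. Calling the number printed in the email, or replying to the email, fails the gate, which is exactly the distinction a social-engineering endorsement’s callback warranty turns on.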
Another important way to manage cyber risk is to take advantage of the services carriers provide. “Pretty much all carriers nowadays are offering some sort of cyber consulting, either pre-breach or post-breach, and some even go as far as offering training services such as phishing tests,” Sullivan says.
Brokers can also help their clients manage their risk by focusing on education, according to Sullivan, and by taking “more of an active role as an advisor.” Ironically, though the pandemic has opened up a new front of attack for cyber criminals, it has also provided an opportunity for brokers to help their clients understand just how serious cyber risk is, and to understand which steps they can take to guard against it. The cybercrime statistics mentioned above, and the examples of COVID-19 related phishing attempts will all serve as particularly illustrative examples for clients still unsure about purchasing cyber insurance.
Though Sullivan says he is still seeing a relatively low take-up rate for small business cyber policies, he hopes that number will increase. “It’s still very affordable, and carriers still seem to have the capacity for it,” he said. “It’s not just insurance; you get a whole suite of value-added services”—all of which clients may need as this pandemic pushes almost every industry that much further into the digital future.