Work from Home May Be Here to Stay
The coronavirus shutdowns made all companies realize how dependent they are upon the internet and information technology systems.
For many, technology saved them, enabling them to operate during stay-at-home mandates across the country. As companies begin to reopen and ramp back up, however, they are going to realize that fewer workers are going to be willing to make urban commutes into offices.
Employees are going to try to hang on to the work/life balance that they were able to establish while working from home, and their superiors are going to realize that productivity didn’t suffer; in fact, in many cases it increased. This will cause many companies to question whether they need all of the office square footage they have been paying for. The new normal for business operations is going to involve a lot more work from home and remote working sites that reduce urban commutes.
Companies are also going to realize that allowing workers to use their home computers and personal devices during the shutdown enabled operations to continue and that the company may not need to lease or buy workstations or laptops for employees, maintain them, cleanse them, and replace them. Businesses may not fully realize, however, that these operational shifts are having huge impacts on cyber security programs and will result in a new normal that catapults cyber security into a more prominent role.
Cyber Security Finally Gets the Attention It Deserves
If companies do not have a strong cyber-security program, they risk not being in business at all. As a general fact, most companies do not want to spend money on cyber-security programs. That strategy works…until they suddenly need strong cyber-security controls. That happened the first day employees were told to work from home. With coronavirus, the gaps and deficiencies in cyber-security programs quickly became vulnerabilities for companies as cyber criminals and nation-states immediately exploited every possible aspect of the coronavirus.
During COVID-19, the FBI, Secret Service, the DHS Cybersecurity and Infrastructure Security Agency (CISA), Europol, and Interpol each put out releases warning of cyber scams and exploits by cyber criminals who were taking every advantage possible of the coronavirus. The cyber criminals realized that computer rooms were unmanned, cyber-security personnel were not able to monitor the system as effectively, patches were not being applied as consistently, and people were working from devices that didn’t have an up-to-date operating system or current antivirus software. They also preyed on people’s desire for information on the virus, the need to buy face masks and personal supplies, and the desperate need felt by so many for financial assistance. And the cyber criminals have no shame: some of the hardest-hit organizations were hospitals and medical centers—the very entities that were on the front lines trying to respond to the virus.
Cyber crime has run rampant during the coronavirus pandemic. Companies now need to give their cyber-security programs a higher priority and ensure that they have the funding and resources necessary to close gaps and deficiencies and put in place controls necessary to support business operations in the new normal, which will likely include at least another wave of the virus. This means that, at a minimum, companies need to immediately review critical activities in their cyber-security programs.
Ignore Cyber Security at Your Peril
Companies that do not ensure their cyber-security programs keep pace with the operational changes necessary to counter the virus in this heightened state of alert will pay a high price. The loss of intellectual property and confidential and proprietary data will not be kept quiet. Criminals who demand ransom or extortion payments and are snubbed are likely to expose clients who refuse to pay or to post their data on the internet.
Federal, state and European regulators have issued warnings that companies need to maintain compliance during operational changes required by the coronavirus. Enforcement actions are a reality. In addition, the plaintiffs’ bar—including those representing investors of public companies—is completely up to speed on what companies should be doing to have effective cyber-security and is filing lawsuits against directors and officers after most major incidents.
The California Consumer Protection Act (CCPA), which became effective Jan. 1, 2020, includes a private right of action with statutory penalties for privacy violations. At least five CCPA class action lawsuits have already been filed against companies such as Salesforce, Ring doorbells, and Zoom. As Elizabeth Hampton, a partner at Fox Rothschild, notes, these cases “also underline the importance of privacy audits and implementation of data privacy and cybersecurity best practices.”
The 2019 Travelers Risk Index placed cyber risks as the top business risk. The new normal for cyber security means that it must be given the attention it deserves by executives and boards and that cyber-security programs must be adapted to new working arrangements. Quite simply, policies, procedures, and incident response and backup/recovery plans that are not in sync with current operations—no matter how temporary they may be—will be used as leading evidence by prosecutors, regulators and plaintiffs’ attorneys.
Agents and brokers can help their clients navigate the path forward by reviewing their cyber coverage under all existing policies (cyber, D&O, P&C, and CGL) and examining whether they have appropriate coverage for their operations.