Risks and challenges may emerge with the adoption of social distancing and stay-at-home protocols to reduce COVID-19’s adverse effects. With employees, students, patients, and others asked to function remotely under stressful circumstances, and infrastructure pushed to handle more activity, organizations must consider how their cyber risk profiles may be affected.
The biggest challenge is migrating from a physical presence to a virtual one. Once organizations acknowledge this challenge, they must take appropriate action to mitigate potential risks — for example, by reinforcing employee and other users’ awareness of cyber threats, boosting and supporting technology systems, and reviewing insurance coverages with an eye toward potential losses under cyber, media, and technology errors and omissions (E&O) policies.
Awareness and Vigilance
Increased remote working is presenting more opportunities for cyber-attackers, and organizations just starting to use remote desktop protocols for work may be more susceptible to a cyber-attack. For instance, individuals may log in remotely from home networks that use less secure hardware.
Cyber actors have already taken advantage of people seeking information on the pandemic. COVID-19 is increasing the occurrence of phishing and “social engineering” events, with information about the virus used as the hook.
Remote working also increases the risk of relaxed privacy policies and procedures. To facilitate working from home, employees may remove printed files from the workplace, or transfer personally identifiable information to unsecured or unencrypted storage or personal devices — potentially exposing the information to a breach by unauthorized users or improper use and disposal.
Organizations should proactively remind employees that good digital hygiene is even more critical when connecting to networks remotely. The burden may fall on employees at home to conduct activities such as patching and updating systems, logging out when not working or using networks, physically securing computers, following proper procedures about handling private data, and using robust passwords for devices and home Wi-Fi.
Cyber Coverage
Most cyber insurance policies include a broad array of coverages relevant to the current environment. These include network security liability, privacy liability, security response and forensic costs, data recovery and restoration, ransom event costs, reputational harm, network business interruption and associated expense, system failure, contingent business interruption, and privacy regulatory defense.
In some situations, however, coverage may not apply. Cyber insurance policies typically include:
- Infrastructure exclusions. Policies typically exclude coverage for failure of power, utility, mechanical or telecommunications (including internet) infrastructure or services not under the insured’s direct operational control.
- Voluntary shutdown coverage limitations. Coverage may only apply to voluntary shutdowns to prevent the spread of malware or limit damage — and not to shutdowns intended to improve network access or functionality.
- Limitations in system failure definitions. Some policies may require a human or programming “error,” proof of testing or patches, or proof of system use prior to failure in order to trigger coverage.
Need for Policy Coverage Reviews
As the pandemic continues, risk professionals should work with their insurance advisors to carefully review policy language to refresh their awareness of what is and is not covered, and act as necessary to ensure that coverage will be triggered in the event of a loss.