We are committed to the health, security, and resilience of our families, clients, and colleagues as together we face down the COVID-19 coronavirus outbreak. As ever, our work from home services are available 24/7 to help you assess, respond to, and recover from ransomware events. We are steadfast in support of our clients should they have cyber insurance claims during this challenging time, and offer caution on these likely scenarios.
Our security experts and threat researchers have already seen an increase in corona-themed phishing scams. Cyber criminals are impersonating public health officials, medical experts, and senior executives to deceive users into clicking malicious links or attachments purporting to provide information on appropriate coronavirus response. Unsuspecting users who click on the links or access the attachments expose their computer systems to the bad guys, which may result in further attacks on the company’s network, theft of personal information or trade secrets, misdirection of funds, or company systems being rendered inoperative by ransomware.
We expect there to be significant delay between many COVID-19-inspired hacks and their discovery by victims and the broader cyber insurance market. Once cyber criminals access their victims’ computer systems, they may lie in wait for sensitive information to be exchanged or valuable transfers of funds to occur so that they can misdirect them. Businesses that suspect a breach of their cybersecurity may have to make tough choices about how to prioritize an investigation or devote their resources in the face of the public health crisis and economic strain. Cash-strapped businesses - even those with cyber insurance and certain that they were hacked - may find it difficult to decide when or whether they are able to pay out any applicable deductible or retention.
As enterprises rely increasingly on telework (many for the first time), we anticipate an increase in claims caused by cyber criminals and exacerbated by human error, misconfigurations, and employee devices as people adjust to the new normal. Misconfigurations during a speedy deployment and a lack of employee training on new systems create potential openings and opportunities for the bad guys. In addition, employees’ increased use of personal devices poses its own set of risks. CISOs may have reduced ability to secure those devices and reduced visibility into how employees use devices (both personal and professional) at home. Risks also grow as business-critical systems are increasingly accessed from outside the company’s local network.
Confronting these risks requires close collaboration between an enterprise’s legal and security functions to establish and maintain reasonable remote-work security practices focused on people, process, and technology. Tech like encryption, endpoint monitoring, virtual private network connections, multi-factor authentication, and data loss protection tools can help reduce the risk, but deploying them should be prioritized in light of a company’s particular risk profile. For example, this may include focusing on the encryption of private health data or deploying upgraded security tools to teams that handle trade secret information. Our CISO network is available to consult.
Of course, the coronavirus itself does not impact computer systems, but COVID-19’s severe macro- and micro-economic impacts may inform the context of cyber business interruption claims for the foreseeable future. As firms shut down to address the public health concern and supply chains and travel suffer significant disruption, business interruption events become more complex, more sensitive, and harder to measure.
The pandemic is an opportunity to refresh your organization’s business continuity and disaster recovery plans (both cyber and otherwise) to ensure that you are as resilient as possible in the face of unforeseen interruptions - and we are here to help.
A consequence of data collection around coronavirus and the public health emergency is likely to be an increase in health privacy litigation and regulatory investigations. Health care facilities will be under strain and may make privacy-related errors. Folks who suffer adverse employment or business consequences because of their coronavirus diagnosis may file lawsuits. While regulators have signaled sensitivity to the pressure businesses are under because of the outbreak, they also remain vigilant against firms hoping to hoover up health data indiscriminately and monetize it. Thus we see both the Dep’t of Health and Human Services Office of Civil Rights waiving its potential HIPAA penalties for ‘good faith use’ of telehealth technologies during the COVID-19 crisis, and EU authorities cautioning that the disease is no excuse for ignoring core data protection principles. As firms execute their contingency plans, they should keep these potential disputes in mind - and our network of legal experts is available to help.
While the true extent of this global crisis is yet to be seen, Resilience is committed to helping the insurance industry understand the depth of the impact to their programs and sharing information on best practices to protect their clients and their own systems. Please feel free to reach out at any time for assistance or support.