As despicable as it may sound, cybercriminals are capitalizing on the fear and anxiety caused by the coronavirus pandemic by deploying social engineering scams targeting employees who are working from home, many for the first time.
In some cases, hackers are sending phishing emails that appear to be coming from teleworking employees’ own companies requesting their log-in credentials to ensure they have IT system access. In other cases, the emails claim to come from the Centers for Disease Control or the World Health Organization soliciting donations to help pay for the development of a coronavirus vaccine. Employees must be vigilant and more cautious than ever when opening emails like these.
Protect Vulnerable IT Systems
To combat these attacks, agents should advise their clients who are asking people to work from home to take extra precautions to protect their companies’ IT systems and secure information. Tell employees who receive one of these suspicious emails to use an alternative means to verify that it is legitimate, such as calling the sender. But warn them against responding to the email, because it could download a virus onto their computers.
Companies also should anticipate that there will be a strain on their network resources as more employees access them remotely. But they shouldn’t give in to the temptation to remove some of their security patches and firewalls to speed up system access. That will only make them even more vulnerable to malicious hackers.
Since most employees working from home will be using the Internet to access their companies’ IT systems, they could be opening those systems to intruders. Workers have been connecting on unsecured airplane and hotel Wi-Fi networks for years, but now that so many smart devices are connected to the Internet of Things, there are even more possible entry points, and those devices don’t have the same security as company IT systems.
Follow Security Protocols
As employers deploy more IT hardware assets for home use, they need to follow strict security protocols:
- Make sure that these assets have the same built-in security standards as the equipment they use in-house.
- Make sure they have a secure means for deploying security updates remotely.
- Don’t deploy new IT assets with default factory settings (that’s always where the bad guys start), particularly if you’re drop-shipping laptops directly to employees’ homes. Make sure the employees receiving these devices work with IT security staff to set them up securely.
- If possible, use a VPN rather than connecting directly over the Internet to access company IT systems.
- Segment access rights on a need-to-know basis; don’t give administrator rights to everyone working from home.
Practical Tools to Help
We know your insureds are asking questions about the new risks they are facing with a dramatic increase in employees who are working from home, and we want to help you come through for your clients in response to these inquiries.
Our elite third-party cyber incident response team has put together guidance entitled “Security Considerations While Working Remotely” for you to download. The document is designed for you to share with your insureds, with editable fields, so they can customize it specifically to their business.
Business Income Coverage in Cyber Policies
Companies may be asking if they have business interruption coverage in their cyber policies to respond to network disruption or system failures occurring in connection with COVID-19. Look at their policies’ coverage trigger: If it’s tied to a security breach, coverage will be unlikely to respond, because there is no coverage for income losses stemming from IT system failures or shutdowns. And voluntary shutdowns are generally only covered if they are tied to the need to mitigate a loss because of a covered security breach. But there may be some contingent business interruption coverage if data being hosted by a third-party cloud provider isn’t accessible due to a security breach.
Unlike property policies that provide business income loss if government orders companies to shut their doors, cyber policies typically don’t respond if civil authority orders a shutdown of their IT systems. They also won’t pay if business is disrupted by slow Internet speeds. Infrastructure, unless under control of the insured, is almost always excluded from coverage. But there may indeed be coverage if malware enters the company’s IT systems via one of their employees’ less-secure at-home Internet connections.
Most cyber policies also have bodily injury exclusions. Cyber policies are not designed to provide business interruption coverage in connection with a pandemic.
Coronavirus Impact on Renewals
Even before this pandemic, the cyber insurance market was already in the beginning stages of change due to the dramatic increase in the frequency and severity of ransomware claims. For insureds who are considering canceling their cyber policies at renewal, explore options for extending their policy term for three to six months, or adjusting future-looking revenues in light of their new reality. These could be some cash-flow savings ideas that could allow them to still maintain this coverage that has become more critical than ever.
Also, prepare your clients for the process to take a little longer. With everyone working remotely, including underwriters, things are going to move more slowly. There also will be more questions surrounding financials, loss mitigation, preparation and business continuity plans. For sectors like healthcare and service industries, there will be more specific questions from underwriters about how they are handling and managing pandemic risk now, as well as in the future.