A remote workforce on COVID-19 lockdown has made many organisations more exposed to cyberattacks.
Cybersecurity insurers have realised that the risk equation has changed dramatically for their customers, and they’re closely scrutinising companies’ security arrangements and existing insurance policies. As a result, some enterprise risk managers may soon find themselves paying noticeably more for cyber insurance protection—and turning to their CISOs to find out why.
Fertile Ground for Cyberattacks
The COVID-19 pandemic has increased the potential for cyber threats. Phishing attacks have continued to rise as malicious actors use COVID-related lures to exploit users’ fears and desire for information about the pandemic. At the same time, a remote workforce using less-secure home networks and personal devices can increase the company’s attack surface. That increases the likelihood that cybercriminals will prey on employees working from home, using phishing emails to steal their credentials and cause other major disruptions. Also, VPNs, once a lifesaver for remote workers who needed to connect to a company’s private network, have become something of a cautionary tale because some products have security holes that leave an organisation vulnerable to hacking.
According to one legal expert, some cybersecurity insurance policies draw a line between company-owned computers and personal devices, and may not cover hardware owned by employees—which means the company could be exposed in the event of a breach. Some insurers may also require companies to have a formal written policy for the use of personal devices.
How are cyber liability insurers responding?
Cyber liability insurers are reacting to the changing risk equation created by the pandemic. According to the Wall Street Journal, insurers are asking to see policyholders’ business continuity plans and determining whether they’ve been revised to include working-from-home scenarios. Insurers are also escalating their scrutiny of policyholders’ other security practices. In some cases, that means obtaining proof that companies are practising good digital hygiene, such as ensuring that remote access is secured correctly, that operating systems are kept current with security patches, and that email servers are configured to shield against possible phishing attacks. Overall, insurers are becoming more proactive, alerting policyholders to new exposures and vulnerabilities in their network that might trigger a breach—before a cyber threat wreaks havoc and causes major financial losses.
Cyber insurance costs could escalate
The greater risk caused by the COVID-19 public health crisis and home working could drive insurers to increase prices. That’s partly because cybersecurity insurers are worried that home networks and personal equipment could introduce cyber risks that might not have been a concern when the policies were originally drawn up. Insurers might even deny coverage if companies fail to provide evidence that they are implementing security best practices such as multi-factor authentication.
Increased recognition of the impact of cybersecurity events has been driving more businesses to buy cybersecurity insurance in recent years—and demand is continuing to rise. However, even before the COVID-19 pandemic, cybersecurity insurers were raising prices as losses due to ransomware attacks and other breaches were growing.
Cybersecurity insurers are attempting to improve risk-modelling techniques and trying to enhance their understanding of fast-moving cyber risks. For example, companies now face greater scrutiny from their insurers due to the potential impact of far-reaching security and privacy laws at state, federal and international levels.
The Bottom Line
COVID-19 has dramatically changed the risk landscape and working practices—and is pushing cybersecurity insurance providers to closely examine companies’ security arrangements and existing insurance policies. Insurers are scrutinising companies’ security arrangements for employees working at home, and some are proactively alerting policyholders to new vulnerabilities in their network. For some companies, this scrutiny could mean higher cyber liability insurance rates or even denial of coverage.
This article was originally published on Mimecast’s blog and has been shared with permission.