Risks and challenges may emerge with the adoption of social distancing and stay-at-home protocols to reduce COVID-19’s adverse effects. With employees, students, patients, and others asked to function remotely under stressful circumstances, and infrastructure pushed to handle more activity, organizations must consider how their cyber risk profiles may be affected.
The biggest challenge is migrating from a physical presence to a virtual one. Once organizations acknowledge this challenge, they must take appropriate action to mitigate potential risks — for example, by reinforcing employee and other users’ awareness of cyber threats, boosting and supporting technology systems, and reviewing insurance coverages with an eye toward potential losses under cyber, media, and technology errors and omissions (E&O) policies.
Increased remote working is presenting more opportunities for cyber-attacker, and organizations just starting to use remote desktop protocols for work may be more susceptible to a cyber-attack. For instance, individuals may log in remotely from home networks that use less secure hardware.
Cyber actors have already taken advantage of people seeking information on the pandemic. COVID-19 is increasing the occurrence of phishing and “social engineering” events, with information about the virus used as the hook.
Remote working also increases the risk of relaxed privacy policies and procedures. To facilitate working from home, employees may remove printed files from the workplace, or transfer personally identifiable information to unsecured or unencrypted storage or personal devices — potentially exposing the information to a breach by unauthorized users or improper use and disposal.
Organizations should proactively remind employees that good digital hygiene is even more critical when connecting to networks remotely. The burden may fall on employees at home to conduct activities such as patching and updating systems, logging out when not working or using networks, physically securing computers, following proper procedures about handling private data, and using robust passwords for devices and home Wi-Fi.
Organizations also need to maintain a heightened state of cybersecurity, including testing system preparedness for inevitable operational disruption. IT/InfoSec teams are being increasingly called upon to handle problems arising from a suddenly remote workforce.
Demand on web communication tools will increase, so system availability may be reduced. System outages or degradation will interrupt operations, causing loss of revenue and additional expense.
Insurance coverage for privacy breaches, security incidents, and technology outages is already available. In fact, a typical cyber policy provides various loss prevention and mitigation services that can be accessed both before and after an event. Several insurers are also proactively reaching out to policyholders when they become aware of potential threats or exploitable vulnerabilities.
However, with the unprecedented number of people “social distancing,” the rapid rise of remote connectivity will likely create new vectors for cyber claims, particularly under three distinct coverages:
Some of the COVID-19 pandemic’s unique circumstances may limit or challenge the responsiveness of these policies.
Most cyber insurance policies include a broad array of coverages relevant to the current environment. These include network security liability, privacy liability, security response and forensic costs, data recovery and restoration, ransom event costs, reputational harm, network business interruption and associated expense, system failure, contingent business interruption, and privacy regulatory defense.
In some situations, however, coverage may not apply. Cyber insurance policies typically include:
Tech E&O policies include coverage for wrongful acts in the delivery of technology services, or failure of technology products to work or perform intended functions that are potentially relevant to current conditions. Coverage may not apply, however, in certain circumstances because of a policy’s:
Media liability policies include coverage for a wide range of acts related to the creation or display of media material (for example, information, sounds, images, and graphics). Typical media liability coverages include defamation or product disparagement, infliction of emotional distress, misappropriation of names or likenesses, privacy rights violations, and infringement of copyrights or domain names, and plagiarism.
But losses and damages incurred may not be covered under some circumstances. Media policies typically include:
As the pandemic continues, risk professionals should work with their insurance advisors to carefully review policy language to refresh their awareness of what is and is not covered, and act as necessary to ensure that coverage will be triggered in the event of a loss.