COVID-19: Next Steps for Your Cyber Insurance

Organisations face increased cyber challenges as COVID-19 continues to spread, with core activities often disrupted or needing adaptation.

As organisations respond to urgent and changing business needs, it is vital they continue to prioritise cybersecurity. This includes understanding the pandemic's implications for cyber insurance.

Risk professionals should work with their insurance advisers to review carefully cyber insurance policy language. They should also refresh their awareness of incident-response services available under their policies, and how to best use them should an incident occur.

Policy Response

With many organisations already operating in crisis mode, incident-response services are more vital than ever. Work with your cyber insurance advisor to ensure you understand:

• How to access your incident response coverage – do you need to call a hotline or report through your adviser?
• Is a pre-approved panel of forensic experts available to help investigate an incident? Is your information security team aware of this benefit?
• If you have a ransomware event, does your cyber policy include coverage for resolving it? Does your insurer provide access to a third party that can facilitate payment of a ransom quickly if required?
• Are there policy conditions you need to comply with to ensure coverage will apply? For example, is pre-approval required before you incur forensic costs?

Renewal Preparation

Insurers across all lines of business are concerned about the pandemic’s impact on the risks they insure and the losses they may face.

From a cyber insurance perspective, organisations should expect underwriters to look at overall business resilience in more detail, to gauge how organisations are grappling with the expanded attack surfaces created by remote workforces and other users. Underwriters will also want to review how increased dependence on technology may affect organisations’ ability to respond to disruption in their operations and extended supply chains.

Organisations should anticipate questions from insurers on:

• Any expected financial impairment due to the pandemic that may affect investment in cybersecurity or technology.
  
• Working from home policies – be prepared to explain any needed relaxation of usual cybersecurity and privacy policies during these unprecedented times. 
• Deployment and management of bring your own device versus company-owned-devices, particularly mobile device management solutions.
• Activation and mandates for employees and other users to utilise multi-factor authentication to access the organisation's systems.
• Methods of securing access via virtual private networks and other secure remote-access protocols, including:
  • Employee/user training on the use of public and home WiFi for business communications.
  • Disabling of USB ports, thereby limiting the likelihood of data leakage in a home-working environment.
  • Guidance provided to employees/users regarding securing connections, the sharing of confidential information to personal devices, and/or proper use, storage, and disposal of printed confidential information.
• Any increased phishing training and/or similar cyber awareness activity. 
• Establishment of a legally reviewed policy/procedure for personal data regarding employees or customers with COVID-19.
• Existence of a designated business continuity plan (BCP) for IT security. Is it being implemented now? And to what extent are you affected by your critical suppliers'/vendors' BCPs?

The global Marsh cyber practice is well-positioned to help you review your coverage in the context of your incident-response plans, or to help you to prepare the right level of information in light of new requests from insurers.