Cyber – risk & insurance issues from COVID-19
Traditionally the major exposure to a business was damage to its premises (by fire, flood, storm or tempest, amongst other perils) and the consequential loss that followed (lost profit, and the cost of keeping staff on while the premises were rebuilt). Without its premises, a business could not operate. In modern times, the computer network is just as critical to productivity. What COVID-19 has made abundantly clear is businesses' reliance on their networks.
We anticipate during the current crisis that cyber-crime will increase. Many companies lack adequate risk management, governance or response plans, and otherwise remain uninsured for cyber risk.
Coverage varies in the market. Many cyber policies trigger only on a "cyber breach", i.e. an intrusion into the network. However, products exist that offer broader cover responding also to "human and programming error", such as a misconfiguration or a failed update that takes the network down with no attacker involved.
Cyber policies incorporate a suite of covers, including:
- first party direct financial loss as a result of fraudulent imitation, such as impersonation of a supplier or executive (the terms must be checked, and generally a crime policy must complement this cover);
- remediation costs and expenses (following a network incident or cyber breach);
- ransom and extortion costs following a ransomware or denial-of-service attack;
- legal liability to third parties as a result of a cyber breach;
- inquiry costs and expenses following a cyber breach, and in some instances, insurable penalties imposed by regulators.
No director could credibly assert that they did not know a risk existed as regards the threat of a cyber breach and downtime of their network.
In the event of a breach, network outage, ransomware attack, or human or programming error, how exposed is your business? How long will it take to restore the network and become operational? Who will pay for those costs? What effect will an outage caused by an attack or error have on profitability? Legal liability should also be considered: what personally identifiable information does the business hold? What are the consequences if a breach exposes customers' personally identifiable information? If network services are outsourced, what indemnities are given in the agreements with service providers? What are the implications under the Privacy Act (the business remains liable for the data it holds even where that data is stored in the cloud)?
Directors must turn their minds to mitigating these risks to ensure their businesses are "cyber prepared". This means a review of the network and its vulnerabilities, the impact on the business if the network is down, and the response plans in place, i.e. policies, procedures and protocols.
In the current circumstances, particularly given the working from home directions, the following should be considered:
- review business continuity plans and procedures.
- virtual private networks and firewalls should be up to date with the most recent security patches (see guidance for Windows and Apple products).
- increase cyber security measures in anticipation of higher demand on remote access technologies, and make sure they are tested under that load before it arrives.
- if you use remote desktop, ensure it is secured: it should sit behind the VPN or a gateway rather than be exposed directly to the internet.
- work devices, such as laptops and mobile phones, must be secure.
- implement multi-factor authentication for remote access systems and resources (including cloud services).
- maintain protection against denial-of-service threats, and consider engaging external, independent vulnerability testing.
- staff and stakeholders should be informed and educated in cyber security threats such as social engineering.
- staff working from home should have physical security measures in place. This minimises the risk that information may be accessed, used, modified or removed without authorisation.
It follows that without demonstrable attention to the above, it will be difficult to obtain quotes at the next renewal. An independent network assessment and business interruption review should be conducted by third-party experts.