In their response to the coronavirus outbreak, employees and other stakeholders will begin remote work and there is increased pressure on an organisation’s cyber security risk management.
A likely impact of the outbreak, less obvious but still significant, is increased pressure on an organisation’s cyber security risk management.
One kind of pressure will be driven by companies’ efforts to ensure employee health and safety and mitigate the spread of the illness. In doing so, companies may request sensitive health-related information from employees, and then take action based on the information received. Companies should remember that they must still comply with all applicable privacy, data security and confidentiality laws.
These laws may have certain exceptions relating to health or other emergency situations, and companies will need to deal with such laws on a state-by-state basis. All organisations should consult with legal counsel to make sure they understand and comply with their privacy-related obligations.
Ensure remote working environments are cyber secure
Another significant source of pressure will result from many more employees suddenly working remotely, without much or any lead time for reinforcing and enhancing network capabilities or cyber security risk management practices. This will strain IT security and operations staffs, which may already be stretched by closures and illness.
How to increase cyber security protection with a remote workforce
Here are some suggestions for dealing with the increased cyber security risks arising from a sudden increase in your remote workforce:Allow network access only
- through virtual private networks (VPNs) that are promptly patched as soon as updates become available
- to devices with full disk encryption
- require strong passwords and multi-factor authentication
- be extra alert: with so many employees working remotely, be on heightened alert for cyber criminals using the higher remote traffic to mask their efforts to exfiltrate data.
- about social engineering risks, methods and defences - and the heightened risk that will unfortunately arise from coronavirus-related scams
- to keep their laptops within their physical control, and their screens hidden from others, at all times when they are in public places
- never to provide login credentials in response to an email request even when at home, log off when not using network
- of authorisation for any financial processes and monetary transfers and the appropriate verification of each authorisation
Consider cyber insurance protection
Despite companies’ efforts, it is almost certain that cyber incidents will increase in connection with the dislocations caused by the coronavirus outbreak.
Companies with dedicated cyber insurance policies (or, where appropriate, combined cyber/E&O policies) will likely find coverage for many of the costs they will incur from these incidents. Potential cyber insurance coverages, depending on a particular policy’s negotiated terms, could include:
- Costs incurred in connection with the wrongful disclosure or otherwise failure to protect confidential personally identifiable information (PII) or protected health information (PHI)
- Costs incurred in defending and resolving lawsuits alleging the wrongful disclosure of confidential personal information
- Costs incurred in responding to a regulatory investigation or proceeding triggered by an alleged failure in the collection, use or disclosure of confidential information
- If allowed by applicable law, regulatory fines and penalties resulting from such investigations and proceedings
- Costs incurred in defending and resolving lawsuits alleging the failure to provide network access or technology products/services
- Business income loss and extra expenses caused by a non-malicious “system failure” – an interruption or significant degradation of the network caused by a coding error, upgrade or patch, or network failure caused by its inability to handle the increased volume of remote work
- If cyber criminals are able to gain wrongful access to the network:
- Legal and forensic costs incurred in determining if PII, PHI or third-party corporate information has been compromised
- Possibly some “social engineering” coverage for losses from fraudulent money transfers or invoice manipulation, although losses should be addressed by crime policies
- Ransomware-related coverages, which can include the cost of ransom payments, data and system recovery, legal and forensic work
- Business income loss and extra expenses caused by ransomware or other attacks on the network
- Business income loss and extra expenses caused by a voluntary shutdown of the network to limit the scope of an attack in process
- Depending on the policy’s terms, there could be business income and extra expense coverage if the network interruption is suffered by one of the company’s outsourced IT suppliers or other outsource providers (such as supply chain providers)
The Australian Cyber Security Centre has also sent out guidance on how to stay secure while staff work remotely. If you have any questions or need any help on protecting your business during the COVID-19 outbreak, do not hesitate to contact your broker.
This is an evolving risk that Gallagher continues to monitor through the CDC and WHO.
To the extent that any material in this document may be considered advice, it does not take into account your objectives, needs or financial situation. You should consider whether the advice is appropriate for you and review any relevant Product Disclosure Statement and policy wording before taking out an insurance policy.