Work-from-home shift to stretch firms' cyber cover

Work-from-home shift to stretch firms' cyber cover | Insurance Business Australia

Work-from-home shift to stretch firms

Roughly a year after the COVID-19 pandemic spread rapidly around the world, many employees in various industries are working from home to avoid contracting or spreading the virus in the office or on their daily commute.

This has made it harder for organizations to secure their networks, and cyber insurance policies that used to be sufficient prior to the pandemic may no longer be today.

According to Jerry Ray (pictured), chief operating officer of data security firm Secureage, many companies are struggling with new risks that have emerged with employees working remotely.

“The sudden and en masse shift to work from home found most companies ill-prepared with hardware and software tools to manage the countless risks,” he told Corporate Risk and Insurance. “These include unknown network access points, uncontrolled environments with families all having access to a company-issued laptop, untrained employees who have to troubleshoot IT issues on their own, unconstrained employees who have time to explore websites they might not have seen while in the office, or social engineering attacks against households that exploit issues or pathways that don’t exist in controlled office environments.”

This also has implications for businesses’ cyber insurance, and, according to Ray, different cyber insurers will each have their own non-exhaustive list of exclusions relating to the “wild and untamed landscape” of employee homes.

The novelty of widespread working from home is making it difficult for insurers to create predictive risk models. This huge unknown space, Ray said, is likely to fall out of bounds for cyber cover.

“Cyber incidents in the realm of the previously unknown will pose even more areas where coverage may be denied,” he said. “Upstream supply chain attacks, like the recent SolarWinds exploit, present far too much potential aggregate risk to any insurer. That is, where the incident propagates from legitimate software vendors down to customers and their customers, or across shared cloud infrastructure hosts or ISPs, or even through hardware supply chains, insurers will limit their coverage to arbitrary and artificial boundaries throughout the interconnected and interdependent nature of computing.”

Insuring cyber risk, he said, is much more difficult than insuring a house or a vehicle. The widely disparate IT infrastructures of businesses, the lack of accurate and historical data on cyber events, and the ability of cyberattacks to target extremely wide geographical areas all introduce a huge number of variables into the equation.

Due to this uncertainty, Ray believes that companies’ cybersecurity efforts should not merely be to comply with the insurer’s requirements.

“While adhering only to the guidance of the insurer and limits of coverage, a company could overlook the real extent of its risk, which it is far better positioned to gauge than an insurer,” he said. “Minimizing cyber incident coverage failure isn’t nearly enough, especially where larger risks to brand, reputation, intellectual property, partner relationships where data is shared, and other intangible assets and value exist.”

With IT and security teams now having a much wider cyber perimeter to secure, Ray said that this is not the time to be complacent and apathetic, over-relying on insurance and cloud-based services.

“Without complete or meaningful cyber policy coverage to offset the risk to companies having employees work from home, companies will start waking up to the real risks posed to their business wherever data or IT infrastructure and services exist,” he said.

“A new appreciation for older but tested technologies, such as encryption or VPN, has arisen, but not to the extent that companies look to cloud-based computing and cloud operators to solve their security problems for them.”

According to Ray, the large concentrations of data on these platforms are likely points of attack.

“Much of the cyber risk management has been foisted on to those third parties with a belief that data generated by employees working remotely can be manipulated and protected better in the cloud services offered by Amazon, Google, or Microsoft, among others. Reliance on those third-party vendors, though, is creating a massive reservoir of data ripe for wide scale attack – precisely what cyber insurers are unlikely to cover.”