The long-term impacts of the coronavirus on cyber insurance will potentially lead to more take-up of the coverage. According to analytics firm GlobalData, the rise in remote working due to COVID-19 will increase the risk of cyberattacks, giving insurers an opportunity to improve their cyber insurance penetration rate.
However, the first part of that equation has already brought more headaches for businesses adjusting to work in the COVID-19 era.
“I don’t think anyone ever anticipated that they would have 100% of their workforce working remotely,” said John Coletti (pictured), AXA XL’s chief underwriting office for cyber. “That obviously creates some cybersecurity concerns,” since employees might expect the same level of access to company-related files that they would have had in a more secure office environment.
Despite the shift to remote work, employees want the simplicity of logging on to their computer and being able to click into all of their files and applications. Companies have always understood that they need to create an environment whereby employees have that consistent access, noted Coletti, “but networks were never created with that goal in mind, or at least with the model of having so many remote workers.”
As a result, businesses need to know how to secure their networks in this new normal, including re-securing devices since their employees might be accessing networks not just with company devices, but with their personal devices that have not been approved by the company. Using a tool like mobile device management software is very important to help ensure that the data on these devices is secure. Companies may also want to consider restricting some data that employees are allowed to access in the first place, especially since home Wi-Fi networks are notoriously vulnerable and set with default passwords that are very easy for hackers to crack.
“There’s also the issue of securing the network – making sure that if you’re an employee, that you have access to the network in a very easy fashion, but access to that network should be blocked or at least very difficult for everybody else,” said Coletti. “And how are employees accessing the network, if they’re not sitting in the office and just plugging in?”
Companies of a larger scale might already have well-configured VPNs on employee devices that allow secure access to the network through private tunnels, but what happens if a business has employees that need to access the network from a public internet? In this case, the issue of external firewalls might become necessary as well as, more broadly, the use of multi-factor authentication.
Implementing these types of sound cybersecurity measures can help insureds when securing cyber insurance.
“For us, it really comes down to asking underwriting questions [around] how are your employees functioning in this environment?” said Coletti. “Certainly we’re very sensitive to the increase in the amount of phishing that’s been going on, using COVID-19 as a lure for additional phishing attempts and, even internally, we’ve seen a huge increase in the amount of phishing emails since the outbreak.”
From an underwriting standpoint, the AXA XL cyber team needs to be comfortable that the client is doing what it needs to do to deal with that influx of phishing attempts, though businesses should also be aware of the challenges that can arise from implementing some of these measures and adjust their strategies accordingly.
“It becomes really a balance between security and the ease of doing business,” said Coletti. “You could increase the amount of filtering that you’re doing on emails to keep all the bad phishing emails out of your inbox, but it’s not a perfect system. You may then restrict a legitimate email from hitting somebody’s inbox, so there’s a trade-off.”