Full extent of the damage from cyberattacks during the pandemic 'yet to be seen'

Brokers need to double down on educating clients about heightened cyber risks amid the crisis

By Alicja Grzadkowska

The Canada Revenue Agency, Twitter, and Brookfield Residential Properties are just a few of the organizations that have been impacted by cyberattacks and data breaches during the coronavirus pandemic. In the meantime, remote working brought on by the global health crisis has created new cyber vulnerabilities for hackers to exploit, according to a recent report from Aon and CyberCube – and one expert told Insurance Business that he expects the cyber risk landscape to get worse before it gets better.

“I fear we have yet to see the full extent of the damage caused by cyberattacks during the pandemic as sophisticated cybercriminals will remain dormant in an infiltrated system until they can attack their victims en masse,” said Nathan Rose, senior underwriter in professional liability at Burns & Wilcox.

The remote working environment is one of the key factors that has contributed, and will continue to contribute, to a more complex cyber environment for companies. The overnight transition to a remote workplace has resulted in many businesses, and particularly those in the SME space, struggling to implement the same cybersecurity measures and risk management protocols that are in place in a physical office, explained Rose, adding that larger corporations likewise face challenges due to employees using their own devices and email accounts at home, instead of those provided in a managed security environment.

“We also have the added complication of video communication, where we find ourselves wholly dependent on third party software that doesn’t always have sufficient security controls,” said Rose. In turn, “The increased privacy risk from using a remote workforce is being exploited. Resources have been invested in protecting corporate networks, but now that they are being accessed via home Wi-Fi connections, they require additional security for what is essentially the ‘new weakest link.’”

Moreover, the coronavirus and related shutdowns have resulted in many Canadians being furloughed and laid off, which likewise introduces cyber-related risks. The unemployment rate in August came in at 10.2%, according to the Labour Force Survey, after reaching a record high of 13.7% in May.

“Layoffs create disgruntled employees, which heightens the risk of employee theft and malicious damage,” explained Rose. “You will also have another tranche of individuals looking for financial relief, potentially making them more susceptible to phishing attacks.”

And Canadians are especially susceptible when it comes to phishing attacks, as revealed by a report from RSA, a Dell Technologies subsidiary, which found that Canada was the most frequently targeted country for phishing attacks during Q1 2020. From a cybersecurity perspective, the COVID-19 pandemic introduces a huge vulnerability that cybercriminals are trying to exploit by deceiving innocent parties into believing they have information that’s relevant to the pandemic, such as news about a potential vaccine or a charity asking for COVID-19 relief.

“Cybercriminals are endeavouring to steal usernames and passwords, as well as intellectual property, or facilitate fraudulent funds transfer,” said Rose.

In light of the cyber threats presented by the coronavirus pandemic, insurance brokers need to focus on educating their clients about the intensified risks, before their firms’ names get added to the list of companies impacted by cyberattacks during this period.

“Cyber loss prevention starts with education, so the need to raise awareness on vulnerabilities is evident,” said Rose, adding that this involves ongoing training of employees, as well as mapping out work-from-home best practices. In fact, Burns & Wilcox works with a number of Infosec partners that provide a range of forensic or educational resources to strengthen insureds’ defences.

Brokers should also keep an eye out for several areas of cyber policies that are relevant during this time, according to the Burns & Wilcox expert. These include:

  • Encryption exclusions for mobile devices. Some policies exclude coverage if the firm’s mobile devices are not encrypted. Encrypting these devices is sound risk management and should be standard practice. Ideally, coverage should not be contingent on this being done and certainly should not be a reason for claims to be excluded.
  • Retroactive date. Some policies exclude coverage for claims an insured could have reasonably foreseen due to inadequate security measures not being in place before a certain date. Coverage under a good cyber insurance policy, however, should either have full prior acts cover or be triggered by the ‘discovery of the network security event,’ and not the occurrence of the incident.
  • Voluntary notification. Even without a legal obligation to do so, the trend is moving toward voluntary notification to protect a company’s brand and reputation (i.e. issuing notifications before being mandated to do so). In any event, clients expect such notifications. Not all cyber policies cover costs of providing a breach notice, so brokers should check whether and how the policy will respond to these circumstances.

“Ultimately though, whichever product a potential client opts for, I think the priority should be in identifying their exposures, and where they might be subject to a loss,” noted Rose.
