Cybersecurity insurers have augmented risk assessments amid the COVID-19 pandemic. You should, too.
The sharp spike in cyberattack attempts related to the COVID-19 crisis has not escaped the attention of cybersecurity insurers. They’re aware that cybercriminals are actively exploiting the coronavirus pandemic as a lure to ensnare anxious employees – particularly those working from home – with phishing, ransomware, and other types of cyberattacks.
The escalation of activity is precipitous: Cybersecurity firm CrowdStrike said in a blog post that they detected a hundredfold increase in COVID-19-themed malicious files from February to April 2020. Not surprisingly, insurance companies are worried that an attendant surge in successful incidents could increase claims.
The massive, unplanned shift to remote work has dramatically expanded the attack surface, and that has spurred insurers to add new measures to get a better read on risks. According to news reports, insurers are performing deeper due diligence of applicants’ cybersecurity and threat environments to calculate premiums before issuing policies. In particular, insurers are scrutinizing the risks of hastily implemented remote-work programs to determine whether robust security checks and balances are in place.
In addition to issuing more detailed requests for information about cybersecurity controls and processes, some insurers are developing risk-management assessments to augment visibility into a company’s cybersecurity maturity and unique threat landscape. They are also harnessing data to better assess cybersecurity practices and capabilities.
The goal is to better determine cyber risks in a remote-work environment in which at-home workers may be using inadequately secured personal equipment and network connections. There is no precedent for the current remote-work environment, and it’s unclear if insurers will cover the costs of incidents that arise from use of employee-owned equipment.
Risk assessments: More important than ever
The goal of deeper due diligence by insurance companies is to more accurately calculate premiums, which could raise the cost of cybersecurity policies. That’s why it is more important than ever that businesses conduct their own in-depth cybersecurity risk assessments.
Comprehensive cyber-risk assessments have always been recommended as a matter of business as usual. But the threats associated with the COVID-19 pandemic have heightened the need to scrutinize cybersecurity programs. Thorough risk assessments can help organizations gain a holistic understanding of security controls, processes, and technologies that are in place to support a secure remote-work program. That’s mission-critical, but understanding risk exposure can also help organizations prepare to negotiate insurance policy coverage and premiums.
It is critical that businesses assess cyber risks across the entire enterprise and third-party landscape, and not just IT. The assessment should also factor in financial, reputational, and compliance risks.
Organizations should analyze risks with a focus on their most valuable assets, as well as the criticality of risks to business processes, operational disruptions, and impact on revenue. It is also essential to examine the potential for insider threats caused by employees, whether intentional or not.
One external exposure that organizations often overlook is third-party risk. Cybercriminals frequently infiltrate the networks of vendors to gain a foothold on their partners’ systems. Businesses should evaluate the risks posed by third parties and ensure that those parties’ security capabilities are sufficiently robust.
Organizations also must appraise their regulatory exposure related to data breaches and privacy violations.
Checklist: Considerations for risk assessments for remote work
To gain a broad, comprehensive view into risks and current threats, organizations should:
- Perform thorough risk assessments annually, at a minimum.
- Review cybersecurity and privacy policies and programs to determine if remote-work policies are in place and up to date.
- Evaluate security proficiencies related to remote work, including remote access and VPNs.
- Review all connected devices and determine vulnerabilities due to the expanded attack surface.
- Evaluate various monitoring and detection capabilities.
- Assess and test security controls, processes, and systems on an ongoing basis.
- Monitor current threats and adjust security capabilities as necessary.
- Implement robust patch-management and anti-malware programs.
- Examine security risks, policies, and technologies of all third-party vendors.
- Assess employee security awareness programs to make sure they address vulnerabilities relevant to remote workers.
- Ensure that remote workers have secure, password-protected internet connections and Wi-Fi.
- Assess processes for compliance with regulatory laws like the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
Evaluate your current and future cybersecurity program and insurance needs
The surge in attack attempts that exploit the uncertainties of COVID-19 has elevated the need for cybersecurity insurance, and insurance companies may now ask organizations to perform an in-depth assessment of their cybersecurity and remote-work defenses before they can purchase insurance or update an existing policy. As organizations look at their cybersecurity programs, they should correlate the programs to their most valuable assets and security technologies, processes, and skills. This targeted risk assessment should connect the dots across the business and remote-work ecosystem. Once this is done, organizations can identify the right cybersecurity insurance requirements for their current and future remote-work models.