Cybersecurity insurers have augmented risk assessments amid the COVID-19 pandemic. You should, too.
The sharp spike in cyberattack attempts related to the COVID-19 crisis has not escaped the attention of cybersecurity insurers. They’re aware that cybercriminals are actively exploiting the coronavirus pandemic as a lure to ensnare anxious employees – particularly those working from home – with phishing, ransomware, and other types of cyberattacks.
The escalation is steep: Cybersecurity firm CrowdStrike said in a blog post that it detected a hundredfold increase in COVID-19-themed malicious files from February to April 2020. Not surprisingly, insurance companies are worried that an attendant surge in successful incidents could increase claims.
The massive, unplanned shift to remote work has dramatically expanded the attack surface, and that has spurred insurers to add new measures to get a better read on risks. According to news reports, insurers are performing deeper due diligence of applicants’ cybersecurity and threat environments to calculate premiums before issuing policies. In particular, insurers are scrutinizing the risks of hastily implemented remote-work programs to determine whether robust security checks and balances are in place.
In addition to issuing more detailed requests for information about cybersecurity controls and processes, some insurers are developing risk-management assessments to augment visibility into a company’s cybersecurity maturity and unique threat landscape. They are also harnessing data to better assess cybersecurity practices and capabilities.
Their aim is to better gauge cyber risk in a remote-work environment in which at-home workers may be using inadequately secured personal equipment and home network connections. There is no precedent for the current remote-work environment, and it is unclear whether insurers will cover the costs of incidents that arise from the use of employee-owned equipment.
Deeper due diligence lets insurers price premiums more accurately, which could raise the cost of cybersecurity policies. That is why it is more important than ever that businesses conduct their own in-depth cybersecurity risk assessments before they sit down with an underwriter.
Comprehensive cyber-risk assessments have always been recommended as a matter of business as usual. But the threats associated with the COVID-19 pandemic have heightened the need to scrutinize cybersecurity programs. Thorough risk assessments can help organizations gain a holistic understanding of security controls, processes, and technologies that are in place to support a secure remote-work program. That’s mission-critical, but understanding risk exposure can also help organizations prepare to negotiate insurance policy coverage and premiums.
It is critical that businesses assess cyber risks across the entire enterprise and third-party landscape, and not just IT. The assessment should also factor in financial, reputational, and compliance risks.
Organizations should analyze risks with a focus on their most valuable assets, and should rate each risk by its criticality to business processes, the operational disruption it could cause, and its impact on revenue. It is also essential to examine the potential for insider threats from employees, whether intentional or accidental.
One external risk that organizations often overlook is their third parties. Cybercriminals often infiltrate a vendor's network to gain a foothold on its partners' systems. Businesses should evaluate the risks posed by third parties and verify that those parties' security capabilities are sufficiently robust, rather than taking their assurances on faith.
Organizations must also appraise the regulatory exposure that follows a data breach or privacy violation.
To gain a broad, comprehensive view into risks and current threats, organizations should:
- Perform thorough risk assessments annually, at a minimum.
- Review cybersecurity and privacy policies and programs to determine if remote-work policies are in place and up to date.
- Evaluate security capabilities related to remote work, including remote access and VPNs.
- Inventory all connected devices, including employee-owned ones, and identify the vulnerabilities introduced by the expanded attack surface.
- Evaluate monitoring and detection capabilities, including their coverage of remote endpoints.
- Assess and test security controls, processes, and systems on an ongoing basis.
- Monitor current threats and adjust security capabilities as necessary.
- Implement robust patch-management and anti-malware programs.
- Examine security risks, policies, and technologies of all third-party vendors.
- Assess employee security awareness programs to make sure they address vulnerabilities relevant to remote workers.
- Ensure that remote workers use secure internet connections and Wi-Fi networks protected by a strong password and modern encryption (WPA2 or WPA3, not open or WEP networks).
- Assess processes for compliance with regulations such as the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).