Covid-19: How can cyber risk protection be improved?

 

Teleworking has proved to be “the solution” for continued activity, at least for the companies that have been able to set it up and for the operations that can employ it. The uncontrolled implementation of telework may considerably increase security risks for the companies and organisations using it. It may even endanger their activities in the face of cybercriminals who are increasing their efforts to take advantage of these new opportunities (and more and more in confrontation with state-sponsored groups). On this subject, we recommend reading the very good Thalès report edited on 24 March 2020.

 

In its communication dated 19 March, the FINMA stated: “in the current situation relative to the coronavirus, there has been a recrudescence of fraudulent phishing e-mails. Cybercriminals are trying to take advantage of the atmosphere of insecurity using the identity of various senders to dispatch malware.”

 

This observation was confirmed in the Europol report of 27 March which describes how criminals are exploiting the current sanitary crisis, and not only through the Internet.

The National Support Network for Investigations engaged in fighting IT crime (NEDIK) and the Reporting and Analysis Centre for Information Assurance (MELANI) have warned against this cyber threat and provide information on good practice and how to apply adequate protection:

Defences are also being organised by state actors and private specialists and through spontaneous transnational initiatives. A group of 400 Cyber Security experts from 40 different countries was created on 25 mars 2020 under the name COVID-19 CTI League (CTI for “Cyber Threat Intelligence”). Their intention is to dismantle the current hacking campaigns, with priority going to the protection of healthcare institutions and those organisations currently mobilised on the “front line”.

From an insurance point of view, it should be pointed out that current Cyber policies do not contain any specific exclusions for the notion of pandemic. The definitions of “information system covered” include all the tools provided by the company and there are no exclusions for the use of personal devices (“Bring your own device”), in as much as the security measures presented by companies at the time of purchase remain in effect. Failing that, the notion of modification or increased risk could be cited.

 

However, it would pay to remain attentive to the points we raise below which, while not exhaustive, may be crucial at a time when the Internet, corporate information networks and Cloud services are put to the test:

• As prior to the crisis, the consequences of an Internet or power outage are never covered if the outage also concerns areas other than the corporate sites. Insurers are therefore protected from a systemic risk.

• While they insure against technical breakdowns and malware, some policies may include an exclusion to ensure vigilance in Information Security. This means that an exclusion may make the anticipation of operational needs obligatory, even if that is higher than normal. In other words, in a context of massive use of teleworking for example, or if there is a lack of personnel available to maintain a server, any technical breakdown caused by this situation and leading to a partial or total outage of the information network would not be covered a priori. It would however still be possible to invoke a case of force majeure against the insurer (COVID-19 being considered as an event exterior to the company, unpredictable and irresistible, of great intensity). The qualification would then depend on the judge and would certainly be treated on a case-by-case basis.

In any event, considerations regarding the efficacity of insurance coverage must obviously not hinder companies from continuing to apply prevention best practice.

We are living in a cyber period of high intensity and, in this uncertain world, cyber insurance is more pertinent than ever for companies. Certain markets are already trying to impose pandemic exclusions. Vigilance remains the order of the day and all these opportunist attempts must be resisted.

 

The specialists at Swiss Risk & Care ensure the surveillance of problems linked to cyber security, insurance, pension and propose to share them with you through a document. Write us at communication@swissriskcare.ch to get it !