Cyber Insurance In A Health Pandemic

Cyber criminals prey on the vulnerable

Isn’t there enough to worry about at the moment without the additional risk of a cyber-attack? The saying, “it never rains but it pours” is the cruel reality that some individuals and businesses find themselves in, fighting a war on both sides.  This is the environment in which cyber criminals thrive.

As fear and uncertainty grip the world, we are not just fighting the deadliest global pandemic in a century, but also operating under the enhanced threat of cyber-attacks.

The risk to individuals and business is growing as the global shift to remote working gains momentum.  Laptops and pcs are now in short supply and many businesses are scrambling for resources.  One IT Security expert from Blackfoot Cyber Security said, “some workers are reverting to remote working on poorly configured networks, with unsecured devices and inferior security practices”.

With many business continuity plans now activated there is additional risk that these plans are not tested or designed for prolonged exposure.  Standard business security posture is typically reduced significantly with remote working.  Controls, processes, systems and data are exposed.  Even national critical infrastructure such as mobile networks are creaking with the rise in voice calls leading to dropped calls and major outage.

Mitigate the impact

Businesses can take some quick actions to improve their remote working security:

1. Require VPN to access the Internet, with 2FA to access company resources.
2. Run AntiVirus on startup – users should not be able to change AV settings.
3. Make workstation AV logs available to central systems admins.
4. Train workers on the risks of working remotely.
5. Follow the work from home guidance from NCSC

The impact of a pandemic on cyber insurance

Cyber insurance has never been tested by a global health pandemic, but generally the policy should respond to most types of cyber-attack.   At the time of writing, there are no specific exclusions in relation to the pandemic but that is likely to change soon.  Insurance regulators have instructed UK insurers to be ‘flexible’ when considering policyholders’ responses and claims in view of the pandemic.

Cyber insurers typically underwrite assuming an incident response plan (IRP) disaster recovery plan (DRP), and most relevant now, a business continuity plan (BCP) is in place to ensure a business can operate should a major disruption occur.  For many businesses that means staff are remote working.

Insurers would expect a policyholder to be following the same processes as if the workforce was operating from their offices.  If insurers discover the controls disclosed were not complied with at the time of a claim, cyber insurers will have to consider the impact of that and whether the business acted in reasonable best efforts to operate as was disclosed to insurers.

Don’t forget the small print

There are exclusions in a cyber insurance policy that might be triggered by a health pandemic:

• Change in risk profile

Some insurers will expect to be notified if devices being used for work purposes do not have the same level of security as the corporate network.  Similarly, if the security methods used by the workforce to connect to Gsuite/O365 have changed due to remote working.

• Government-mandated shutdown

Typically, cyber insurers do not cover mandated shutdown of a business’s computer system by order of any governmental authority.  However, it’s unlikely that a government order of ‘stay at home’ or ‘lockdown’ would trigger this restriction in cover.

• Failure of mobile networks

This is a standard exclusion in most cyber insurance policies and extends to include the failure of any other utility providers (i.e. power, satellite, internet and water) causing a cyber insurance loss.

• Physical events

Any fire, flood, earthquake, volcanic eruption, explosion, lightning, wind, hail, tidal wave, landslide, act of God or other physical event which has a physical nature to it will typically be excluded by cyber insurance.  There could be grey areas of coverage if sickness were to be the trigger for a physical event that became the cause of a cyber event.

• Acting as prudent uninsured

There may be restrictions to this due to incapacitation of the workforce.  Typically, insurers would expect a response in a timely and reasonable manner as if the policyholder was acting as a prudent uninsured.  However, at times where the workforce neither has the access or capability to provide a standard response, it could increase the scale and threat of a cyber-attack.  This would need to be reviewed on a case-by-case basis by insurers.

Making a claim during a pandemic

Cyber security incident response is one of the few emergency services that can be provided remotely to investigate and, in some cases, remediate a cyber-attack.  Cyber insurers typically engage best-in-class cyber security incident response experts who have the capability and expertise to handle incidents virtually and not in person.

The first 72 hours after the discovery of a cyber attack are the most critical to managing the consequences and potential fallout.  For a business to manage the simultaneous effects of a major cyber-attack during a pandemic situation, it is essential to establish a successful partnership with cyber insurers’ incident response providers that is both timely and effective.  Cyber insurers’ 24×7 around-the-globe response capability should still apply, with on-the-ground assistance if needed.

Of critical importance in the earliest stages is the need to communicate the situation to all members of the workforce as swiftly as possible, with clear instructions on any action individuals might need to take to support the recovery process or, possibly, to avoid because of the risk of potentially worsening the situation. Clearly, off-line communications channels need to be firmly established in order to ensure that this contact cannot be interrupted or prevented by the cyber event.