The insurance industry needs to spend time educating clients on how to best protect themselves as cyber criminals continue to capitalize on new vulnerabilities in the wake of the COVID-19 pandemic.
Educating clients is as important as getting them the proper insurance coverage, according to Lisa Lindsay, executive director of Private Risk Management Association, and Darren McGraw, president of Mechelsen Private Client, in a recent Insurance Journal vodcast.
“I believe we’re invested in spending as much time helping our clients not have a loss as we are making sure that the proper insurance coverage is there to make them whole,” Lindsay said. “And the more we talk about cyber crime, the more we help make cyber crime real to companies and individuals and give them practical tips on how to protect themselves.”
McGraw said he has already seen awareness of cyber crime increase as a result of what’s happening with this pandemic as more companies focus on prevention.
“This will continue, and we won’t necessarily know the full scope of what or how bad this is going to be for months until these breaches and attacks continue,” he said. “I will say that one level of encouragement I have is that I have never seen the amount of awareness or communication out there about, ‘be careful, be careful, be careful.’”
Cyber Attacks on the Rise
Indeed, Lindsay and McGraw don’t expect cyber attacks to slow down any time soon as the world continues to battle with COVID-19.
“I think that the longer this goes on, the more the cybercriminals are going to be out there looking for unlocked doors and windows to go in,” Lindsay said.
Already, cyber attacks on small and large companies alike have ramped up as a result of the coronavirus. Cyber criminals are using the widespread desire for COVID-19-related information to trick internet users into clicking links within phishing messages as well as capitalizing on company cyber vulnerabilities as more employees work from home.
“I absolutely expect the cyber criminals to keep their foot on that pedal and to keep forging ahead to try to get access to people in this very vulnerable time,” Lindsay said.
Cyber criminals are also taking advantage of employees downloading software such as Zoom for company meetings. They are able to hack into computer systems and steal passwords and sensitive information, Lindsay added.
Cyber extortion has ramped up as well, McGraw said, through something called denial of service attacks. He said this is happening most frequently with businesses, such as food delivery services, that many are dependent upon right now. Attackers will flood the servers for these services so that users can’t connect until the business has paid a ransom. McGraw said he’s seen the level of sophistication and opportunism among attackers increasing as they view this pandemic as an opportunity.
“Usually in a business, you can design governance plans and a chain of processes that you can direct and control,” he said. “You know who’s doing what and you have this plan, and all of a sudden, many employees are scattering and connecting from different directions. So this creates a great deal of opportunity for cyber criminals to jump in where maybe the business hasn’t had a chance to control.”
A lack of control as many employees work remotely, coupled with changes in employee behavior while at home, contributes to the cyber vulnerabilities that companies are facing right now.
“When you’re at work, you may not click on a link, you may not go to a website, because you’re told not to,” he said. “And we all seem to have a heightened sense of concern for these policies and procedures that our business tells us to do. But when we’re at home, we are much more likely to ignore those protocols.”
Prevention and Recovery
As both the pandemic and resulting cyber crime continue, companies that fare best will be ones that take cybersecurity seriously, Lindsay said.
“Firms that will do the best if they’re hit with a cyber attack are the firms that have a robust cybersecurity plan in place that is continually vetted, reviewed and practiced so that employees know the standard operating procedure,” Lindsay said. “If they believe that a breach has occurred or that they may have been infected, they know exactly who to call and what to do in a timely fashion.”
For companies, having a cybersecurity plan is not just about being proactive in preventing these attacks, but also recognizing that attacks will occur and having a response plan in place, she added.
“A lot of it comes down to the planning,” Lindsay said. “A lot of it comes down to the culture of the organization. Are people invested and really feeling committed? Do they know that they’re an important part of the plan and the security of the company?”
With this in mind, McGraw spelled out four elements he believes should be included in a cyber recovery plan.
The first step is identifying the breach. “That’s the immediacy of it,” he said. “What is it? What happened? Document, record it and then attack the attack, shut it down and prevent it from spreading.”
Second, it’s important to communicate transparently. “Who you should talk to is very specific to the business,” he said. “But when looking at other breaches in the past – some of them from the largest companies in the world – one of the number one lessons learned is the degree of secrecy versus transparency is a long-term consequence of recovery.”
Third, companies should learn from past attacks as well as ensure they are financially and legally prepared to respond to any additional consequences that result. “Some of the best ways that we can evolve as good guys is by learning from the evolution of the bad guys,” he said. “And we can learn to stay on top of things based on what we see happening so that they don’t happen again.”
Finally, companies need to ensure they have the right insurance, he said. While the range of cyber coverages available in the marketplace today is fairly robust, according to McGraw, finding the right coverage is imperative.
On the private client side, Lindsay said, clients need to make sure they are working with carriers that offer the most up-to-date specialized products and services available in the marketplace.
“I would say that we’re seeing a little bit of a low take-up where people don’t seem to possibly think that they need [specialized cyber] coverage,” Lindsay said. “As more attacks occur, I think we will see people being more interested in adding on that additional coverage to their insurance policies.”
Although the cyber consequences related to this pandemic are still being fleshed out, McGraw and Lindsay both noted that insurers have decades of experience responding in times of crisis.
“We have a track record and a history of being there to respond to fires and hurricanes and storms and hail storms,” McGraw said. “And that’s just part and parcel to what it is that we stand for as an industry. I have no reason to expect that’s going to change because the nature of loss is cyber versus wildfire or some storm event.”