Cyber Risk Management in the Pandemic Era

Joshua Gold


November 12, 2020

As the pandemic continues to wreak havoc and disrupt life and commerce globally, an epidemic of cybercrime is following close behind. As Risk Management recently reported, Coalition’s H1 2020 Cyber Insurance Claims Report found that cyberattacks have increased in frequency and severity since the pandemic first struck.

The theft of money, the exfiltration of sensitive data and the extortion of organizations worldwide continues to proliferate and morph. The Emotet trojan can both deliver ransomware and steal data once inside the gates. A German tech company, a major U.S. law firm, a municipality in Colorado, and a university in Utah have all been recent cyber extortion victims. A ransomware attack against a tech firm in Miami stole and held hostage employee records, payroll information, payment card data and passport scans. 

Conditions created by the pandemic exacerbate exposure to ransomware and other cybercrime—and also point to concrete measures organizations must undertake to manage those risks.

Expansion of the Company Network

The pandemic has forced many organizations to expand their computer networks into dozens, hundreds or thousands of home offices.

A larger network means a larger perimeter to guard. Working from home has come with understandable growing pains—some having to do with functionality, some with productivity, and a number with cybersecurity. Zoom and other video online conferencing platforms have allowed many to telecommute efficiently, but security and privacy enhancements were necessary to ensure the integrity of the communications.

The vastly expanded array of personal computer devices mobilized for the work-from-home effort add a new layer of security risk to corporate networks. In a target-rich environment, cyber criminals have executed a bevy of serious attacks on organization systems—especially in the form of ransomware.

Ransomware Plus Data Theft

Ransomware attacks have increased exponentially. It is hard to know whether they have grown more severe as a result of the pandemic or if the increase is a function of ever-more sophisticated hacking gangs. The demands to unlock data have grown too. Once upon a time, a ransomware attack may have cost several hundred dollars to address. Now the ransoms can range from the many thousands of dollars to the many millions of dollars—all with no guarantee that the data will be unlocked if a ransom is paid. 

Increasingly, ransomware attacks constitute a multi-tiered threat. Early attacks demanded a ransom in exchange for returned access to the target’s systems and files. Now, stolen data is itself held hostage. The attacks can encrypt data, demand exorbitant payment for a return of information, permanently destroy data, disclose private or embarrassing data, and pull sensitive information on the way out of the system.

Risk Management Basics

Maintaining effective defenses against these attacks is not only possible—it is a core corporate responsibility. Regulators, investors and other stakeholders will insist on a dedicated effort to keep the cyber criminals at bay. Recently, a banking regulator levied a fine of $60 million against a financial institution in the wake of a prior security incident, and a U.K. airline was fined 20 million pounds for GDPR infractions after it was the victim of a security incident. 

As the pandemic persists, it is essential to remain vigilant, continuously updating programs and organizational software applications. Continue with security audits and penetration testing. 

Most importantly, concentrate on the dispersed work force. Cybercrime routinely targets and exploits human error. Coalition’s 2020 report found funds transfer claims up 35% and business email compromise attacks up 67%. Both forms of attack rely on duping employees. The report also found that “exploitation of remote access was the root cause of reported ransomware incidents.”

It is important to educate, train, educate and repeat. There cannot be enough reminders about core cyber security hygiene. New employees and longstanding ones need to adhere to the safety protocols and receive regular education about what to do and not do within the organization’s network. 

It is particularly vital that employees treat their personal devices with the same care that would be expected of company ones: use strong passwords, patch and update programs, log off entirely when not working, and secure the device at home, in the car and during travel. Also take great care with storage devices—encrypt any sensitive data that is resting on a hardware device.    

Give Your Insurance Regular Check-Ups

At renewal, first purchase, or even a mid-term check-up, consider whether your cyber insurance is up to the task of protection in a fast-shifting world of technology risk. First, make sure your data is accurately mapped. Some firms have embraced cloud computing without recognizing it. New computing services often take your data and your customers’ data and host it, partly or wholly, on their servers. If that is taking place, make sure the arrangement is reasonably secure and disclosed to stakeholders. 

Mapping data accurately can help inform whether your insurance matches your computing. Some forms of insurance may not include coverage for certain cloud computing operations as part of their basic coverage—and some forms of cyber insurance may try to sub-limit it. If you know you have to insure cloud computing data and operations, the cyber market is robust enough to deliver the needed protection. But have a good broker by your side to know what questions to ask and what to look for.

Second, with the pandemic forcing a surge in telecommuting, make sure that employee home office computing gets picked up as part of the cyber insurance protection. There are lots of different cyber policy forms on the market and not all are created equal. Carefully check the definition of “computer system,” “computer network” and related phrases to make sure that mobile devices are covered—including PCs, laptops, tablets, smart phones and thumb drives—whether they are online or offline. Be mindful too of where servers are located and who owns them.

Third, remember that insurance policies other than just specialty cyber insurance policies may be both handy and needed for serious cyber incidents.

Joshua Gold is a shareholder in Anderson Kill’s New York office, chair of Anderson Kill’s cyber insurance recovery group and co-chair of the firm’s marine cargo industry group. He is co-author with Daniel J. Healy of Cyber Insurance Claims, Case Law, and Risk Management, published in 2022 by the Practising Law Institute.