Advisen FPN

Advisen Cyber FPN - Wednesday, April 1, 2020

   
Cyber in the time of COVID-19: Will cyber claims response see an impact?

By Erin Ayers, Advisen

With more organizations shifting to work-from-home structures and away from typical routines, the COVID-19 pandemic may not only ramp up cyber risk, but also make cyberattacks more difficult to detect.

Experts say that in addition to the stress of increased telecommuting, cyberattacks that would ordinarily be caught quickly and remediated may go unnoticed for longer.

“Companies are not in the best position to monitor or discover breaches,” said Michael Phillips, chief claims officer for Arceo.ai. Most breaches, he added, “are discovered by commerce functioning properly, by an employee saying ‘Hey, I did something wrong’ and being able to walk over to the CISO.”

And, even though some hackers may be feeling generous, as in the case of the “Maze Team” that put out a press release offering discounts for its targets and a commitment to not attacking healthcare organizations, it is clear they do not speak for all. In the last month, numerous healthcare providers have faced attacks, including a UK-based medical research firm seeking a COVID-19 vaccine and the World Health Organization.

“Cybercriminals, who are smarter than a lot of people give them credit for, are capitalizing on the pandemic,” said Lindsay Nickle, partner at Lewis Brisbois. In addition to healthcare, she said, there’s been a “notable” increase in attacks on school districts, the vast majority of which are closed until at least May. The increase is “above and beyond” the already-high numbers of attacks against school districts that occurred in 2019.

It feels deliberate, Nickle said, as though cybercriminals are thinking, “Let’s hit them while they’re desperate because they’re more likely to pay.”

Threat intelligence offers opposing views of cybercriminal activity, with some seeing a slowdown and others reporting increased threat activity. Both views carry some truth, according to experts speaking with Advisen. While some cybercriminals have taken the humanitarian view (or merely been halted in their activity via shelter-in-place orders), others have increased their attack volume. The issue now is detection.

“We’ve seen a slowdown in claims, but the ones that are coming in are critical – it’s schools and healthcare,” said Nickle.

It’s that slowdown that worries cybersecurity experts – attacks are almost certainly occurring, but organizations may not be equipped to respond right now.

“Online threats are higher than usual -- organizations have not prepared for the entire workforce to be remote all at once and they are either late to investing in technology or putting a band-aid to adapt quickly to remote working,” said Elgan Jones, managing director at Kivu Consulting, in an email to Advisen. “This increases the risk as they have not put the security in place to allow all employees to be remote. As an example, in one given day, three small law firms called to say they had been hit by ransomware -- all three had enabled RDP [Remote Desktop Protocol] to work remotely the day before. Enabling the RDP port without securing it opens companies up to vulnerabilities.”

The vast number of business shutdowns may also complicate insurance recovery for cyber-related business interruption, warned Arceo’s Phillips. Businesses closed due to risk of infection or government mandate run the risk of being hit by a cyber event. This presents a dilemma: If a business is already interrupted, how much of the interruption can be attributed to the cyber event?

“It becomes difficult for the victim and the insurer to figure out. [Cyber insurers] made a promise to pay for those pieces that are truly caused by the cybercrime,” said Phillips. “Unfortunately, the stakes are going to be incredibly high.”

While he hasn’t seen the argument formally made, Phillips said organizations and their attorneys may be evaluating all insurance policies that may respond to business interruption.

“If they are running, even at a lower capacity, when they are hit with a cyberattack, they’re going to be looking at their argument about why it should be attributed to the cyberattack,” he said.

Organizations may also opt to delay response to cyber events, a decision that is both understandable and ill-advised, say experts. With businesses worried about finances, cyber events may be going unreported now – and getting worse.

“We’re human beings, we have limits on the number of crises we can handle at one time,” said Nickle. Much of the cyber incident response can be conducted remotely and local teams can respond to events where needed, say experts.

“We are constantly encouraging folks to make claim on their policies and get the resources they need,” Arceo’s Phillips said. “Criminals can only do more damage” left unchecked.

When in-person response is needed from Kivu, according to Jones, “our teams will be practicing social distancing whilst on site, and will carry a sanitization kit with them whilst onsite to clean hard surfaces etc.”

He added, “Our intention is to provide smaller teams onsite supplemented by experts working remotely via remote working equipment which Kivu has developed.”

Though most organizations won’t have factored “pandemic” into their cybersecurity business continuity planning, it’s likely to become a part of future efforts.

“In many ways, this event is a data model for a cyber virus that hits a wide range of companies,” said Phillips, noting that organizations can examine their role in supply chains to determine the impact of a networked loss.

Editor Erin Ayers can be reached at eayers@advisen.com.
