A likely derivative effect of the outbreak, lower in priority but still significant, is increased pressure on an organization's cybersecurity risk management.
One kind of pressure will be driven by companies' efforts to ensure employee health and safety and mitigate the spread of the illness. In doing so, companies may request sensitive health-related information from employees, and then take action based on the information received. Companies should remember that they must still comply with all applicable privacy, data security and confidentiality laws, such as HIPAA, GDPR, other international or state information security laws, and possibly additional laws such as the ADA. These laws may have certain exceptions relating to health or other emergency situations, and companies will need to deal with such laws on a jurisdiction-by-jurisdiction basis. All organizations should consult with legal counsel to make sure they understand and comply with their privacy-related obligations.
Another significant source of pressure will result from many more employees suddenly working remotely, without much or any lead time for reinforcing and enhancing network capabilities or cybersecurity risk management practices. This will strain IT security and operations staffs, which may already be stretched by closures and illness.
Here are some suggestions for dealing with the increased cybersecurity risks arising from a sudden increase in your remote workforce. This list is not intended to be definitive or exhaustive:
- Allow network access only:
  - through virtual private networks (VPNs) that are promptly patched as soon as updates become available
  - to devices with full disk encryption and proper firewalls
- Require strong passwords and multifactor authentication
- Pay special attention to system monitoring and detection services, enhancing or upgrading them as needed to keep up with the increased remote network traffic
- With so many employees working remotely, be on heightened alert for cyber criminals using the higher remote traffic to mask their efforts to exfiltrate data
- Remind employees:
  - about social engineering risks, methods and defenses -- and the heightened risk that will unfortunately arise from coronavirus-related scams
  - to keep their laptops within their physical control, and their screens hidden from others, at all times when they are in public places
  - never to provide login credentials in response to an email request
  - not to use less secure devices, such as the family computer, to obtain or store work information
  - not to use personal email accounts to transmit work information
  - not to transmit or store work information on their personal cloud storage accounts unless their companies specifically allow that practice
  - not to leave written corporate materials in shared or unsecured locations
  - to log off when not using the network, even when at home
- Tighten both the scope of authorization for wire transfers and the verification of each request -- such as video confirmation
- Review and update your incident response, business continuity and disaster recovery plans so that they adequately address your new circumstances
Despite companies' efforts, it is almost certain that cyber incidents will increase in connection with the dislocations caused by the coronavirus outbreak. Companies with dedicated cyber insurance policies (or, where appropriate, combined cyber/E&O policies) will likely find coverage for many of the costs they will incur from these incidents. Potential cyber insurance coverages, depending on a particular policy's negotiated terms, could include:
- Costs incurred in connection with the wrongful disclosure of, or other failure to protect, confidential personally identifiable information (PII) or protected health information (PHI)
- Costs incurred in defending and resolving lawsuits alleging the wrongful disclosure of confidential personal information
- Costs incurred in responding to a regulatory investigation or proceeding triggered by an alleged failure in the collection, use or disclosure of confidential information
- If allowed by applicable law, regulatory fines and penalties resulting from such investigations and proceedings
- Costs incurred in defending and resolving lawsuits alleging the failure to provide network access or technology products/services
- Business income loss and extra expenses caused by a non-malicious "system failure" — an interruption or significant degradation of the network caused by a coding error, upgrade or patch, or a network failure caused by its inability to handle the increased volume of remote work
- If cyberthieves are able to gain wrongful access to the network:
  - Legal and forensic costs incurred in determining if PII, PHI or third-party corporate information has been compromised
  - Possibly some "social engineering" coverage for losses from fraudulent wire transfers or invoice manipulation, although such losses should be addressed by Crime policies
  - Ransomware-related coverages, which can include the cost of ransom payments, data and system recovery, and legal and forensic work
  - Business income loss and extra expenses caused by ransomware or other attacks on the network
  - Business income loss and extra expenses caused by a voluntary shutdown of the network to limit the scope of an attack in progress
- Depending on the policy's terms, there could be business income and extra expense coverage if the network interruption is suffered by one of the company's outsourced IT suppliers or other outsource providers (such as supply chain providers)
Please do not hesitate to contact your team at Gallagher for help and guidance, especially if you have or suspect a cyber incident. Your Gallagher representatives are ready and eager to help you during these challenging times.
This is an evolving risk that Gallagher continues to monitor through the CDC and WHO. Please visit our Pandemic Preparedness Page for the latest information.