COVID-19 has created unprecedented working situations for businesses. Many are rapidly trying to grapple with their employees working from home.
Cybercriminals are using these unprecedented times as an opportunity for online scams and attacks. Businesses need to be hypervigilant.
There are many ways a cyberattack can cause business loss: data loss; hacker theft; business interruption; breach response costs and consultants’ costs; privacy complaint costs; and potentially third-party liability, amongst others.
If you don’t have a Cyber Insurance or Cyber Liability Insurance policy, different insurance policies in your suite of business policies may respond to different types of loss. Even if your business does have a specialist cyber policy, the best option is to avoid cyberattacks altogether, if at all possible.
This article identifies common risks arising from your workforce working remotely, some things your business can do to minimise the risk of a cyberattack and, in the unfortunate event you suffer a cyberattack, how to respond.
Where do the risks lie?
There are significant risks from so many employees working from home for the first time:
- Network vulnerability – employees may use unsecured home networks, single factor authentication or weak passwords when working remotely.
- Reduced ability to monitor employees – to check employees are following the business’ best security practices (for example, calling a client to verify invoices or bank account details).
- Removing data from secure location – employees may transfer electronic files from business devices to less secure personal devices.
- Increased number of scams – CERT NZ has sent out an alert detailing the opportunistic attempts of cybercriminals to use the COVID-19 pandemic to scam people. They include downloading malware from COVID-19 maps and entering usernames and passwords into phishing websites.
How can you minimise these risks?
Your aim should be to prevent a cyberattack. Proactive steps to minimise risk include:
- Improving your IT security, particularly for remote network access. Ensuring all anti-virus software is up to date is crucial.
- Reviewing and strengthening IT security policies and procedures. This may require input from external IT security professionals. Some Cyber Insurance policies include the cost of pre-loss security consultation, so check this.
- Creating a response plan in the event of a cyberattack.
- Keeping cybersecurity at the forefront of employees’ minds. Remind staff of your security policies and what to do in the event of a breach or suspected breach. Encourage vigilance, and regularly test employees’ awareness and understanding of your IT security policies.
- Putting extra security measures in place to protect vital data and backing it up in the event that it is lost or stolen.
- Ensuring your employees only access business information on their business devices.
- Setting up logs to alert your business to any suspicious activity or incidents, e.g. for multiple failed login attempts or a login from an unknown IP address in an unexpected country.
What should my response plan include?
If your business does suffer a cyberattack, it is important to take the following steps:
- Take immediate steps to respond to the attack and mitigate any potential loss, by seeking help from your IT security provider. Loss mitigation costs are usually covered under Cyber Liability Insurance Policies.
- Notify your insurance broker or insurer immediately, even if you don’t know what, if any, loss you’ve suffered. Failure to notify your insurer promptly could compromise a future claim. Your insurer can approve consultant and other costs you incur in responding to the attack, and it is better to ask first than retrospectively seek approval of costs incurred.
- Keep a record of the circumstances surrounding the cyberattack and the steps taken in response.
- After checking with your insurer, notify all relevant bodies such as the New Zealand Privacy Commissioner and any affected individual if the cyberattack has resulted, or is likely to result, in a breach of that individual’s privacy rights. If you are unsure whether an individual’s rights have been affected, notify anyway.
If my business is attacked, will it be covered by my insurance?
Whether you are covered for a particular attack under any of your insurance policies is, of course, dependent upon the particular policy wording or wordings.
Most specialist Cyber Insurance policies cover costs and losses associated with a broad range of situations including network security and privacy breaches, data recovery, some security, liability and defence related costs, business interruption, and consequential loss.
However, there will be policy exclusions that limit the cover available. These usually relate to infrastructure failures (power, telecommunications infrastructure or services), or shutdowns for network access / functionality improvements.
If you are unsure about how your insurances will respond to a cyberattack, or what steps you need to take in the event of an attack, you should speak to your insurer or insurance broker. This will help your business implement the correct procedures to ensure compliance with policy obligations and safeguard your business should anything go wrong.
If you, or your business, have any questions about the issues raised in this article, please contact one of our Insurance Team.
Wynn Williams is a member of SCG Legal, a global network of more than 110 independent law firms with both legal and public policy practices serving businesses in all 50 U.S. state capital cities and the District of Columbia, as well as capital cities and major commercial centers in more than 50 countries. SCG Legal has developed a COVID-19 Global Resource Center, which is focused on up-to-date legal and public policy developments from more than 25 different countries and most U.S. States. To access it, visit scglegal.com/coronavirus-resources.