Cyber Risks and Insurance in a Covid-19 World

Since the start of the year the Covid-19 Coronavirus has had significant impact on businesses in Hong Kong and across the world. From operational continuity and contingency planning to the disruptions caused by working-from-home (which carries its own unique set of problems for employers), companies have had to navigate an extraordinary array of challenges.

There have been a large number of obvious risks during this time – does my EC insurance cover staff working from home? Does my corporate health insurance cover the treatment costs of the Coronavirus? Does my keyman life insurance cover a death which has been the result of Covid-19?

Something that has been overlooked, so far, is the intangible digital threat posed by the pandemic. This isn’t surprising, due to the fact that fewer than 20% of companies in Hong Kong have some form of cyber insurance protection. The absence of cyber insurance from the overall risk management strategy at a business is, however, extremely alarming at this time.

Coronavirus Crisis Prompts a Cyber-Criminal Reaction

Cyber criminals will always look for the lowest hanging fruit. The target of opportunity which provides the greatest reward for the least amount of risk. Sometimes they accomplish this with scam emails and let human nature take over; because who doesn’t want to believe they’ve won millions of dollars or, in the current climate, about the home remedy for Coronavirus that actually works. Other times cyber criminals will take more targeted actions and go after a single company or individuals through myriad different means.

But the Covid-19 Coronavirus pandemic has created a perfect breeding ground for cybercriminals. The fear caused by the virus, coupled with a fundamental change in how people work and businesses operate (at least in the short term), there has been more opportunity than ever before to capitalize on lax digital security and awareness. The global proliferation of digital devices over the last 10 years, and the drive of the information economy means that there is more potential for cyber criminals right now than there has been in recent history; and the criminals are taking advantage.

During times of crisis it is not unusual to see an increase in criminal activity. However, due to the nature of Covid-19, and the social distancing being practiced by much of the world, much of the criminal activity experienced during the Coronavirus pandemic has been digital in nature.

Both the FBI and Interpol have reported that cyber crime has significantly increased during the pandemic crisis. Criminals are taking advantage of a number of factors that have created a perfect environment for more lucrative cyber events because workers are out of the office, concerned about getting accurate Covid-19 information, and are using their personal devices.

Increased Exposure Leads to Increased Cyber Events

While working from home has been the best possible solution to ensuring mass social distancing and flattening the growth curve of the virus, much of the IT protection in place (both for the business and the staff) at the office is absent when working from home.

Generally, the IT department will install firewalls on the office servers, they will maintain the critical infrastructure and update employee’s computers with the necessary antivirus and patched programs. Emails are monitored, and it is likely that staff use of company equipment is monitored in some capacity as well (perhaps its something as simple as blocking specific websites or more comprehensive like active keyloggers).

When employees move to working remotely, much of the cyber security infrastructure disappears. Oversight is lacking, employees are likely to be using their personal devices (in addition to any corporate devices they may have been provided), and will be responsible for the upkeep and maintenance of the security of those devices while they are working from home.

As employees will often forget to do the necessary updates there is a reason the IT department is normally responsible for ensuring that all programs are updated, and not general staff members. Even if most employees do patch their devices as and when needed, one or two may not and a gap is created.

Add to this the fact that with personal computing devices comes personal email and social media. While the corporate email server may be firewalled against spam and malicious threats, personal email doesn’t normally enjoy the same protection. Additionally, personal passwords which are subjected to the rigorous updates of corporate logins are much easier to obtain. As much of the world’s cyber-crime is perpetrated via email, the risk of an employee downloading a malicious document, or falling victim to a phishing scam is much higher than it would usually be.

While we all like to think that we’re sophisticated, technically adept and would never fall victim to something as pedestrian as a phishing scam, the simple fact that there is so much uncertainty in the world means that many people are desperate for as much information about Covid-19 as they can possibly get. So, the likelihood of opening an email purporting to contain valuable information about the Coronavirus, or clicking a link to visit a website which may contain all the latest information, is much, much higher than it usually is.

Criminals are even attempting to access popular video-conferencing platform Zoom. Imagine if someone was to overhear your development team talking about your latest e-commerce website. Or if they were to be in on a session you were having with your accountants and talking about your banking data.

Then we have the issue of family; while the employee may not pose a direct threat, or cause criminals to gain access to the company network, a child who isn’t so sophisticated or technically aware very well could. During a parent’s bathroom break the allure of a computer and a YouTube video could be too much for little fingers, and if the wrong button is pressed or URL entered then the company has been exposed to a possible cyber event.

Cyber Insurance doesn’t prevent hacks, but it can help if you are hacked

Cyber Insurance doesn’t prevent hacks or cyber events. Something like the Ransomware surge which has targeted hospitals over the last few weeks (because cyber criminals have correctly assumed that hospitals cannot afford to be locked out of their systems), cannot be prevented.

However, Cyber insurance will assist in the aftermath of a cyber event. Whether this is a stolen corporate computer, a brute force hack on your sales website, or a complete ransomware lockdown of your network, Cyber Insurance provides the finances and expertise for a business to continue and overcome a cyber crisis. From specialist crisis managers, through to funds to pay for a ransomed network, Cyber Insurance ensures that you are able to continue operations as normally as possible despite what would have otherwise been a devastating cyber event.

At this time more than ever, continuity is critical. While debates rage on about whether now is an acceptable time to reopen different economies, or whether restrictions on social distancing and quarantining should be relaxed, the last thing a business needs is a cyber event. To have successfully navigated the coronavirus and then have a cyber event would be crippling, given everything else that is happening.

Cyber Insurance is not a legally mandated form of business insurance protection, but CCW Global would strongly recommend that any business without cyber insurance protection in Hong Kong strongly consider taking out some form of protection. Our brokers are happy to review your cyber protection needs completely free of charge.

For more information, or to arrange a free consultation with one of our expert Hong Kong Insurance brokers, please Contact Us Today.