Examining the pandemic’s effect on the cyber risk landscape

It goes without saying that the Covid-19 pandemic looks set to leave a profound and lasting impact on the way we conduct our day-to-day lives across a number of facets, but not least our relationship with technology. With that shift towards a greater daily reliance on technology, comes a corresponding risk when technology goes wrong.

Perhaps the most severe of these risks is cyber security. Such has been the pace of change across the cyber risk landscape over the last few years, it can be challenging to distinguish the direct effect of the pandemic on cyber risk from what was already an upward trajectory.

However, here we take a look at some of the key areas where exposure to a cyber breach has grown as a result of the Covid-19 pandemic and how insureds can work to get the most out of the insurance market to effectively transfer, mitigate and manage some of these risks.

Change in attack surface area

The sudden shift to remote working dramatically changed the way businesses operated. As organisations scrambled to ensure their digital infrastructure was capable of supporting an entire workforce working from home, they exposed themselves to significantly increased cyber risk.

New laptops and tablets issued to employees, reliance on cloud capabilities rapidly expanded, and the mass adoption of VPN and RDP technologies all placed greater strain on network perimeter security. With business continuity quite rightly the key priority for businesses, security often came second and CISOs and information security teams have been playing catch up ever since.

The rush to adopt new technologies also placed a greater reliance on third party service providers. Sometimes vendors are adopted in haste without proper contractual protection or risk management assessment exposing organisations to business interruption in the event third party suppliers are compromised.

Threat landscape

At the same time as business experience a growing burden on digital infrastructure, cybercriminals have seized the pandemic as an opportunity to feed off widespread vulnerability and emotion stemming from a global crisis.

While phishing is by no means a new threat vector for criminal organisations, the volume of such attempted attacks since the onset of the Covid-19 pandemic has been unprecedented.

A report by the NCSC (2020) found that a quarter of cyber incidents responded to across August 2019 – August 2020 involved criminals and hostile states exploiting the Covid-19 pandemic, while similar statistics issued by Google stated that almost a fifth of the 100 million phishing emails it blocked every day were about Covid-19. Staff falling for phishing attacks opens an organisation up to leaking sensitive data or to deploy malicious software, such as ransomware.

Covid-19 has also led to a heightened insider risk. Job security plummeted during the height of the pandemic across a number of industries and where firms may be forced to terminate staff or require employees to go on furlough or take reduced pay, the threat of malicious insiders grows. Meanwhile employees working from home, enforcing security and privacy policies becomes significantly more challenging. Staff may also become slow to report issues or breaches, potentially posing challenges with regulatory obligations at the same time.

Evolving risks

The pandemic has served as a catalyst for change for a number of businesses, in some cases even positively. Many businesses have reinvented them as a result of lockdowns, pivoting to online platforms or looking to focus more on e-commerce.

While this provides access greater access to more customers, it comes with an added data protection exposure as well as likely reliance on technology vendors. Managing these new and evolved risks at a time where resource constraints for some businesses have never been higher

How can the cyber insurance market be utilised to manage the changing risk landscape?

In the Government’s sixth annual cyber security breaches survey, published in March, 43% of respondents reported purchasing some form of cyber insurance, up from 32% in 2020.

While this highlights that there are still a large proportion of UK businesses currently uninsured for cyber risk, the report suggests that a growing number of organisations view cyber insurance as critical in providing not only financial support in the event of a breach, but also access to specialist skills and experience to deal with incidents.

However, partly because of pandemic-induced exposure but also general cyber loss trends, the cyber insurance market is currently undergoing challenging times. Significant increases in both frequency and severity of cyber incidents, predominantly ransomware attacks, have caused a rapid hardening of cyber insurance market conditions.

This trend was evident even prior to the pandemic but has accelerated over the past 12 months. As a result of the current market conditions, those looking to address pandemic-driven cyber exposures must tread carefully. Here we outline three key areas to look out for when dealing with the cyber market:

1. A more forensic underwriting approach. In light of the recent loss environment, insurers have taken a more stringent approach to risk selection and minimum standards of controls in place. Carriers are requiring insureds to produce more detailed underwriting information than previous years, with certain controls such as multifactor authentication and endpoint detection and response (EDR) expected for coverage to be given. Some insurers have also adopted arbitrary changes in appetite to certain industry classes, regardless of the quality of the individual risk. It is important to work with your broker to ensure you as a risk are presented appropriately to the market and not painted with a broad brush.
2. Consider your cyber insurance policy language. Unfortunately, no two cyber insurance wordings were created equally. Recent market conditions have prompted insurers to look further at managing their overall exposure in certain areas, namely around cyber extortion and outsource service provider coverage. Again, work with your broker to ensure your policy language is fit for your purpose, and don’t necessarily accept boiler plate terms. Also look to make sure that existing coverage adequately addresses any changes to your business practices implemented as a result of the pandemic, such as working from home, running a predominately 'online' business, or by outsourcing key business functionality. A typical cyber policy provides coverage for many of the areas of increased risk highlighted throughout this article, including malicious or negligent insiders, IT service provider failure as well as incident response support. The challenge, however, can be navigating the turbulent cyber market in good time to ensure you are purchasing appropriate cover at competitive terms.
3. Capitalise on risk management services offered by the cyber insurance market. Not only are insurers expecting a certain standard of controls across their portfolio, but in many cases actively providing risk management tools and services to help insureds manage cyber risk. Considering this when assessing your cyber insurer should form a key selection criterion.  In certain cases, insurers may be willing to provide a bursary to support risk management enhancements, or at the least access to preferential rates.

Tom Dryden
Partner in McGill and Partners’ Cyber team
Tom.Dryden@mcgillpartners.com

McGill and Partners is a boutique specialist (re)insurance broker focused on clients with complex and/or challenging needs. Launched in 2019, with significant backing from Warburg Pincus, McGill and Partners is headquartered in London and has an international presence in Ireland, New York and Miami. For more information visit https://www.mcgillpartners.com/

Editor’s note: Airmic’s next Harsh Market survey, seeking an insurance buyer’s perspective on insurance market conditions, will be sent out to Airmic members in mid-July and will focus on cyber risk and insurance.