Managing the Ever-Changing Cyber Risk Landscape
In just a few months, COVID-19 has fundamentally reshaped the business and risk landscape, and cyber risk is no exception. The following will touch on the “what” and “why” of that change and provide insight on mitigating risk.
What a difference a pandemic makes
When we closely examine how business practices are adjusting to and pivoting around a crisis that seemingly changes daily, we notice a strained and disproportionate economic impact across both nation-states and industry sectors. Unfortunately, there is no clear end in sight due to the uncertainty around treatment, vaccines, and a potential second wave. Entire industries (such as hospitality and transportation, for example) could be forever altered or will alternatively have even lengthier recovery periods based on the nature of their services, customer base, and the scale of resultant disruption.
This uncertainty also increases cyber risk. At a high-level, organizations are racing to re-engineer existing business processes that have been in place for years. If hastily made, these changes – while necessary – may result in introducing new or unknown cyber vulnerabilities. An example of this is how we are seeing remote work accelerating both automation and migration to the cloud. Such increased dependency may result in more damaging data breaches or business interruption outages, due to greater data storage concentration and increasing service digitalization. Remote work may also result in a higher propensity for human error, as many employees deal with the challenges posed by the necessity of blending work, child care, and personal time. Hence, there is an increased risk that sensitive or proprietary information may not be properly safeguarded.
Why you should be concerned
As workers are furloughed or newly hired in connection with changing business needs, the loss of employee knowledge, remote onboarding and new employee training, and virtual-only colleague and client interfacing increases the human capital aspect of cyber risk. Greater utilization and dependency on e-commerce is another accelerating trend that may increase organizational cyber risk as companies collect payment card information and rely more heavily on seamless connectivity in order to process transactions.
Threat actors take advantage of these challenges. Consider the increased volume of phishing and malware attempts observed thus far by Google.1 And Microsoft researchers separately noticed a discernible uptick in ransomware attacks last month.2 For ransomware specifically, it’s plausible that cyber criminals are opportunistically banking on the fact that when stressed companies are impacted by a cyber incident, they may be even more willing to pay a ransom to get back to “normal” than before the COVID-19 crisis. Based on recent discussions with leading cyber insurance carriers, this increased threat activity has not yet led to a correlating larger volume of claims, although that could change in the coming months.
Despite these changes and threat activity concerns, businesses will have a greater opportunity to better manage cyber risk post-COVID-19. For example, in response to supply chain challenges, businesses may be incentivized to identify and engage alternative suppliers. This could limit certain aspects of contingent business interruption loss moving forward with respect to cyber incidents. Despite the evidence that pharmaceutical and other companies conducting medical research in the race for a vaccine are being targeted by nation-state cyber espionage efforts3, an elevated risk environment may increase industry-wide threat information sharing, as well as efforts within organizations to appropriately tier, classify, and limit internal access to sensitive data.
What you can do to mitigate the risk
Companies that don’t already have cyber insurance should consider purchasing it, as it may be an essential component of a post-COVID-19 cyber risk management strategy. In addition to helping minimize the financial impact of a cyber event, cyber insurance can help enhance awareness and resiliency through quantification tools, in-depth risk discussions and related preparedness, and by providing access to experienced technical, legal, and other experienced professionals who can assist with responding to and recovering from a damaging cyber event. These benefits were apparent pre-COVID-19, and with the dramatic uptick in remote work, digital dependency, and the evolving threat environment, cyber insurance can help manage a risk that is more complex than ever.
We believe cyber security is critical. Interested in guidance on how to optimally manager your cyber risk? Call M&T Insurance today at 1-800-716-8314.
This article is for informational purposes only and is not intended as an offer or solicitation for the sale of any financial product or service. It is not designed or intended to provide financial, tax, legal, investment, accounting, or other professional advice since such advice always requires consideration of individual circumstances. Please consult with the professionals of your choice to discuss your situation.
MTIA is a wholly owned subsidiary of M&T Bank.
Insurance Products offered are: Not FDIC insured; Not a deposit in, obligation of, nor insured by any federal government agency; Not guaranteed or underwritten by the bank; Not a condition to the provisions or terms of any banking service or activity
Insurance products are offered by M&T Insurance Agency, Inc., not by M&T Bank. Insurance policies are obligations of the insurers that issue the policies.