Why companies need to be extra vigilant about IT security during COVID-19

As more and more people work from home, fraudsters and others have spotted an opportunity to see if they can dupe company employees into transferring money to a bank account set up by the fraudsters or get company employees to reveal information which fraudsters can subsequently use to profit.

Recent news includes:

• Beazley is reporting that it has seen a 25 percent spike in clients being hit by ransomware in the first quarter of 2020 compared to last year.
• Honda is tackling a suspected ransomware incident.
• EasyJet revealed that hackers have accessed the travel details of 9 million customers.

Many IT directors at companies will now be looking again at internal IT systems and security. Companies and IT directors may also be thinking about insurance so as to mitigate the impact of any cyber security breaches.

What is a cyberattack?

Many cyberattacks occur because of ‘phishing’ emails, which are a scam designed to extract sensitive information from recipients. A phishing email will often ask you to fill in your details to, for example, prevent spurious transactions and claim tax rebates, or send money to a bank account where the email seems to come from someone you know and where the bank account details have changed. According to a recent study, 69% of participating respondents said they’d received phishing emails within the last year.

Why should businesses be concerned?

Cyber risks are increasing at a rapid rate, due to our growing dependence on data and digital automation. The headlines over the past year have amassed a significant amount of attention towards these problems. This is hardly surprising, considering the recent Mactavish report highlighting that 43% of respondents had suffered from a cyberattack in the two years prior to the report.

One of our most recent cases involved an individual customer of our client getting duped by a phishing email that looked like it had been sent from the client. This resulted in the customer sending hundreds of thousands of pounds to a fraudster’s bank account. The individual customer then claimed against our client for the money he had lost, but our client was completely unaware that this transaction had occurred and that their customer had been duped by the fraudster’s phishing email.

As our client had not received any money from the individual customer, we managed to resolve the case successfully. Many companies don’t purchase cybersecurity insurance due to reasons such as uncertainty over the cover and mistrust in the potential pay-out. Nevertheless, businesses should consider cyber insurance, but should be aware of the caveats and exclusions that may apply.

Does cybersecurity insurance protect against all cyber risks?

Cybersecurity insurance does provide some comfort but does not provide the silver-bullet answer to all cyber issues that businesses might be hoping for.

The Mactavish Cyber Risk and Insurance Report tells us why this is the case, pointing to 8 common flaws in some cyber insurance policies, which are, in summary:

1. Cover for issues caused by accidental errors or omissions may be excluded.
2. Data breach costs may be limited to, for example, only costs that the business is strictly legally required to incur (as opposed to much greater costs which would be incurred in practice).
3. Systems interruption cover may be limited to only the brief period of actual network interruption, and not for the period after IT systems are restored but the business is still disrupted.
4. Cover for systems delivered by outsourced service providers is often limited or excluded.
5. There may be exclusions for software in development or systems being rolled out.
6. There may be exclusions where contractors cause issues (e.g. a data breach) but the business is legally responsible.
7. There may be complex and onerous notification requirements.
8. There may be no freedom for a business to choose its IT, PR or legal specialists as the policy only covers insurer-appointed advisors.

How to mitigate against cyber risks

Despite some of the limitations to cybersecurity insurance, there are a number of courses of action your business can take to help prepare for a security breach:

• Think about a bespoke insurance policy: when seeking cybersecurity insurance, firstly understand exactly the risks that could be facing your organisation. This will help you secure a more tailored, bespoke policy that will meet your specific requirements.
• Make a data breach plan: in essence, a data breach plan will contain information on who to contact, what to do and what should happen next (i.e. in terms of business operations and how to communicate the incident to the public, regulators, solicitors, etc.).
• Communication: if you already have a data breach plan, then communicate it to your employees. A large portion of employees won’t even know a plan even exists, which will seriously undermine efforts to recover effectively.
• Training: given that 70% of data breaches occur because of human error, hold cybersecurity training for your employees. This could be a highly effective preventative measure.

Conclusion

Cyber risks are something that large businesses as well as SMEs should be taking seriously now, particularly because of the impact and consequences of COVID-19. For more information, please contact Jimmy Desai.