COVID-19 Implications for Cyber Risk

Untitled

While COVID-19 mitigation efforts justifiably focus on humanitarian concerns, businesses in the financial and insurance industries may not be aware of the associated cyber-risk implications of dealing with the COVID-19. There is bad news and good news from a cyber risk perspective.

The bad news is that we can expect the expansion of corporate cyber risk exposure to mirror the spread of COVID-19 across global geographic sectors. As businesses adopt work-from-home policies, a resulting consequence will likely be an increase in the number of potential targets available for exploitation by cyber adversaries. Just as natural disasters breed scammers who seek to take advantage of a vulnerable population, the COVID-19 crisis promises to unveil its own stresses on our IT infrastructure and resultant brand of opportunistic cybercriminals.

The good news is that the anticipated threats and vulnerabilities are largely knowable, preventable, and defensible.

While hard numbers associated with the frequency, distribution, and severity of cyber risk related to a remote or displaced workforce are premature, we have concisely laid out the main cyber risk factors that organizations should consider, recommendations for reducing risk exposure, and a sampling of the analytic capabilities that Guidewire Cyence can bring to bear in quantifying organizational and aggregated cyber risk exposures and effects.

Please see our white paper for more details.

Cyber Risk Factors In the wake of COVID-19, business exposure to cyber risk can result from an ill-prepared migration of the workforce to remote operations, where employees are accessing internal corporate networks from outside the core corporate infrastructure.

The following factors increase risk exposure:

  • Insufficient IT infrastructure capacity and expertise

  • Inadequate data governance and enterprise risk management

  • Inadequate security strategy, architecture, and controls

  • Ineffective enforcement of remote work policies with technical and administrative controls

Threat Vectors and Vulnerabilities

Given the risk factors related to a remote workforce, the frequency of threats—such as social engineering, spam, spear phishing, and denial-of-service attacks—are likely to increase. A particular threat’s severity level is a function of how well companies can implement countermeasures and establish resiliency measures.

Recommendations, Implications, and Analytics

Resources are available to guide businesses in bolstering the confidentiality, availability, and integrity of their business data and systems in a remote workforce regime.[1] Similar to the basic hygiene recommendations for addressing COVID-19, businesses should consider fundamental cyber hygiene to assess and reduce remote workforce cyber risk exposure.

Although the impact of COVID-19 on supply chains and global economies is not yet fully understood, we should anticipate the second-order effects on business cyber risk to follow the attack patterns and susceptibilities mentioned here. In the present context of a large-scale, distributed remote workforce, the novel characteristics are the scale and speed with which these threats can present themselves.

In a best-case scenario, where a company’s IT division has proactively reduced its risk factors, a business can still be exposed to cyber threats that target its less-prepared supply chains, such as labor, service, and product providers.

None of these anticipated exposures poses unprecedented implications for the transfer of risk via cyber insurance from the standpoint of established coverages, such as data breach, liability, network interruption, and extortion. Other non-affirmative lines of business that may be affected include property, financial, and general liability lines.

A notable secondary effect of COVID-19 is cyber risk accumulation. Companies across industries are more reliant on information and telecommunication infrastructures. As we gain efficiencies from internet-enabled platforms and software, we increase dependencies and aggregate risk potential. The result is an increase in frequency and magnitude of cascading and systemic harm.

The key to reducing cyber exposure lies in understanding the nature, scope, and projected impact of the cyber risk. For insurers, this is essential to defining segments and tailoring price, determining bad risks, understanding risk exposure across a portfolio, and determining the degree of claims automation.

Guidewire Cyence data collection, analytics, and data science capabilities can help stakeholders diagnose, quantify, forecast, and remedy these cyber risks. For example, using empirical data and measurement-based analytics, we can identify business risk aggregation paths based on network dependencies in cases where a service suffers outages or disruptions.

Although our current response to COVID-19 has transitioned from prevention to mitigation, we still have a window of opportunity to prevent and manage its secondary effects on cyber risk exposure. As the biological reality of coronavirus is demonstrating, testing for indicators of risk is the key to understanding and responding to the frequency, distribution, and severity of exposure. When it comes to the empirical reality of cyber risk exposure, Guidewire Cyence can test for cyber risk. Our domain expertise, client-informed capabilities, and data analytics platform can provide unique perspectives and insights to bridge the disconnect in the interpretation of risk exposure for the financial and insurance industries.

[1] https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-114r1.pdf; https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-46r2.pdf