COVID-19 Toolkit: Cyber risks and exposures amid COVID-19
The measures taken in Australia and other countries to control the spread of the Novel Coronavirus (COVID-19) have been unprecedented in modern times. The fallout from those measures on individuals, businesses and industries has been and will continue to be unprecedented.
As businesses and individuals do their very best to rapidly adapt and transform how they operate, they face significantly greater cyber exposures. Seasoned cyber criminals have not hesitated to leverage the upheaval for their own nefarious purposes and will target the already stretched healthcare sector. As a result, we expect to see an increase in the number of cyber security related incidents and claims, both directly under cyber policies as well as under technology, professional indemnity and potentially D&O policies.
This guide presents the ramifications on cyber exposures for businesses, individuals and insurers, attack trends, steps businesses can take to mitigate their risk and how we can assist.
New exposures and risks to consider
- As businesses and individuals adapt to survive in these unprecedented times with limited time and resources, the steps they take may expose them to significant cyber risks;
- The rapid deployment of mass remote working systems is exposing many businesses to systems and policy risks to an extent they would not have previously faced;
- A flow-on from the steps taken by businesses, be it rapid mass remote working, downsizing, or ‘hibernation’, is an even greater risk faced by all businesses from third party providers;
- Cyber criminals and state sponsored attackers have adapted their tools and attacks to exploit the fear, interest and exposures generated by COVID-19;
- The healthcare sector, already a popular target, is now an even bigger target given the media focus it is currently receiving and the volume of sensitive data with which it deals multiplies.
Responses and how we can assist
- Businesses must adopt tried and true measures, including ensuring basic security measures are implemented, enabling multi factor authentication, limiting use of personal devices where possible and ensuring staff and stakeholders are educated in cyber security practices and practice company policies designed to mitigate cyber risk;
- Insurers will need to be ready for an uptick in cyber related claims, and not just under cyber policies, due to the impact of COVID-19 on society;
- We provide a range of services to assist insurers and businesses minimise the damage caused by a cyber incident, from helping businesses improve cyber compliance and resilience via contract and company policy reviews, to managing an incident and dealing with privacy and notification obligations, to advising on and defending third-party claims arising from incidents.
Rapid business transition to remote working
Many businesses have attempted to rapidly transition to mass remote working arrangements. While they may have had pre-existing remote working structures, very few businesses would have been prepared to scale those structures for their entire or a significant part of their workforce. This will almost certainly lead to shortcuts and oversights that often come with rapid deployment.
To survive, businesses have been forced to rapidly implement additional systems and capacity to facilitate a mass remote work place set up regardless of whether proper cyber security measures have been set up and tested on those additional systems. Businesses will need to be wary of security vulnerabilities that may have been introduced as a result.
Leaving aside business-endorsed or approved hardware, it is inevitable due to time and financial constraints that many businesses, as part of their remote working arrangements, will be relying on their workforce utilising personal devices as endpoints to connect to business systems. Personal devices pose a significant risk for businesses as they are rarely as secure as business systems, can be difficult to monitor and secure for a variety of reasons and so generally are easier to compromise. A compromised endpoint logged into a company’s otherwise secure systems can provide attackers significant access to those systems.
In addition to ensuring systems adopted in a remote working structure are secure, businesses will need to ensure internal policies designed to address or limit exposures to cyber security risks continue to be adhered to and followed by the workforce.
This can be more challenging for businesses to monitor and enforce than systems security, particularly parts of policies that are designed to moderate human interactions or require multiple parties to cross check processes (for example, payment authorisations or the transmission and confirmation of instructions).
Employers no longer have the luxury of monitoring the majority of workforce interaction within office environments, which in turn may increase the vectors by which cyber incidents occur if policies do not continue to be adhered to.
Third party exposures
A flow on from the risks arising from not only the rapid mass remote working structures by many businesses, but also from the downsizing, ‘hibernation’ or shutdown of other businesses, is an increase in the risk posed by third party providers. Businesses who have reduced their operating workforce or temporarily suspended operations entirely are less likely to be as vigilant in monitoring unusual activity across their systems.
Given the far-reaching impact of the current crisis, it is very likely that most third party providers will fall within one of the above descriptions. The risks posed by third party providers was well known before the crisis emerged and business responses to the crisis simply heighten those concerns.
For example, in mid to late February 2020, General Electric (GE) was subjected to a data breach that arose from the compromise of a Canon employee’s email account, which involved the personal information of current and former GE employees as well as their beneficiaries. There is significantly greater scope for similar incidents to occur as well as other potentially more damaging incidents triggered by third party providers, of which there are many examples.
Attackers are looking to make the most of the upheaval caused by the pandemic and will use all traditional attack methods.
However, phishing scams and malware attacks continue to be notoriously effective and attackers have taken little time to launch a significant volume of COVID-19 related phishing and malware attacks. The attacks have successfully preyed on the general interest and fear across communities and the desire for more information and ‘answers’. Attacks are being deployed not just via websites, emails and other internet platforms (such as social media and collaboration platforms), but also via text messages, with multiple text scams being identified.
The Australian Competition and Consumer Commission’s (ACCC) Scamwatch reported that there have been 94 reports of different COVID-19 related scams between 1 January 2020 and 20 March 2020. The Australian Cyber Security Centre (ACSC) has also been releasing regular threat updates on COVID-19 malicious cyber activity, the latest of which (as at 8 April 2020) states that between 10 and 26 March 2020, the ACSC received over 45 incident reports related to COVID-19 themed scam and phishing activity. These numbers represent only reported incidents and are undoubtedly just the tip of the iceberg.
Numerous malicious websites now exist purporting to sell COVID-19 related products or information which then obtain sensitive final information and/or distribute malware. Popular COVID-19 information sources, such as the Johns Hopkins University COVID-19 interactive dashboard, have been used maliciously as a front to spread malware. The ACSC has released information on COVID-19 text messages scams, which include a link purporting to detail testing information but instead link to a malware designed to steal banking details. An update from the ACCC dated 6 April 2020 has identified that scammers are now engaging in superannuation scams targeting individuals financially impacted by COVID-19.
There are also indications that state-sponsored hackers are taking advantage of the upheaval caused by COVID-19 to launch attack campaigns, from countries including Russia, North Korea and China.
Separately, there are growing concerns around the security of collaboration platforms that have grown in popularity since the implementation of lockdown measures as people look for new ways to remain connected. Data security and privacy issues within Zoom have been of particular focus, which suggest the platform could be yet another vector by which a cyber incident could occur.
The scope of attacks are far reaching with varying objectives that include the monitoring and complete hijacking of impacted systems. The historically demonstrated effectiveness of phishing and malware attacks combined with the shift towards a mostly remote workforce poses a significant cyber threat to all individuals and businesses.
Healthcare an even greater target
The healthcare sector, a heavily targeted industry at the best of times, is now an even greater target. The sheer volume of sensitive information the healthcare sector already has, and will yet need to handle as its resources are stretched to respond to the crisis, will be a prime target for some attackers. Other attackers will look to maximise the publicity to be gained from successfully impacting a healthcare provider during these times.
Although a number of criminal cybercrime organisations have indicated they will not target medical and healthcare facilities, there have still been attacks against these organisations.
Incidents targeting the healthcare sector have been reported in numerous countries, including the Czech Republic, France, Spain, Thailand and the United States. This includes attacks on a Czech Hospital and a medical research centre, a London based medical research company, French Hospitals, the US Health and Human Services Department and multiple reported attacks on or involving the World Health Organisation (WHO). The WHO reported a two-fold increase in cyber-attacks in March 2020 alone.
All businesses in or that work with the healthcare sector must be extremely vigilant, as a successful attack may not only result in financial losses but also the loss of human lives.
How businesses can protect themselves
Whilst important to understand the possible threats and risks that businesses and employees face, it is far more important for businesses to be aware of the steps they can take to protect themselves.
- ensure that staff and stakeholders are informed of and educated in cyber security practices, such as detecting socially-engineered messages;
- ensure basic security principles, including regular software updates, strong password protocols, firewalls and properly implemented functioning backup procedures are maintained;
- implement multi-factor authentication for remote access systems and resources (including cloud services);
- where possible, issue company-approved devices for employees to access company resources.;
- ensure work devices, such as laptops and mobile phones, any remote desktop clients and all devices used to access company resources are secure and regularly updated;
- ensure policies and procedures designed to mitigate cyber risks are in place and are being complied with;
- review business continuity plans and procedures.
Unsurprisingly, these recommendations are similar to measures recommended for businesses to mitigate cyber exposures well before the COVID-19 pandemic occurred.
Implications for insurance claims
The cyber exposures that arise from the sudden and significant change in the way businesses and people are currently operating will impact the claims made under insurance policies.
While perhaps not immediate, we expect the matters we have identified will cause an influx in claims arising from cyber incidents. This includes not just claims directly under cyber policies for cyber incidents, but also claims made under:
- technology policies, including from allegations that products rapidly deployed were not fit for purpose or negligently installed and facilitated a cyber incident;
- professional indemnity policies arising from allegations that advisors breached duties of care owed to keep systems and information reasonably secure to mitigate damage from cyber incidents; and
- potentially, D&O policies on account of actions and class actions against companies and directors arising from steps taken to transition work practices without ensuring adequate cyber security measures were first put in place.
Our team and no doubt all insurers will be keeping a careful watch on claims trends that emerge as the world works through the COVID-19 pandemic.
How we can assist
Gilchrist Connell’s Cyber team has assisted insurers and insureds on all legal aspects of cyber risk and cyber incidents to minimise the damage and help businesses recover as quickly as possible.
We provide a range of services across the cyber risk life cycle. These include:
- helping businesses improve their cyber compliance and resilience via contract and company policy reviews;
- managing a cyber incident and dealing with privacy and notification obligations;
- responding to complaints or queries;
- assessing loss arising from an incident;
- considering and preparing for long tail risks from contractual obligations and third parties.
We have considerable experience advising on and defending third-party claims arising from cyber incidents and deliver a responsive and practically-geared service. Our team is committed to providing clear guidance for insurers and businesses that are concerned about their cyber exposures, including the likely impacts of COVID-19.
We acknowledge Jeremy Bilski’s assistance in preparing this guide.