COVID-19 is changing the cyber landscape and insurers must adjust quickly

“Now’s the time to make sure you’re doing everything you can to make sure your environment is secure.” Jon Laux, Aon

The global COVID-19 pandemic has created many new opportunities for cyber criminals, while also exposing new vulnerabilities in systems. Re/insurers must be aware of these changes and increased uncertainty and adjust to new norms if they are to continue to underwrite this risk profitably.

That was the core message of a white paper by CyberCube, the leader in cyber risk analytics for the insurance industry, and broker Aon, called “Pandemic under the microscope: a focus on the cyber risk impacts of working from home”, and published in July this year.

The report suggested that although data from the period February to June 2020 suggest that the COVID-19 pandemic did not present notable new classes of cyber attacks, or create major system outages or data breaches, it did expose new access points for cyber criminals to gain access to systems, exploit distracted individuals and potentially wreak havoc through new essential infrastructures.

All this presents the insurers and reinsurers ultimately on the hook for claims stemming from such events with real challenges around how they identify, quantify, mitigate or transfer these new risks in a period of such fast-paced change and uncertainty.

“The changing dynamics that now exist in the areas of home-working, online retail and use of cloud computing (to name just three) have changed for the longer term in our view and this, in turn, is creating a new landscape of cyber risk.

“The insurance markets need to be mindful of these changes and the businesses and individuals that they serve must adjust to risk management approaches in line with the new norms that exist and will continue to evolve for years to come,” the report states in its conclusion.

New vulnerabilities
In a video discussing the report, Darren Thomson, head of cybersecurity strategy for CyberCube, suggested that very soon after lockdown there was an uptick of some 30 percent on average across almost every category of security risk from spam to phishing to general malware.

“We would normally expect an increase of 15-ish percent. So clearly the pandemic was having an effect. Part of that was because non-cyber criminals are starting to become cyber criminals. They were locked down as well, so they were finding other avenues for their criminal activity,” he said.

Thomson said that as home working and the use of cloud applications become the norm, security vulnerabilities were uncovered.
“They probably would have been uncovered eventually anyway, but an extra few million users will do that to an application. There’s a plus and a minus there.

“Short term, that was bad. People got scared. Those applications over time, though, will become better and more robust applications because they’ve been stressed,” he added.

He said that criminals started to take advantage at a tactical level of some of the exposures associated with home working. Low security passwords, on end-user devices and network routers, quickly became the biggest vulnerability.

A lack of patching operating systems also became more of a problem than it normally is, because less patching was happening at home.
“There are all kinds of tactical, technical implications to home working, which we’re still working through,” Thomson said.

Industry implications
Jon Laux, head of cyber analytics reinsurance solutions for Aon, corroborated the increase in cyber attacks. He said that the use of ransomware has escalated in terms of the frequency, but also the severity of attacks. In the fourth quarter of 2019 and the first quarter of 2020 there were attacks up some three times or more on previous quarters, for example.

Laux said the implications of this for insurers are significant especially against a backdrop of increasing losses before the pandemic. In data for the full year of 2019, the industry loss ratio went up about 10 loss ratio points, at least in the US, he noted.

“Coming into 2020, insurers were grappling with what do we do about that. While 2019 was largely the story of starting to become aware and looking for ways to mitigate that attack, we’ve started to see that translate into market conditions changing.

“Insurers have been taking stock of their capacity deployment, their attachment point, and probably most importantly, their rates,” Laux said.
He added that rates have been hardening as a result increasing 5 percent to 15 percent.

“COVID-19 has been fuel on the fire, accelerating some of that concern and caution on the part of insurers as they’ve been responding to some of the impact to the asset side of their balance sheets, as well as some of the additional risk they’re feeling on the liability side,” he added.

These trends point to the start of a new norm for many businesses. Laux suggests that many companies will now be taking a look back at what they’ve done thus far around home working to ensure that they are following best practices, as far as security configuration and architecture goes.

“Many of the organisations Aon works with have been finding that rapid deployments were necessary, but that security vulnerabilities were introduced in the process.

“This is a good time to go back and harden the perimeters as well as one can, because it seems this is a situation we’re going to be dealing with for a while.

“Now’s the time to make sure you’re doing everything you can to make sure your environment is secure,” he said.

Thomson agreed, arguing that there will be new norms in terms of IT usage, security, behaviours and vulnerabilities.

“At the individual level, I think we can safely assume that more people globally are going to be working from home than ever before, following the pandemic.

“Organisations are finding that productivity levels in many cases have actually gone up. We can expect this to continue, and again, governance and best practices need to be revised as a result,” he concluded.

A copy of the report “Pandemic Under the Microscope” can be found on CyberCube’s website

To see a video discussing the key findings of the report please click here