March 24, 2021
8 Major Cyber Security Concerns in the Age of COVID-19
More employees working from home means more possibilities for cyber security breaches.
The Covid-19 pandemic has been a game changer for businesses. For some businesses, change may even have been beneficial, such as increased online sales or greater numbers of people working from home. But Covid-19 has also brought more digitization, and that has helped accelerate our cyber vulnerabilities, according to a new report by Allianz Insurance.
Despite the huge advances companies have made in cyber risk awareness in recent years, many businesses are still playing catch-up and often don’t realize how important their digital assets are until something happens. Here are eight major cyber security concerns to consider for your business.
- Covid-19 has heightened cyber risk vulnerability.
The largest work-from-home situation in history has given criminals new opportunities to exploit security vulnerabilities created by the pandemic. The rush to enable people to work from home has resulted in lowered or suspended IT security standards, putting cyber security under new levels of stress. According to research by cyber security firm Arceo, security practices when working remotely are unlikely to be as stringent as those at the office.
- Business interruption is the main cost driver in cyber claims.
Business interruption following a cyber incident has become a major concern. Whether because of ransomware, human error or a technical fault, the loss of critical systems or data can bring an organization to its knees in today’s digitalized economy, keeping it offline and unable to conduct business as usual.
- Ransomware is now the most prominent cyber-crime threat.
Ransomware attacks, already high in frequency, are becoming more damaging, increasingly targeting large companies with sophisticated assaults and hefty extortion demands. Five years ago, a typical ransomware demand would have been in the tens of thousands of dollars. Now they can be in the millions. The consequences of an attack can be crippling, especially for organizations that rely on data to provide products and services, but it can also create significant damage for others in the supply chain, such as critical infrastructure.
- Business email attacks are surging.
More people working from home means new opportunities for criminal activities. Prior to the pandemic, business email compromise (BEC) — or spoofing — incidents had already resulted in worldwide losses of at least $26bn since 2016, according to the FBI. Between May 2018 and July 2019, the number of incidents discovered worldwide doubled, with the average economic loss around $270,000.
- Data breaches are costing more money.
As IT systems and cyber events become more complex, and with the growth in cloud and third-party services, cyber loss costs are rising. Regulation is also a key factor driving cost, as is growing third-party liability and the prospect of class action litigation. So-called mega data breaches (involving more than one million records) are more frequent and expensive. In July 2019, Capital One was hit by one of the largest ever breaches in the banking sector with approximately 100 million customers in the US impacted — more than 30% of the population. As a result, it was fined $80mn by the US bank regulator. Yet this breach is by no means the largest in recent years.
- Regulatory costs for data breaches are increasing.
Data protection and privacy regulation is getting stricter, having long been an important driver of cyber losses and insurance purchasing anyway. The first such law was introduced in California in 2002, while Alabama became the 50th state to enact a breach notification law in 2018.
- Class action litigation is a developing threat.
Many large data breaches today spark regulatory actions, but they can also trigger litigation from consumers, business partners and investors. Legal expenses can add substantially to the cost. Several large data breaches have triggered class actions by consumers or investors — in July 2019, Equifax reached a $700mn settlement for its 2017 mega breach. US courts have been battling the questions of “legal standing” — whether claimants have the right to sue — but the trend appears to be favoring plaintiffs. Statutory and regulatory changes could also facilitate compensation for data breaches. The California Consumer Privacy Act, for example, provides a mechanism for consumers to sue businesses and — in a first for the US — sets statutory damages for data breaches.
- Nation states are sponsoring attacks.
The involvement of nation states in cyberattacks is an increasing risk for companies, which are being targeted for intellectual property or by groups intent on causing disruption or physical damage. Major events like elections and Covid-19 present significant opportunities. Google said it had to block over 11,000 government-sponsored potential cyber-attacks per quarter in 2020, ranging from phishing campaigns to less common distributed denial of service attacks. Recent years have seen critical infrastructure such as ports and terminals and oil and gas installations hit by cyber-attacks and ransomware campaigns. Sophisticated attack techniques and malware may also be filtering down to cyber criminals while nation state involvement is providing increased funding to hackers. Even where companies are not directly targeted, state-backed cyber-attacks can cause collateral damage, as seen with the NotPetya malware attack.
In another recent report, S&P Global Ratings noted businesses are becoming increasingly wary of these problems and as a result, “investment in cyber risk management, including cyber insurance coverage, is rising.”