From Zoom to doom: the new cyber risks

At the start of 2020, most of us hadn’t used Zoom. In fact, most of us had probably never heard of it. Now, Zoom and a whole host of other digital communication tools have become the norm, in both our work and personal lives.

The mushrooming of digital interactions since the COVID-19 crisis hit has brought with it a dark side – an increased vulnerability to cyber risks. And society may simply not be prepared for this heightened exposure.

At home, at risk

In some parts of the world people are easing back into workplaces, but the swing of the working week remains fundamentally different. The home ‘office’ is still the norm for many – with all its potentially insecure communication platforms.

Many companies still haven’t got the basics right in this new way of working. Simple things, such as policies on printing confidential documents from the home office, may have slipped under the radar. In many cases the impetus to update them appears to be lacking. Society's perception of cyber risk – just like how it viewed the chances of a pandemic before this outbreak – remains abstract. It’s just something that “might happen” someday.

This has given attackers a window – and they have been grabbing the opportunity. They have played on people’s fear and need for information, for example with COVID-19 phishing emails. In the first quarter of 2020 alone, around 16,000 new coronavirus-related domains were registered. And they are far more likely to be malicious than other types of domain.

The new shape of cyber insurance

The cyber insurance market in 2020 stands at around USD 5.5 billion, according to Swiss Re estimates. This is still a relatively small amount when compared to more established insurance lines.

The market is growing year-on-year – but there is still a lack of risk awareness that is limiting its expansion. Small- and medium-sized enterprises (SMEs) and individuals generally tend to be less savvy than larger businesses about the risk that cyber presents.

This lack of awareness persists despite a raft of cyber insurance products emerging in response to highly publicised data breaches. Part of the problem is that these attacks were on large, newsworthy corporations. In our view this has created a false sense of security for smaller companies, which are also prone to extortion and business interruption following ransomware attacks. Being caught out has become both more common and more costly.

Going into the COVID-19 crisis, not all organisations had robust business continuity plans. Some were able to operate with only minor hitches from day one. Others were left scrambling to set up remote access for employees and having to rethink the technologies they used.

The health services sector, in particular, has been targeted by bad actors seizing an opportunity amid the disruption. The World Health Organisation (WHO) reported back in April that it was seeing a dramatic increase in the number of cyber attacks directed at its staff, as well as email scams targeting the public more generally. Compared to pre-coronavirus times, WHO saw a five-fold increase in attacks.

Although it is too early to translate this COVID-19 opportunism into a rise in cyber insurance claims, it is likely to have an impact.

The tools for cyber resilience

At Swiss Re, we have built a series of modular solutions to support our reinsurance clients in bringing cyber insurance products to market. Clients can bolt together modules including product design and wordings, risk assessment, costing, claims handling, service providers and – last but not least – risk transfer.

For the policyholder, cyber insurance is a key element of a broader risk management approach. It’s not just about transferring some of the financial risk to an insurance company. It usually also includes, for example, an emergency response service with a specialised IT forensics provider to help piece together how an attack may have occurred, and what needs to be done to overcome the incident.

Cyber insurance is, however, not a replacement for sound cyber risk management practices. Good cyber hygiene starts with simple measures such as backing up data regularly, keeping software up to date and conducting regular employee training.

Cyber insurance – a necessity not a luxury

As sound cyber risk management becomes part of the cost of doing business, buying cyber insurance is moving from extraordinary to normal. Cyber insurance is no longer likely to be viewed as unnecessary and too expensive; instead it is becoming an integral part of the cyber risk management approach. The dynamics are simple: businesses are becoming increasingly digital and so the shift away from bricks-and-mortar risks to digital risks will only accelerate.

The annual growth of the cyber insurance market already stands at around 20-30%. We see this continuing at sustained levels.

The current crisis could also serve as a catalyst for risk awareness among SMEs, resulting in mass market adoption of cyber insurance. Alongside this, private households are becoming more aware of their exposure – and the insurance products available to protect them.

Reporting resilience

Hand in hand with this growing awareness, there is a growing expectation from customers and partners that the companies they interact with take all the necessary steps to limit their cyber risks.

Just as there has been a growing number of companies reporting on environmental, social and governance (ESG) issues in recent years, there are increasingly loud calls for cyber resilience reporting to follow suit. It is against this backdrop that we have recently published a white paper – Cyber Resilience “ESG” Reporting.

Reporting won’t solve the problem on its own – but it would help in a number of ways. It would open up the floor for better conversations about security and resilience within companies. It would increase the focus on cyber resilience in companies. And it would foster cultures of greater security and resilience.

And that is a strong base to build on.