Insurers need to consider the hybrid workforce and employees using personal devices when reviewing a cyber risk, a managing general agent says.
“Multi-factor authentication is critical as… employees access work email and networks remotely, sometimes even through a web application on a personal device that is a non-corporate sanction,” says Danion Beckford, a professional liability underwriter with MGA Burns & Wilcox Canada. “It is crucial for companies and insurers to address these topics up front when considering the purchase of cyber insurance or when reviewing a risk.”
Many companies employ a hybrid work model, with staff working both at home and in the office to avoid the spread of COVID-19. Consequently, communication between senior management and staff is more important than ever.
“With employees working in various places, cybercriminals will attempt to pounce on the uninformed,” Beckford says. “Ransomware attacks have seen an increase year-over-year. All it takes is one employee to open a malicious email to get the ball rolling.”
Organizations should also emphasize protecting their technology and their network, Beckford says. Strategies should be in place for how staff can handle malicious emails and how to report the information. Organizations should install patches for critical and high security information.
Beckford made his comments in response to a question from Canadian Underwriter about how ransomware plays into the hybrid workforce and the increasing shift to at least partial remote work, and how this changes the risk profile.
System back-ups are a crucial element when underwriters are reviewing a risk. They help to ensure information has been protected elsewhere and the organization can continue its operations in the event of a cyber breach resulting in a ransom, Beckford adds. Underwriters should verify that back-ups are encrypted and on a separate network or offline.
Lindsey Nelson, cyber development leader at CFC Underwriting, says the industry has had numerous conversations around the presumed direct correlation between COVID, a hybrid workforce, and cyber risk. In fact, she says, cyber claims have been increasing for years, even before COVID. “What COVID and the increasing shift to remote work have done is increase businesses’ awareness that they have a cyber exposure.”
For the insurance industry, the lesson learned is that asking for multi-factor authentication, or any other single security control, is not going to solve the ransomware dilemma. Cyber insurers ultimately have to adapt and be as dynamic as the cyber claims landscape.
“It’s really going to take a collection of security controls and basic minimum guidelines that we need clients to take on board as a measure of risk transfer, so we can futureproof against loss and the new attack vectors that come up,” Nelson says.
For the cyber insurance market, the dilemma is that demand remains at an all-time high while capacity is significantly reduced and much more difficult to obtain.
“One thing is clear,” says Nelson. “In order to have any longevity and stability as a class of business, cyber insurance needs to quickly evolve to act as a proactive service rather than a reactive incident response policy.”