AS IF BUSINESSES didn’t have enough to worry about, online scammers have started sending out malicious e-mails to organizations about coronavirus that appear to be from business partners or public institutions. The criminals send these to rank and file employees in the hope that at least one of them will click on a link or attachment in the e-mail, which unleashes malware or tries to trick them into wiring money for supplies purportedly to protect the organization’s workers.

The number of malicious e-mails mentioning the coronavirus has increased significantly since the end of January, according to cybersecurity firm Proofpoint Inc. The company noted that this wasn’t the first time they had seen such widespread cyber attacks associated with some type of disaster. But because this is global in nature, it decided to track the new threat. This practice of launching cyber attacks that are centered around global news and outbreaks (like the current COVID-19 coronavirus) isn’t anything new. Cybercriminals have long employed these tactics to take advantage of users’ desires to keep as up to date with any new information as possible or to evoke powerful emotions (like fear) in the hope that their sentiments will get the better of them and they will not pause to check for the legitimacy of these e-mails.

The cybercriminals are using the public’s ignorance about coronavirus, as well as the conflicting claims of how to protect against it, to lure people into clicking on their malicious links or get them to wire money. Because people are afraid, their guards may be down and they may not be as careful about identifying the e-mail as dangerous.

Some real-life examples

• Japanese workers were targeted in January and February with e-mails that looked like they came from local hospitals. The messages even included legitimate contact information for key personnel. The e-mails were focused on employees of various companies and came in a message that would look like it’s a reply to something or a warning that people are getting from the government. But when they clicked, it was malware. E-mails were sent to companies in the transportation sector that looked like they came from an employee of the World Health Organization.
They included the WHO logo and instructions about how to monitor crews aboard ships for coronavirus symptoms, and they included an attachment with instructions. This phishing e-mail attack was
intended to lure individuals into providing sensitive data, such as personally identifiable information and passwords.
• Companies in the US and Australia have been receiving malicious e-mails that use a display name of “Dr. Li Wei” and are titled “CORONA-VIRUS AFFECTED COMPANY STAFF.”

What you can do

All that it takes to break into your business is a cleverly worded e-mail message. If scammers can trick one person in your company into clicking on a malicious link, they can gain access
to your data. It’s important to train your staff to identify suspicious e-mails. They should avoid clicking links in e-mails that:
• Are not addressed to them by name, have poor English, or omit personal details that a legitimate sender would include.
• Are from businesses they are not expecting to hear from.
• Ask you to download any files.
• Take you to a landing page or website that does not have the legitimate URL of the company the e-mail is purporting to be sent from.
• Include attachments purportedly with advice for what to do. Do not open them even if they come from relatives or friends.

WITH THE current isolation orders for most workers in California, many companies have had to scramble to put systems in place to allow their employees to telecommute. Many businesses are not set up for having employees work from home, and they have legitimate concerns about productivity and communications. But there are steps you can take to make sure that you keep your employees engaged and on task.

1. Make sure they have the right technology

If you don’t already have one, you may want to consider setting up a company VPN so your employees can access their work e-mail and databases. You will also need to decide if you are going
to provide them with a company laptop, and you need to make sure that they have an internet connection that is fast enough to handle their workload. Also provide an infrastructure for them to be able to work together on files. If they are not sensitive company documents, they can use Dropbox or Google Documents, which allow sharing between co-workers.

2. Provide clear instructions

It’s important that you provide clear instructions to remote workers. Some people do not perform well without direct oversight and human interaction. Without that factor, you will need to spell out your expectations and the parameters of the projects they are working on in detail. Make it clear that if they are confused or unsure about any part of the work, they should contact a supervisor for clarification. If you can eliminate misunderstandings, then your workers can be more efficient.

3. Schedule regular check-ins

To hold your employees accountable for being on the clock, schedule calls or virtual meetings at regular intervals. Even instant messaging works. During these meetings they can update their
superiors on their work. This also helps with productivity, since there are consequences for failing to meet expectations and coming to the meeting empty-handed. Their supervisors should be working when they are, so they can be in regular communication.

4. Keep employees engaged

One of the hardest parts of working from home is the feelings of isolation and detachment from colleagues. It’s important that you build in interactive time for your workers. One way to do that is by using a chat program like Slack, Hangouts or WhatsApp (which has a group chat function). For remote workers, these programs are a blessing because they make it easy to keep in touch with their colleagues in and out of the office – and they level the playing field, so to speak, by making distance a non-issue.

5. Cyber protection

With employees working from home, you also increase your cyber risk exposure, especially if they are using a company computer that is tapped into your firm’s database or cloud. Teach them cyber security best practices, such as:
• Not clicking on links in e-mails from unknown senders.
• Making sure their systems have the latest security updates.
• Backing up their data daily.
• Training them on how to detect phishing, ransomware
and malware scams, especially new ones that try to take advantage of people’s fears about COVID-19.

Small and mid-sized businesses are increasingly bearing the burden of cyber threats, as criminals are betting they do not have the resources in place to mount a strong defense. A severe attack on a small company can incapacitate its ability to do business, and the expenses of getting operations back on track – coupled with loss of goodwill – can easily force a firm into bankruptcy.
Unfortunately, with more data breaches hitting the news, one of the main concerns that executives have is if their insurance will cover the costs of recovering from an attack.

If you are running a small or mid-sized company, do not underestimate the growing threat to your business. Your chief priorities should be protecting against the threat and having proper insurance coverage in place.

TOP REASONS FOR CYBER LOSSES

• Malicious breaches resulting in data losses: 52%
• Unintentional data disclosure by staff: 16%
• Physical loss or theft of data: 13%
• Network or website disruptions: 5%
• Phishing, spoofing and social engineering: 5%
• Other: 9%
Source: Advisen and Nationwide Insurance Co.

Insurance concerns

One of the chief concerns for executives is any overlap or gaps between their property, liability, crime and cyber policies when it comes to covering the costs of recovering from an attack, according to a report by insurance news website Advisen and Nationwide Insurance. Some companies feel they don’t need cyber coverage because they believe their property and liability policies will cover any related losses.

EXECUTIVES’ INSURANCE WORRIES

• 95% of respondents named data breach as the number-one risk they expect to be covered by a cyber insurance policy.
• 94.5% said they expect cyber-related business interruption to be covered by a cyber policy.
• 89% said they expect their cyber policy to cover ransom demands.
• 36% said they have cyber-related property damage/bodily injury coverage under another policy, reflecting the belief that some coverage for cyber-related losses can be found under traditional policies.
• 60% of respondents said they are concerned about perceived gaps and overlaps in their insurance coverage.
• 53% of respondents said coverage for funds-transfer losses should be found under the crime policy, but also stated they would like to be able to recover under both crime and cyber policies – or have separate policies with higher limits.

The takeaway

Since cyber insurance is a new and evolving product, all policies do not cover the same thing. That’s why it’s important to weigh your choices carefully and consult with us. While the cyber threat grows, more insurers are changing language in their property and liability policies to limit coverage of cyber events. Because of the high costs associated with a data loss, more
executives want to see higher limits for business interruption coverage on their cyber stand-alone policies.

This market demand may drive insurers to refine their cyber insurance policies, including increasing cyber-related business interruption limits, according to the Advisen report. To find the best coverage for your business, please talk to us. We can help you evaluate your risks and coverages and identify any gaps by looking at your existing policies.

As the full threat of hacking and cyber attacks takes old, cyber insurance policies are evolving so that the primary focus is on business interruption coverage. When these policies first hit the market, they were mostly focused on covering the costs of notifying individuals whose personal data or credit card information may have been exposed, and of any regulatory penalties and other compliance costs.

But many companies, when hacked, suffer far more damage to their operations, including websites or important systems being rendered unusable. The larger danger to companies seems to be system failures resulting from a variety of novel attacks, including;

• Denial of service
• Brute force (an attack aimed at obtaining passwords)
• Malware or malicious code
• Ransomware
• Backdoor attacks
• Social engineering.

Business interruption policies have been around for a while, but they have typically focused on disruptions caused by supply chain issues and natural catastrophes that render businesses unable to operate. Often these interruptions can last for weeks or even months. The downtime for a business that’s been hit by a cyberattack is usually much shorter – a few days to a few weeks at the most.

Also, property policies or traditional business interruption policies have not extended property loss or  damage to electronic data, as data is not considered a physical or tangible object subject to loss or damage. Damage is triggered by a direct physical loss or damage.

Meanwhile, business interruption in a cyber policy is triggered by an electronic event such as a cyber attack, or hacking.  For cyber business interruption coverage to be triggered, there must usually be a direct link between a cyber attack and the interruption of business or a loss of sales. For example:

• Criminals destroy data or alter a website’s or database’s code in order to freeze or render the computer system or website unusable
• A denial-of-service attack renders a website inaccessible to customers and users.

A business interruption claim would not be triggered, however, if a hacker gained access to your database and rooted around for important company information and operations were not hampered and there was no loss of revenue.

Typical cyber business interruption provisions

• The policy will include a maximum payout for business interruption claims. This caps the payout under the policy. The cap may apply to each individual event or it may be an annual limit.
• Policies may include a separate deductible for business interruption claims.
• Policies may include a specific waiting period of hours or days before kicking in to pay a claim. If the event causes losses or a disruption that lasts less than the waiting period, the claim could likely not be paid.
• Policies usually will only pay for business interruption during the period that the company restores its systems.
• Coverage usually includes a number of exceptions, like not covering third party liability, fines and penalties and the costs of restoring a network.
• Most policies include exclusions as well, like loss of market or damage to computer systems caused by fire or other physical events that were not related to a cyber attack.

As CYBER scams and hacker attacks grow, the insurance industry has been frantically trying to keep up in providing appropriate coverage for these events. Hacks, viruses, ransomware and exposure of sensitive personal information of your customers or employees, and any resulting regulatory implications, are often covered by cyber liability insurance. But what about the recent trend of criminals spoofing a company executive’s e-mail address, posing as them and ordering accounts payable to cut a check and send it to the fraudsters?

Well, two firms suffered similar incidents, but different federal appeals courts issued opposite opinions – one saying that a crime insurance policy covered the event, while the other court said it didn’t. The fact that two courts came out with two different rulings illustrates how many traditional and even cyber policies are slow to keep up with evolving hi-tech threats to businesses. The devil is always in the details, so read your policies and discuss your concerns with us.

The number of business e-mail compromise scams quadrupled in 2017, and losses averaged $352,000 per business and topped out at $3 million, according to an analysis of insurer Beazley’s clients. The FBI says these schemes are one of the fastest-growing cybercrimes.

Court case one: Covered

Employees of Medidata, a clinical-trial software firm, wired $4.7 million for what they thought was for an acquisition by their employer. They were sent a series of fraudulent e-mails that they thought were from their company president and the firm’s outside lawyer.

The company didn’t have a cyber insurance policy, but it had an executive protection policy, which had a crime section that included coverage for computer fraud, funds transfer fraud and
forgery. The insurer rejected the claim and the firm sued in federal court. The lower court ruled in favor of the insurer, but upon appeal, the federal appeals court ruled that the policy did in fact cover the loss.

The insurer argued the policy applies to only hacking-type intrusions. The appeals court found that while no hacking occurred, fraudsters inserted spoofing code into the firm’s e-mail system, which the court said is part of the computer system. The court held that the insurer must pay under the computer fraud portion of its policy.

Court case two: Not covered

A federal district court found no crime policy coverage after a Michigan tool and die firm wired $800,000 in funds to a fraudster’s account in the belief the account belonged to one of its vendors. The insurer faulted the company for not verifying the bank account with the vendor. The district court agreed with the insurer that the loss was not a “direct loss” caused by the “use of a computer,” and thus the crime policy did not apply.

The takeaway

Computer fraud is evolving rapidly, so it’s important that you talk to us about the types of fraud that appear in the news. We will work with you to ensure that your coverage is forward-looking and covering more than just threats from last year. We can also discuss with you how computer fraud coverage interacts with other types of cybercrime policies.