As an attorney in the United States, head of cyber at Travelers Europe, Davis Kessler (pictured), was working on litigating coverage disputes, mainly on crime policies, when he saw that an increased number of those claims were computer related. This prompted his natural transition into the cyber world, he said, and when Travelers first put together its UK cyber offering, which launched in 2018, he was asked to lead the business’s European cyber underwriting line-up.
The UK cyber market is widely understood to be behind the US in terms of penetration and cyber purchasing rates, he said, but he has noted that uptake is increasing rapidly, and that the gap is closing rapidly. The role of cyber insurance policies throughout the world has never been under quite so much pressure or scrutiny as it has been during the coronavirus (COVID-19) outbreak with increased numbers of employees working from home, and, speaking with Insurance Business, Kessler highlighted how cyber exposure has been impacted by this development.
“Even before the COVID-19 pandemic occurred,” he said, “one of the things that we, as underwriters, would look at when we’re examining a submission, was if it would apply to working from home or remote working. Just to put it bluntly, remote working increases cyber exposure.”
Though he highlighted that he is not an information security expert, Kessler has a good working comprehension of the security mechanisms which increase cyber exposure and said that, when staff remove themselves from the protection of a business’s network, they must be extremely considerate of the resulting cyber risks. From the use of a VPN to multi-factor authentication for staff accessing web-based email, there are several added protections that can be implemented to protect against phishing attacks, he said.
These are all things considered before the occurrence of COVID-19, Kessler said, but now that companies have been forced to send workers home unexpectedly and quite rapidly, many firms have found that they simply are not ready for this implementation.
“You have to keep working,” he said. “And these companies need to keep conducting business and they need their employees to work - but if they’re not ready, they’re really exposing themselves to these increased potential risks.”
Employees may be using non-corporate email services which will not afford them the same level of protection as internal networks, he said, or they may simply be connecting to the internet via a less secure wireless connection, and these factors can lead to exposures which would not be an issue in the traditional workplace. Employees also still need to share files with each other to get business done, he said, and if not done securely it can lead to an increased number of breaches.
The National Cyber Security Centre (NCSC) in the UK, the FBI in the US and other international security organizations have highlighted an uptick in cybercrime activity. With the increased strain on IT systems, the weakened security infrastructure of most remote working setups and the increased activity of cyber criminals using the pandemic to their advantage, this crisis is something of a perfect storm for cybercrime.
Kessler paid tribute to the IT department at Travelers who, he stated, are doing an outstanding job at handling the situation as it develops but noted that at many organizations these departments have been completely overwhelmed. Firms need to have a clear demarcation between a traditional IT role and an IT security role, he said, as many men and women working in IT departments globally are currently being severely over-worked. With so many IT team members burning the candle at both ends, he said, the question is whether these individuals are going to be able to effectively respond when a breach occurs.
For companies in the thick of the current crisis, Kessler said, there is the need to continually adapt to the new reality of doing business. Unfortunately, it is difficult for many companies to implement the actual hardware infrastructure required unless they have done so already, he said, but this is not to say that there is nothing that businesses can do to protect themselves at this time.
Kessler pointed to the advisory material published to assist businesses when it comes to such matters, particularly a guide released by the NCSC which outlines the approach organizations should be taking when implementing remote working and several high-level guides that Travelers has made available to its insureds. Much of the advice available to businesses showcases simple procedural changes which don’t necessarily involve the purchase of new hardware or software solutions, he said, and companies should also be taking this opportunity to think about what they can do for future situations.
The benefits of being prepared for an event such as the coronavirus are being felt by businesses, Kessler noted, highlighting that Travelers’ preparations have allowed the business to adjust to its new environment. He outlined how firms which do not make the right preparations, particularly when it comes to cyber security, run the risk of not being in business when the next outage occurs.
“The firms that do the right things and have the right protections and have employees that are mindful of these areas can really get a leg up versus their competition,” he said. “If I’m a consumer, or I’m looking for a business-to-business partner, and there’s two or three firms offering the same thing, but one of them stands out from a cybersecurity or privacy protection standpoint then I’m going to go with that company every day of the week. So, it’s not just avoiding disaster, it’s about how you set yourself apart from your competitors.”