“Cybercriminals are developing and boosting their attacks at an alarming pace, exploiting the fear and uncertainty caused by the unstable social and economic situation created by COVID-19.” Those were the words of INTERPOL’s secretary general Jürgen Stock discussing a recent review by the intergovernmental organisation into the impact of COVID-19 on cybercrime.
Find out more: Learn everything you need to know about Cyberscout here
The report found that, since the start of the pandemic, criminals have been taking advantage of the increased security vulnerabilities of organisations and businesses to steal data and cause disruption. Discussing this impact, Tom Spier (pictured), commercial director, global markets, at Cyberscout noted that, for many small businesses, the level of uncertainty which has shrouded the crisis has had a knock-on effect on their exposure to misinformation.
“A big issue for small businesses now is the coronavirus assistance that the government are providing,” he said. “Not to be critical of the government but this information has not been the clearest in terms of how the claims process is going to be administered, or what to expect. So, criminals and hackers and thieves are taking advantage of that in a big way and are lulling people into a false sense of security and extracting information from them. And, it’s going to be relatively easy to extract money in that situation as well.”
Spier said he hopes that the COVID crisis has increased awareness within businesses and individuals of the need to adopt cyber security services and to improve their own understanding of cyber risk. Cyberscout has certainly seen an uptick in the amount of interest in its services, he said, and a number of companies have moved rapidly from the exploration phase of engaging Cyberscout to the development phase during the pandemic.
“Thankfully, these companies are asking for our help, our advice and our experience when they need it during the launching of their programmes,” he said. “About 80% of the inquiries that we get in at the moment are connected to private lines/personal lines solutions so that’s definitely a hot button area from our experience right now, and one that perhaps wasn’t there so much before.”
Brand new product development in the cyber space is a good thing, Spier noted, but there also exists a need for a constant cycle of product updates and product refreshes as cyber risk is continually evolving. It’s incredibly difficult to keep a product relevant, he said, but this is made easier in the UK by a regulatory environment which is designed to encourage innovation and the evolution of cyber services.
“Here in the UK, they don’t do as the Americans do, and say ‘you need to go to each state regulator and file your underwriting criteria and your wording and have those approved,” he explained. “And, by the way, you can’t change them for one or two or even three years.’ Our regulations allow products to evolve as the risks evolve and that’s better for the British public and British businesses.
“It’s a more efficient way of doing things but insurers just aren’t using [that efficiency]. They’re producing cyber insurance policies that are five or six years old and which address very well the cyber risks of five or six years ago, but haven’t kept pace with today. Or they’ve tried to keep pace by adding a section here or there and, in some cases, they’ve tried to retrofit additional areas of cover. And so, these sort of Frankenstein policies have emerged that are not fit for purpose.”
The answer, Spier stated, is for insurers to embrace an evolutionary product development lifecycle wherein, two years after a product launch, they are looking at the next refresh opportunity. This will mean bringing back in the people who built that initial insurance policy, evaluating the type of claims the insurer has been seeing and, most importantly, evaluating the types of incidents their client base has been suffering from.
“A lot of these [incidents] are going to be resolved without costing money or without resulting in claims so you need to look at it on an incident level and say, OK, is our programme best placed to respond to those incidents, to those risks that people are facing today?’ And if you have a regular reflective period, every two or three years with those people that helped you build your initial programme, then you’re always going to be serving your customer base pretty well.”