The Voice - Winter 2020 - 34

INDUSTRY

COVID-19 and Cyber Security Attacks

*E
 mployees' email passwords use Multi-Factor Authentication
Since the beginning of COVD-19, insurance companies are noticing
(MFA) and regularly expire. Longer passwords with a combination
an increase in the following types of losses associated with cyber
of randomized numbers, letters and symbols are promoted, and
security attacks:
different passwords are recommended to be used for different
* Losses stemming from ransomware attacks;
accounts;
* Funds transfer losses; and
* Upgraded firewall and anti-virus program was installed on
* Losses due to business email compromise.
employees' laptops and mobile devices; and
With ransomware attacks, a cyber criminal could freeze the
* Cyber security awareness training was provided. Employees
network system, delete and/or encrypt important data, and then
continue to be the greatest line of defence against cyber security
attacks, therefore ensuring employees understand how to detect
demand payment in exchange for the compromised data. In this
phishing emails, where to store confidential and sensitive data,
case, the cyber criminal could use various phishing techniques to
as well as, what steps to take if a cyber security attack occurs, is
gain access to the company's data. For instance, the cyber criminal
critical.
could send an email disguised as an email from a co-worker wherein
the cyber criminal would ask the recipient to open a malicious
This list is non-exhaustive as we continuously work on
weblink. Once the weblink is open, the cyber criminal would
improving our cyber security protocols and procedures, and we
get access to the employee's data, which then could be used for
recommend other companies to take a similar approach.
extortion purposes. With funds transfer fraud, the cyber criminal
would also impersonate a co-worker
Mitigation
either through an email or voicemail and
Even with all cyber security protocols in
request that funds be transferred to a
place, cyber attacks happen and employers
certain account. Lastly, if an employee's
should have a plan in place for business
Significant costs as a result
password is not robust and if the same
continuity and to mitigate damages.
password is used for multiple accounts,
Companies can do so by purchasing cyber
of cyber security attacks
cyber criminals could gain access to all
security insurance through an insurance
can be expected due to
accounts by just accessing one password.
broker such as BMS Canada Risk Services
Ltd. (BMS), a partner of OSPE that works
the
business
impact
of
Good Practices
closely with Corestone Law. BMS works
Professional services firms such as
diagnosing and responding with a market leading Lloyd's of London
accounting, dentists and law firms hold
insurer which provides a Cyber insurance
to cyber security attacks
personal identifiable information (PII),
product that helps to manage a cyber
critical intellectual property (CIP), and
security breach from start to finish. Once a
and working to get teams
sensitive data about their clients, making
breach occurs, the insured business is able
them especially attractive for cyber
to contact the insurer's 24-hour breach
back up and running
criminals and engineering companies are
response hotline. A breach response team
afterwards.
member is then assigned to assist with the
very similar. As COVID-19 commenced,
at Corestone Law, we started operating
next steps. Coverage is provided for the
remotely due to the health considerations
following: cyber extortion, data protection
of our employees and clients. We
loss, business interruption loss, regulatory
implemented the following measures:
defence and penalties, etc.
* Data is backed up to a cloud. If a ransomware attack happens, the
It is no longer a question of whether a cyber security attack
data will not be lost and downtime would be far less;
will happen, but when it will happen. Companies should have a
* Data is also stored on a server that is accessed through a VPN
proactive plan in place. If you have questions about your current
(Virtual Private Network). VPN encrypts data, making it
cyber security insurance coverage or would like to consult with
unreadable for someone who tries to intercept it;
a broker to identify the appropriate cyber security insurance
solution for your professional and/or business needs, you may
* If employees try to use an unsecured public Wi-Fi network, there
is a two-step verification protocol. When an employee attempts to
wish to contact BMS directly at ospe.insurance@bmsgroup.com.
If you have any legal questions, please contact Corestone Law
log in, he or she will receive a text message on the personal phone
at info@corestone.ca.
with credentials that this employee would then have to enter;

34

THE VOICE Winter 2021
The Voice - Winter 2020

Table of Contents for the Digital Edition of The Voice - Winter 2020
