“I’d be talking to your insurance provider to find out what’s covered and not covered in the world as it is today,” Chip says. “For instance, I don’t think many companies were considering a pandemic in their top five business risks.”
“Similarly, we have to think about how we now are even more dependent on our computing resources than we have ever been.”
“In a lot of businesses, a ransomware attack might bring things down, but you were still able to communicate because you could just walk office to office. We can’t do that anymore.”
“So, I think it changes the business impact equation, and I think people have to look at that in terms of what’s covered and not covered.”
“I have no idea what’s going to happen when every company who has been impacted by the coronavirus puts in a business interruption claim. And if you had a cyber attack that’s also related, is that a cyber issue or a coronavirus issue? There’s a lot of uncertainty on how exactly that’s going to play out.”
The major change to risk factors comes from employees working at home, Chip says. Some implications he sees:
Chip says, “The most important thing in the FAIR approach, and the most important thing a company can do right now, is to figure out exactly what are the most critical vulnerabilities to the business--not to the technology, but to the business--and how do you address those vulnerabilities.
“In particular, one of the greatest values of FAIR is that a lot of times the best cybersecurity action is not an action for the cybersecurity staff but for other parts of the organization. For example, changing privileges of who can see what or moving data from one server to another or even changing contract language with a supplier. FAIR reveals those things that won’t be revealed just doing a technical evaluation.
“FAIR will also tell you that you may have a major risk that’s of low likelihood, but the impact could put you out of business. That’s what insurance is there for.
“So, review the risks and see if there are things you want to add to your policy or at least check with your insurance company, to see if those critical areas are covered.”