The COVID-19 pandemic has greatly accelerated the use of technology at work, and the risk of cyberattacks has grown exponentially. Katharine Hall, senior VP, cyber practice leader with Aon, and Hugh Wright, partner with McInnes Cooper, discussed the risks and how to mitigate them at our recent virtual conference, Today’s Legal and Legislative Landscape Across Canada.
When a huge portion of the population suddenly started working remotely, the lines between work and home life became blurred. People got used to being online and clicking all the time—whether it was answering work emails or buying groceries, Hall explained. “What it really did was create an environment in which the threat actors, who were looking at cybersecurity, had all kinds of opportunity.”
Many employers weren’t prepared for that shift. According to Aon’s 2021 Cyber Security Risk report, less than half (40%) of organizations say they have adequate remote work strategies to manage the risks, and just 17% feel they have adequate security measures in place to match the pace of their digital evolution.
The Business of Ransomware
From a risk standpoint, “what’s moved to the head of the class is ransomware, and you see it everywhere,” said Hall. Data from the Coveware Ransomware Market Report shows there was a 336% increase in ransomware claims in Q4 2020 versus Q1 2019 and a 148% spike in ransomware attacks tied to COVID-19, costing businesses an estimated $20 billion USD.
Ransomware attacks are becoming increasingly more organized, targeted and expensive. The average ransom payment is now 10% to 20% of an organization’s revenue in the previous year, she noted. And it’s become a big business: some large ransomware organizations even have customer service lines allowing you to rate your negotiator when the ransomware attack is over, Hall added.
Managing the Risks of Cyberattacks
When it comes to data breaches, it’s really a question of when, not if, said Wright, noting that about eight in ten organizations faced at least one cyberattack in 2019-2020. In fact, more data records were stolen in 2020 than in the previous 15 years combined, he added.
What actions can employers and plan sponsors take to manage the risks? Wright explained there are three main approaches:
- Risk reduction through cyber-resiliency—including data breach prevention and response;
- Risk transfer through purchasing cyber insurance; and
- Risk allocation through service provider contracts—including language on how your providers collect and use personal information, compliance with applicable laws (e.g., privacy laws), incident reporting, and liability limits and indemnities.
The reality is, your organization may be exposed to risks without even knowing it. “Ultimately, you’re really only as secure as your service providers, and your service providers are really only as secure as their service providers,” Wright noted. “So you really do need to focus on your supply chain.”
Key Steps to Improve Your Cybersecurity
Hall advised employers and plan sponsors to take the time to clearly understand their cyber exposure, know what cyber insurance coverage they have (if any), and ensure staff are appropriately trained on cyberattacks and what to look for. Wright added that knowing what your vendors are doing—or not doing—to mitigate cybersecurity risks is vital. “If you don’t understand it, they didn’t explain it.”
And it can’t be a one-off: managing cyber risk needs to be an ongoing process. “Because the environment is continuously changing, your response to that has to be continuously changing,” Hall concluded.
[Related Reading: Five Strategies to Help Thwart Ransomware Attacks on Your Plans and Trusts]
Alyssa Hodder
Director, Education and Outreach – Canada
The latest from Word on Benefits:
- New Mental Health Parity Guidance: More Clarity, But More Compliance Obligations
- Legal & Legislative Reporter: Medical Provider May Not Bring Claim on Behalf of Participants and Beneficiaries
- Five Steps to Nurture Belonging in the Workplace
- Navigating Uncertainty
- DOL Guidance on Mental Health Parity: Proposed Rules for NQTL Comparative Analyses
