
Cyber in the times of Covid-19: the cybercrime triad.

by Insuralex / Friday, 15 May 2020 / Published in Belzuz Abogados Spain, News + Articles

ABSTRACT:

The exceptional situation that the world is living in the light of the COVID-19 pandemic has come with an increase in the exposure of companies and public institutions to cyber-attacks. Taking preventive (ex ante) and repair (ex post) measures is the key to a proper response to the cyber-risk, mitigating the potential harm of an inevitably vulnerable system.

BODY:

COVID-19 is testing not only the strength of our national system but also the whole welfare state and the social market economy that supports it. From social services, through food supply chains, spare-parts logistics and equipment assets, to the education sector, the entertainment industry and information, the severe crisis produced by COVID-19 is set to change the model of goods and services production within a European Union that is still striving, with its own contradictions, to overcome the brutal crisis opened by Brexit.

Indeed, within the cyber framework, the impact of COVID-19 has quickly shown its effects. Several international indicators highlight a significant rise in cyber-attacks on critical public and private infrastructures.

In these times of emergency, judging by the kinds of cyber-attack detected, the cybercrime triad may be outlined as: ransomware, phishing and fake news.

The main type of cyber-attack is ransomware. As we already stated in “Cyber-risk and cyber-insurance (II): silent cyber, an ongoing revolution?” (March 2020), ransomware is software that aims to “take data hostage”; given the rising dependency of companies and public administrations on digital facilities (working from home, virtual meetings, social media…), the possibility of depriving public and private stakeholders of access to devices, media, databases or information sources may have a devastating effect.

Cybercriminals exploit the most vulnerable parts of the system to carry out their attacks. In this regard, one of the most vulnerable points of companies and public administrations is precisely their staff. Ransomware needs an action by a human operator in order to deploy its potential harm. In times of COVID-19, cybercriminals use users’ fears and insecurities about digital systems as a vulnerability open to attack.

Thus, in our publication of March 2020, we analysed the operating mechanism of NotPetya: the simple malware required the user to click in order to open an email, after which it immediately encrypted files and demanded, in return for unlocking them, a ransom in cryptocurrency. In other words, ransomware always requires an individual’s participation: downloading an application, viewing a file, opening an email…

In the exceptional situation we are living through, two elements combine to make it the perfect time to carry out a cybercrime of these characteristics: (i) companies and public administrations are overexposed to risk because, under the compulsory lockdown, they can only provide services via digital infrastructures, and (ii) there is an atmosphere of fear and social anxiety around the spread of COVID-19 that multiplies the system’s vulnerability.

Searching for information about preventing COVID-19, acquiring health products such as masks or sanitizer, checking potential treatments for the infection or looking for activities to do during lockdown are sociologically understandable behaviours, but they become a focus of cyber-risk if the appropriate measures are not adopted.

Given the severity of the crisis created by COVID-19, some cybercriminal organisations such as DoppelPaymer or Maze have announced a “ceasefire” on health institutions, guaranteeing them access to a free decryptor in the event that their data are taken hostage after a ransomware attack. Despite this promise of “non-aggression”, we should highlight that (i) there is no consensus in an uncertain and fluid community such as that of cybercrime and (ii) there is no commitment to preventing the most likely “collateral damage” that this kind of cyber-attack produces, as we have analysed in previous articles. The hazard of ransomware is, therefore, a current topic.

Another front in the cyber-attacks is phishing, which works on parameters similar to those of ransomware. Through phishing, the user’s vulnerability is used to obtain personal data such as identification numbers, bank account numbers, passwords or other confidential information. Phishing attacks come from supposedly official accounts (usually via email) in order to earn the trust of the user, so that they enter their data believing the request to be genuine and secure.

Thus, during the crisis brought by COVID-19, phishing attacks have been uncovered that use the profiles of public organisations, health centres and private organisations, pretending to offer purchase options for health products (masks, gloves…), drugs or pseudo-treatments or, simply, asking the user to update contact data held by banks or public administrations (access keys to digital profiles, keys for purchase authorisation…).

When the user enters the data requested by the supposedly trustworthy body, whether public or private, the cybercriminal takes them in order to authorise payments, transfers or operations through identity theft.

Finally, the third element of the cybercrime triad is fake news (misinformation), which in some cases may bring companies and organisations into disrepute. Insurance policies for cyber-risks usually include “reputation risk” coverage: consulting fees, image-restoration campaigns, etc.

What can we do against the cybercrime triad? The guidelines that we suggest are simple and widely known:

  • Guarantee a secure digital infrastructure equipped with the necessary technical resources.
  • Guarantee that the users of the digital infrastructures are sufficiently aware, educated and trained in preventing cyber-risks: use of official channels, use of double-check systems, measures of “digital hygiene”…
  • Inform employees/users that there is a significant rise in cyber-attacks of different types and recommend the use of double-check systems before downloading emails/files.
  • Report the loss/theft of devices.
  • Keep work from home on secure channels: avoid the use of personal media by employees and guarantee that an active protection system against potential cyber-attacks is in place.
  • Assess the response to a cyber-attack in advance and articulate a system to restore losses and/or damages.

In times of overexposure to cyber-risk, it is recommended not only to take preventive measures (ex ante measures) but also to take measures addressed to resolving the negative consequences for the company/organisation (mitigation/repair measures, ex post).

From an insurance perspective, the response to the implications that a cyber-attack may have for a company’s business, its image or its staff must be properly assessed and articulated in order to be able to prevent the potentially damaging consequences of cyber-risk.

The increase in the system’s vulnerability must be taken as an opportunity to improve and update our digital infrastructure, but it is also the right time to start giving cyber-insurance greater importance, being aware of the importance of “digital hygiene” and of the key role users play in building a secure environment for an expanding cyber-universe.


AUTHOR: Ian Pérez López. Lawyer. Insurance Law Department, BELZUZ ABOGADOS, S.L.P.

https://www.linkedin.com/in/ianperezlopez/
