Like IT security staffs everywhere, the guardians of data and network security at large research universities and life sciences companies are stretched by the risks created by their suddenly-remote work environments. The coronavirus pandemic has spawned an additional risk for the organizations most likely to be seeking preventative vaccines or curative medications: cyber espionage aimed at appropriating data generated by the organizations’ research. 

The head of the FBI’s Cyber Readiness, Outreach, and Intelligence Branch has said that both criminals and state-sponsored hackers have made concerted efforts to obtain proprietary research data on COVID-19 vaccine research. Other government officials and legislators have made similar statements.

Top cyber insurers are aware of efforts to hack into research universities thought to be exploring potential COVID-19 vaccines. Insurers are expected to refine their underwriting analysis for organizations considered to be at risk for those kinds of cyberattacks, which could include pharmaceutical companies as well as universities. See Gallagher’s 2020 Cyber Market Conditions Report for information about the current cyber insurance marketplace and claim frequency in various industries.

In Gallagher’s recent webinars and papers about the COVID-19 pandemic, we have emphasized that the principal cyber risks organizations face in the current environment are primarily heightened or intensified versions of the risks they have already faced in varying degrees. Accordingly, many of the defenses against those risks are already part of their security arsenal -- and which now may have greater value and impact than before.

The Center for Internet Security as well as the FBI offer several steps that potential targets of vaccine-related cyberattacks should consider to reduce their exposure:
  1. Categorize data based on organizational value, and implement physical and logical separation of networks and data for different organizational units. For example, sensitive research or business data should not reside on the same server and network segment as an organization’s email environment.*
  2. Perform network segmentation according to organizational functionality and apply access controls between trust zones.**
  3. Implement the least privilege for file, directory, and network share permissions. If a user only needs to read specific files, they should not have write-access to those files, directories, or shares. Configure access controls with least privilege in mind.*
  4. Adhere to the principal of least privilege, ensuring that users have the minimum level of access required to accomplish their duties. Limit administrative credentials to designated administrators.**
  5. Review any vendor accounts and their associated passwords to ensure they have been changed from their default settings.**
  6. If remote access for the user account is required by a third-party vendor, consider developing a process that keeps the user account disabled until access is needed.**
  7. Use multifactor authentication for access to user accounts.
  8. Implement application whitelisting. Only allow systems to execute programs known and permitted by security policy.*
  9. Ensure all user accounts fall under, and adhere to, acceptable policies associated with password aging, password complexity and account lockout.** 

* FBI Ransomware PSA I-100219-PSA dated October 2, 2019 -- (

**The Center for Internet Security®: Security Primer – Ransomware (

Gallagher provides insurance, risk management and consultation services for our clients.  When providing analysis and recommendations regarding potential insurance coverage, potential claims and/or operational strategy in response to national emergencies (including health crises), we do so from an insurance/risk management perspective, and offer general information about risk mitigation, loss control strategy and potential claim exposures.  Any statement or information provided is for informational purposes only and is not intended to be, nor should it be interpreted as, medical, legal or client-specific risk management advice. The general insurance descriptions and other information contained herein does not include complete insurance policy definitions, terms and conditions and should not be relied on for coverage interpretation.  Policy-specific terms and conditions dictate whether coverage applies to any particular risk or circumstance, and this information in no way reflects or promises individual client or policy-specific insurance coverage outcomes. 

Gallagher publications may contain links to non-Gallagher websites that are created and controlled by other organizations.  Gallagher claims no responsibility for or endorsement of the content of any linked website, as we have no responsibility for information referenced in material owned and controlled by other parties. 

Gallagher strongly encourages you to review any separate terms of use and privacy policies governing use of these third-party websites and resources. Insurance brokerage and related services to be provided by Arthur J. Gallagher Risk Management Services, Inc. (License No. 0D69293) and/or its affiliate Arthur J. Gallagher & Co. Insurance Brokers of California, Inc. (License No. 0726293).