Tackling cyber vulnerability: know your exposures and how to protect against them
No company is immune from the rising risks surrounding cyber security and manufacturers now find themselves in the unenviable position of being the second most hacked industry, according to IBM’s latest intelligence index. In fact, manufacturers are facing a ‘perfect storm’ of cyber risk susceptibility, with this heightened risk of attack compounded by an increased vulnerability flowing from their own readiness to adopt new technology, which has seen the convergence of industrial control systems with ‘hackable’ enterprise systems.
To exacerbate things further, coverage for many of manufacturers’ most prevalent and potentially catastrophic risks is typically excluded from general liability and property insurance policies, leaving companies badly exposed. While tailored coverage can now be sourced through specialists, manufacturers must first understand their greatest areas of vulnerability in order to address these through a combination of risk management measures and effective risk transfer to protect their balance sheets.
The manufacturing sector has long been a leader in embracing technological advances and has become increasingly connected as a result, revolutionising user-machine interaction and the way in which systems communicate with one another. While this enhanced connectivity offers tremendous potential – faster production times, improved supply chain management, increased efficiency and accuracy of output – it is simultaneously increasing manufacturer vulnerability to cyber-attack.
Cyber criminals come in a variety of forms and their motives vary. One of the most underestimated threats to manufacturers is rogue employees, whether disillusioned with their employer or falling victim to blackmail. Yet the industry faces threats from traditional malicious actors too, such as hackers for hire funded by nation states, terrorist groups or rival corporations in their quest to secure highly valuable intangible assets – notably intellectual property – which often causes the greatest concern.
However, the potential for extensive physical damage and thus injury to those on site is also very real. Take the example of a blast furnace at a steel mill in Germany, which suffered a severe attack in 2014. A report by Germany’s Federal Office for Information Security revealed that hackers took control of the mill’s industrial control systems through hacking its enterprise systems. The unauthorised party was in control of almost all of the facility’s control systems and prevented employees from shutting down a blast furnace, causing irreparable damage to expensive equipment. This hack is thought to have been carried out by, or with the help of, a rogue employee.
An event as catastrophic as that of the German blast furnace serves to highlight the exposures of increased connectivity throughout the manufacturing industry. As the sector becomes more technologically advanced, the possibility of such an attack becomes ever more likely. It also highlights the shortfall in the preparedness of the industry; the Industrial Internet of Things has changed the risk landscape and it falls to manufacturers to ensure they are prepared for every eventuality.
Part of being prepared is investing in a fully comprehensive insurance solution. However, the most common risks facing manufacturers are rarely covered in standard insurance or even cyber-specific policies. The risks for which coverage gaps exist – when the loss is triggered by a cyber event – can broadly be divided into five categories:
- Business interruption – including physical damage to products, machinery and plant
- Bodily injury of employees – which can cause crippling long-term costs
- Reputational damage – for failure to supply, insecure systems and defective products
- Supply chain risk – including costs for downtime, increased working and contractual penalties
- Intellectual property theft – a big driver of industrial cyber-attack
The problem for manufacturers is that many of their biggest exposures fall between two areas in insurance. Traditionally, cyber insurance policies do not offer cover for property damage or disruption in supply chains, as these are tangible risks that fall outside the cyber insurance market’s focus on intangible losses. Likewise, standard property policies do not offer cover in eventualities where property has been damaged due to a cyber security breach. Even general liability policies present gaps: in the event a hacker gains control and creates a dangerous working environment, or if unauthorised activity disrupts a business’s supply chain, neither would be covered because general liability policies do not typically insure against the outcomes of a cyber incident.
Manufacturers’ C-suites are increasingly aware of the mounting cyber threat they face but it’s imperative they understand the specific nature of the risks emerging and how best to mitigate them. Employees need to be educated to recognise these threats, weak links between interconnected operating and enterprise systems need to be protected, and any insurance coverage gaps need to be identified and addressed through a bespoke programme tailored to each manufacturer’s need. Only then can manufacturers feel confident they have the most robust defence possible against the increasingly prevalent, insidious attacks.
By Tom Draper, Technology & Cyber Practice Leader at insurance broker Arthur J. Gallagher