Cyber risks: Not if, but when

Reliance on existing liability insurance to cover cyber risks may no longer be enough

The protection of personally identifiable information held on behalf of customers and suppliers continues to be a major source of concern. But for many companies, particularly in the manufacturing sector, the operational risks of a malicious intrusion are at least as great.

Large service businesses such as retailers, financial institutions, and health care providers — organizations that hold significant volumes of personally identifiable customer information — are a long way through the cyber risk journey, with many, including Target, Home Depot, Anthem, J.P. Morgan, and more recently Ashley Madison and Bell Canada in Canada, having experienced firsthand the impact of massive data breaches.

Other businesses are at a much earlier stage in the journey. Manufacturers in particular have not until recently appreciated the scale of their vulnerability to cyberattacks, but they are increasingly being targeted. A 2016 study by Deloitte and the Manufacturers Alliance for Productivity and Innovation (MAPI) titled “Cyber Risk in Advanced Manufacturing,” for instance, revealed that 40 per cent of manufacturing companies in the U.S. had experienced a “cyber incident” and that for 38 per cent of these, the costs exceeded $1 million.

The growth of web-based services has narrowed the divide between manufacturing and service businesses. The benefits of this in terms of manufacturing efficiencies and enhanced customer services are undeniable. But it also significantly increases cyber risk. According to the U.S. Office of Homeland Security, “More Internet connected industrial automation devices, and the convergence of OT and IT infrastructures, in addition to a shortage of security skills, means that accurate evaluation and mitigation of security risks is increasingly challenging.”

Some manufacturers now rely more on fees for support services than on payments for the physical goods they produce. If these services are in any way web-enabled, they, and the customers who use them, can be vulnerable to a data breach.

Manufacturers, however, additionally confront a slew of first-party exposures, the most significant of which are likely to include the following:

1. Physical damage/bodily injury. An incident in Germany in late 2014 exemplifies the risks at hand within the manufacturing industry. The German Federal Office for Information Security reported “massive damage” at a steel mill following the “uncontrolled shutdown” of a blast furnace. The hackers first accessed the mill’s office software through phishing emails and sophisticated social engineering. From there they penetrated the mill’s production management and control systems and shut down individual control components and installations regulating the blast furnace.

This was believed to be an instance of what is known as an advanced persistent threat (APT) in which a single entity is targeted and a concerted effort made to secure long-term access to the entity’s internal network. Such attacks are unlikely to be within the repertoire of individual hackers and are more likely to be carried out by criminal gangs and, sometimes, state actors.

2. Business interruption from a direct cyberattack. Imagine the cost of business interruptions if a major production centre were to be immobilized for a long period of time. Cyberattacks make manufacturers vulnerable to such costs. On a small scale, the WannaCry attacks briefly brought European car plants owned by France’s Renault and its Japanese partner Nissan to a halt. A successfully targeted attack on an individual manufacturer would have far greater repercussions.

3. A cyberattack that disrupts a company’s supply chain. A growing concern is production stoppages deriving not from an attack on a manufacturer itself, but from an attack on its suppliers. Of course, a well-designed supply chain will have a measure of redundancy built in, but this always comes at a cost, and a major attack on a Tier 1 supplier (or more than one) could well cause production stoppages.

Fast-evolving Risk

Cyber is unquestionably a fast-evolving risk, as the recent epidemic of ransomware attacks has shown. Extortion through ransomware, which Beazley saw quadruple in 2016 and increase by 50 per cent again in the first six months of 2017, has so far targeted relatively small sums in bitcoin, generally no more than $20,000.

If the cyber criminals are confident that they can inflict very high financial and potentially high reputational costs on the victim, there is no reason that the demands could not be much larger.

For once the press is not blowing headlines out of proportion: the rise of cyberattacks is staggering.

Billions of dollars are being spent annually by cybersecurity companies to sell their wares, but Edward Snowden may have come closer to the truth last year when he was quoted in the Financial Times as saying, “We are living through a crisis in computer security the likes of which we’ve never seen. We have more systems that are more connected with more vulnerabilities than have existed in the past.”

The promise and potential of interconnected systems have been a fundamental component of many Canadian manufacturers’ business models. Now they need to look to the vulnerabilities.

So what can manufacturers do?

Cyber insurance is sometimes presented as a single insurance product, whereas in reality, it is a diverse mix of different types of insurance designed to address risks that are themselves rapidly evolving.

Until now many insurers have been focused on providing coverage for third-party exposures stemming from the loss or theft of personally identifiable information (usually relating to customers or individuals).

There are well-designed insurance products and services that enable a company hit by a data breach to marshal all the services it needs to handle the breach effectively and maintain customer confidence. These services typically include forensic analysis to pinpoint what data was lost, legal advice to identify who needs to be notified in compliance with applicable regulations, and customer notification and credit-monitoring services.

All of this may forestall customer lawsuits, but that cannot be guaranteed, so third-party liability coverage is an important part of the package.

Specialist insurers with dedicated cyber risk teams also offer protection to meet manufacturers’ individual needs and first-party risks, including bodily injury, property damage, and contingent business interruption deriving from supply chain disruption.

As the risks evolve, so does the need for insurance that is fit for the purpose. Manufacturers should ensure that they are properly protected. Reliance on their existing liability insurance to cover cyber risks may no longer be enough.

As cyberattacks continue to rise in frequency and evolve in nature, Canadian businesses, including manufacturers, have much to be concerned about. But the way that insurers are offering solutions to the problem should offer solace.

Jimaan Sane is cyber underwriter, Beazley, and Rhea Turchinetz is cyber underwriter, Beazley Canada, 416-601-2155, www.beazley.ca.