Cyber Risks for Manufacturing Companies

Cyberattacks, identity theft are just two of the threats companies face

Cybersecurity is a top-of-mind risk for organizations of all sizes and across all industries. While to date media attention has focused on large retail companies dealing with privacy breaches on a massive scale, the scarier news is the number of small to midsize organizations that are experiencing cyber incidents that are not reported to the public.

In some cases, these attacks are not even known to the company until well after the fact.

The reality is that the majority of organizations doing business using electronics have some kind of cyber exposure. As manufacturing companies increasingly rely on software to automate processes, manage supply chains, and facilitate R&D, the threat of cyber crime within the industry has risen significantly.

Manufacturing companies might believe that they do not retain the type of confidential information that would be an attractive target to hackers. However, most organizations, even if they don’t collect third-party financial information, have some type of critical data that could make them the target of a cyberattack.

Employee and other personnel records, corporate credit cards, health benefits, intellectual property, and third-party corporate business information all can be attractive to cyber criminals who may then sell it to rogue states or competitors over the Internet.

Another significant cyber exposure for production or manufacturing companies arises out of the use of computer systems and software to automate manufacturing processes, manage supply chains, and conduct R&D.

These companies could be the target of cyber criminals with financial, political, or activist motivations because of the perceived environmental impact of the organization’s or its industry’s operations, the types of products being manufactured, or the manner in which the end products are used.

In the event that the company’s computer system is compromised with malicious code, or malware, this could cause operations to cease and result in lost revenue for the organization while it incurs additional costs to get operations back up and running.

Real-world Cyber Breaches

In the last year there have been a number of reported cyberattacks on manufacturing companies, including the following:

  • Cyber breach. A manufacturing company with 400 employees learned it had suffered a cyber breach when the Internal Revenue Service discovered that hundreds of fraudulent tax returns were filed on behalf of employees that worked at the company. The FBI was notified and an investigation discovered that the personnel files of 298 past and present employees had been accessed.
  • Malware attack. A North Carolina-based manufacturing company suffered a cyber breach that affected a total of 3,754 customers. The company manufactured products that served the needs of military personnel on bases across the U.S. Hackers used a malicious software code to access and steal personal information, including individual names, credit card numbers, email addresses, website account names, and passwords.

Cyber Liability Insurance

Cybersecurity is a growing issue for organizations in every industry; businesses in the manufacturing industry are no exception to this. Every company must take steps to prevent a cyberattack by determining their cyber vulnerabilities, identifying assets that are potential targets, and investing in cybersecurity measures.

Yet many IT security experts assert that an attack is inevitable for most companies. As a result, many organizations are using risk transfer tools such as cyber liability insurance as part of their risk management strategy to help them quickly address a cyber breach and reduce possible damages.

Basic Cyber and Privacy Coverage

First-Party Coverage. One of the key components of cyber liability insurance is the coverage that it provides for the first-party costs that a company incurs to deal with a cyber breach. These could include expenses related to breach notification, public relations, credit monitoring, a call centre, forensic investigation, business interruption, and the repair and restoration of a computer system. These are costs that are not covered under any other insurance policy.

In addition, many cyber liability insurance policies now come backed by a cyber response team dedicated to helping insured parties manage cyber and privacy breaches. Many insurers have established a relationship with third-party cyber breach service providers so that at the time of a breach, an insured company has quick and easy access to a breach coach and other organizations ready to help, rather than being left to handle the situation and source out assistance alone.

Third-Party Coverage. Cyber and privacy insurance policies also contain coverage for an insured’s third-party losses. This generally includes defence costs and the cost of judgments or settlements in any lawsuits that arise as a result of a cyber or privacy breach. This coverage can also extend to regulatory investigations or proceedings, including fines, insurable penalties, or civil awards that an insured is required to pay as a result of a breach.

Business Interruption Coverage. The business interruption insuring agreement in a cyber insurance policy provides coverage for losses that result from the disruption or shutdown of the insured’s computer system following a network or security breach. The covered losses can include forgone revenue and other expenses incurred by an insured, over and above usual costs, to get operations back to normal.

The basic business interruption coverage provided in cyber and privacy policies does not include contingent business interruption, which provides coverage for losses that result when an insured company suffers a disruption in their business operations because of a breach to a third-party service provider’s computer system. This is optional coverage that can be added to most cyber insurance policies for an additional premium.

Bodily Injury and Property Damage. It is important to note that a cyber liability insurance policy does not provide coverage for bodily injury or property damage that results from a cyber breach. Other insurance products have been developed to address this risk and can be purchased separately from the cyber liability insurance discussed in this article.

Insurers typically recommend that organizations of all sizes and in all industries consider purchasing cyber liability insurance to protect their assets and ensure they are well-prepared to deal with a cyberattack or privacy breach.

The quality of cyber liability insurance products varies widely so it is best to work with an experienced insurance broker that is familiar with the nuances of this coverage and the additional perks, such as a cyber response team, that insurance carriers can offer.

For more information, contact Judi Smith at judi.smith@aon.ca.

Jennifer Drake is vice president, legal consultant, Aon Canada -- Financial Services Group.