July 6, 2017 by Jimaan Sane, Cyber Underwriter, Beazley; and Rhea Turchinetz, Cyber Underwriter, Beazley Canada
The onward march of cyber risk gives Canadian businesses – including manufacturers – much to be concerned about. But they should find some comfort in the way in which insurers are confronting the problem.
The first reaction of most business people to a new risk is a very human one: it will not happen to them. Then, as the evidence proliferates that it may well happen to them, forward-looking executives will search for ways to protect their companies. Over time, the initial camp grows smaller and smaller and, eventually, disappears.
With regard to cyber risk, large service businesses such as retailers, financial institutions and healthcare providers – organizations that hold significant volumes of personally identifiable customer information – are a long way through this journey. A dwindling band of naysayers has successfully ignored a succession of massive data breaches, starting in the United States with Target, Home Depot, Anthem and J.P. Morgan and, more recently in Canada, including Ashley Madison and Bell Canada.
The naysayers have also ignored the deep vulnerabilities in the software on which modern business relies, most recently demonstrated by the havoc created by the WannaCry malware attack. Millions of lines of code in typical office software programs provide almost innumerable access points for hackers.
Evidence for the wisdom of appropriate insurance accordingly continues to mount.
Other businesses are at a much earlier stage in the journey. Manufacturers, in particular, have not until recently appreciated the scale of their vulnerability to cyber attacks.
But the risks are real and diverse, and some of the world’s largest companies are now seeking to build towers of coverage sufficiently tall to provide meaningful protection.
One of the drivers of demand is the fact that the distinction between manufacturing and service businesses has been narrowing for decades, a process accelerated by the growth of web-based services. This convergence of manufacturing and digital services was neatly encapsulated in General Electric’s decision earlier this decade to reposition itself as the “digital industrial” company, a process the company’s chief digital officer Bill Ruh has described as “a journey to a world where physical operations intersect with physical science, data and advanced analytics.”
The benefits of this in terms of manufacturing efficiencies and enhanced customer services are undeniable. But it also significantly increases cyber risk.
Some manufacturers now rely more on fees for support services than on payments for the physical goods they produce. If these services are in any way web-enabled, they – and the customers who use them – can be vulnerable to a data breach.
But manufacturers face other risks, too. Until now, most insurers have been focused on providing coverage for third-party exposures stemming from the loss or theft of personally identifiable information (usually relating to customers).
Well-designed products exist that enable a company hit by a data breach to marshal all the services it needs to handle the breach effectively and maintain customer confidence. These services typically include forensic analysis to pinpoint what data was lost; legal advice to identify who needs to be notified in compliance with applicable regulations; and customer notification and credit-monitoring services.
All of this may forestall customer lawsuits, but that cannot be guaranteed, so third-party liability coverage is an important part of the package.
Manufacturers, however, additionally confront a slew of first-party exposures that go well beyond the coverage normally provided by data breach insurance policies.
For a manufacturer, the most significant first-party exposures are likely to include the following:
1. Physical damage/bodily injury. An alarming foretaste of the risks manufacturers face occurred in Germany in late 2014. The German Federal Office for Information Security did not release full information relating to the attack, but reported that it caused “massive damage” at a steel mill following the “uncontrolled shutdown” of a blast furnace. The hackers first accessed the mill’s office software through phishing emails. From there, they were able to penetrate the mill’s production management and control systems, shutting down security protocols regulating the blast furnace. This was believed to be an instance of what is known as an advanced persistent threat (APT) in which a single entity is targeted and a concerted effort made to secure long-term access to the entity’s internal network. Such attacks are unlikely to be within the repertoire of individual hackers and are more likely to be carried out by criminal gangs and, sometimes, state actors.
2. Business interruption from a direct cyber attack. The potential business interruption costs of a cyber attack on a large manufacturer, if a major production centre were to be immobilized for a long period of time, are enormous. On a small scale, the WannaCry attacks briefly brought European car plants owned by France’s Renault and its Japanese partner Nissan to a halt. A more targeted attack on an individual manufacturer could, if successful, have far greater repercussions. A particular concern is attacks against supervisory control and data acquisition (SCADA) systems, which have been widely reported to be on the rise. One of the most dramatic such attacks crippled a Ukrainian power company in 2015, plunging more than 80,000 homes into darkness at Christmas. As with the German steel mill attack, the original access to the system is thought to have been achieved via a phishing email.
3. A cyber attack that disrupts a company’s supply chain. A growing concern is production stoppages deriving not from an attack on a manufacturer itself, but on its suppliers. Of course, a well-designed supply chain will have a measure of redundancy built in, but this always comes at a cost and a major attack to a tier-one supplier (or more than one) could well cause production stoppages.
So much for demand; what of supply? How much coverage can manufacturers obtain, and how well tailored is it to their individual risk profiles?
The insurance industry has not yet seen a US$1 billion cyber tower, but a number of companies have been able to purchase coverage for well in excess of US$500 million and the billion-dollar limit may well be exceeded in the next 18 months. The primary layer in such a tower will typically be US$100 million and be provided by one of a handful of insurers that have developed a specialism in insuring these complex risks.
There are some important differences in underwriting philosophy among the carriers active in this market. Some require adherence to quite restrictive security and operational protocols before they will underwrite a risk; others aim to be more flexible.
The rationale for a more flexible approach is that at this end of the market, the level of security sophistication tends to be high. Coverage – and premiums – should recognize the security precautions in place, but insurers should not adopt an “our way or the highway” underwriting approach.
As with many risks, the match between what the client desires and what an insurer is willing to provide is not always perfect. For example, contingent business interruption (CBI) risk, however it is triggered, has always been challenging to underwrite as supply chains can be long and complex and ripple effects hard to quantify. But some measure of CBI protection for cyber risks is now obtainable.
Cyber risk is sometimes categorized, wrongly, as an emerging risk. The reality is that elements of the risk have been insurable perils since at least 2003, when California became the first state in the U.S. to require notification of security breaches.
Indeed, it was the proliferation of similar regulations (47 states now have them) that first spurred the purchase of data breach insurance south of the border, well in advance of other countries. This means that insurers have excellent data, at least for this form of cyber risk.
But cyber is unquestionably a fast evolving risk, as the recent epidemic of ransomware attacks has shown. Extortion through ransomware, which Beazley has seen quadruple in 2016, has so far targeted relatively small sums in Bitcoin, generally no higher than $20,000.
There is, however, no reason why far larger demands might not be made if the cyber criminals are confident that they can inflict very high financial costs – and, possibly, very high reputational costs as well – on the victim of the attack.
While news headlines about cyber attacks are alarming, for once, the press may not be exaggerating the risk. Billions of dollars are being spent annually by cyber security companies to sell their wares, but Edward Snowden may have come closer to the truth last year when he was quoted in the Financial Times as saying: “We are living through a crisis in computer security the likes of which we’ve never seen. We have more systems that are more connected with more vulnerabilities than have existed in the past.”
Many Canadian manufacturers – in common with manufacturers around the world – have built their business models on the promise and the potential of these interconnected systems. Now they need to look to the vulnerabilities.
-Jimaan Sane, Cyber Underwriter, Beazley; and Rhea Turchinetz, Cyber Underwriter, Beazley Canada