In a digitally transformed and hyperconnected business world, all industries are at grave risk of cyber attacks. But a robust risk, insurance and claims management framework could help mitigate the impact.
Imagine a world where criminals could add fake cancerous cells to an MRI scan to discredit a politician standing in an election or where a laptop stolen from a construction site could lead to the theft of credit card and personal data of hundreds of thousands of consumers.
This is the reality of 21st century business – and the risks described will worsen for corporations as the world continues towards digital interconnectivity.
Companies in every sector rely heavily on the type of advanced technology that, only ten years before, might have seemed like something from a science fiction movie. Inventions such as artificial intelligence, the internet of things (IoT), virtual reality and drones have transformed the way we work, live and interact with the world.
Indeed, the benefits are plentiful – companies can penetrate markets that were once out of their reach. Productivity and efficiency have increased, while production and operation costs have declined. But the downside, of course, is that companies have never been so vulnerable to cyber risks – and the consequences of such attacks are more widespread than we could have ever predicted.
For instance, recent research by security firm Cylance found that the healthcare system is bearing the brunt of ransomware attacks. These attacks grew threefold last year, and the healthcare sector now receives 34% of the threats.
This is unsurprising given the fact that medical data is increasingly kept online, and procedures and diagnostics rely heavily on new technologies. Everything – from hospital records and test results to lifts in hospitals – is now connected via the internet.
Carrie Campi, Esq., vice-president, North American claims group at Allied World, said: “Given the ever evolving nature of intrusion, healthcare related entities are at higher risk of internet connected devices being compromised by either losing confidential data or becoming inoperable possibly through some sort of attack. A disruption of use of these critical devices will result in lost business and possibly worse.”
MANUFACTURING AND CONSTRUCTION
It is not hard to find examples of the scale of cyber incidents in recent years. The WannaCry attacks in 2017, for example, infected thousands of computers globally and brought the NHS almost to its knees. In May, cyber security researchers said they had created a new malware that attackers could use to target a presidential candidate to get them to withdraw from an electoral race.
Of course, healthcare isn’t the only sector facing significant risks. Manufacturing and construction are two other industries that are particularly vulnerable. Research by Symantec showed that manufacturing was among the top three industries targeted by spear phishing attacks, for example.
Indeed, both sectors rely on technologies – smart machines, storage systems and production facilities – across multiple sites. Jason Glasgow, vice-president, US technology, privacy and network security practice lead at Allied World, says: “Wearables and drones provide real-time monitoring and data collection, while virtual reality can create simulations of building designs. These technologies open a world of safety, training and efficiency opportunities, but also give malicious actors potential access to valuable information.”
This ‘flexible manufacturing’ is enabled by the ‘industrial internet’ and is expected to improve production and resource efficiency by 18% in the next five years, while also reducing costs by 2.6% each year, according to Symantec.
However, the interconnectivity means that companies are more vulnerable. In particular, any attacks that cause substantial delays to production or projects are likely to be extremely costly for both manufacturing and construction businesses.
There is also a significant risk surrounding the access that these firms often have to confidential client data.
Glasgow explains: “Compromised intellectual property such as building specifications and architectural drawings can provide a roadmap for criminals to gain access to valuable personally identifiable information (PII), including financial accounts and employee data.”
These evolving threats mean that all industries need to better manage the risks presented by technological transformation.
One way to protect against these threats is through insurance cover – and insurance in this area is evolving, for the better. These days, policies can protect businesses against anything from a lack of security controls and data theft to business interruption at first- and third-party vendors owing to a cyber-related attack.
Campi says: “As a target company, it is crucial that you have business interruption coverage for cyber disruptions. Another evolving cyber coverage is contingent business interruption, which provides coverage for a non-target entity when their business is impacted by the attack on one of their service and/or product providers.”
There is also an increasing expectation among employees, customers, clients and regulators that businesses mitigate cyber breaches in the first place. Failure to obtain the appropriate insurance coverage may lead to costly fines (for instance, for falling foul of GDPR regulations) and to reputational damage and loss of business.
Glasgow concludes: “Our increased dependency on technology exposes all stakeholders to increased risk. Companies can mitigate this risk by developing mobile device security and cyber breach plans and by providing adequate training for all employees on cyber security measures and responsibilities.”
“Some cyber policies offer proactive, value-added risk management support. This can serve as a tremendous resource, especially for companies that lack expertise in information security. Working with an insurance agent who has proven expertise in cyber security and familiarity with the unique risks posed is the best way for companies to ensure that they are adequately covered.”
CYBER SECURITY: TOP FIVE LESSONS
Companies must adopt a robust cyber security risk management strategy and take the time to understand the exposures, including:
- Access to clients’ confidential information – Although your company may not store the type of personal information hackers find desirable (e.g., credit cards or financial records), you may still have access to your clients’ confidential information. Compromised intellectual property such as building specifications and architectural drawings can provide a roadmap for criminals to gain access to valuable personally identifiable information (PII), including financial accounts and employee data. Just like any other company, if you have access to this type of confidential information, you’re vulnerable to phishing, ransomware, and other common forms of cyber attack.
- Business interruption exposure – As in any industry, cyber attacks can result in business interruption, which can be very costly. Potential disruption must be built into a risk management plan. If a breach occurs, companies should have a contingency plan to ensure projects are not delayed.
- Increased reliance on technology – Businesses are increasingly adopting new technologies to improve safety and efficiency. Wearables and drones provide real-time monitoring and data collection, while virtual reality can create simulations of building designs. These technologies open a world of safety, training and efficiency opportunities, but also give malicious actors potential access to valuable information.
- Third-party liability – As third-party vendors to clients, who also use third-party suppliers and subcontractors themselves, companies are exposed to stakeholder breach liability risk on all sides. An example is the 2013 cyber attack on a large national retailer, in which a small HVAC contractor providing services suffered a data breach. The hackers gained access to the network credentials that the contractor used to remotely access the retailer’s network, resulting in a breach of credit and debit card information for tens of millions of customers in the US. This HVAC contractor could have been held liable for the damages customers sustained.
- Claims findings – Claims arising out of breaches result from various types of attack, including ransomware, phishing and social engineering, where criminals send emails purporting to be from employees or trusted business partners in order to get confidential information or steal money. These attacks can be from criminals with a pure profit motive, competitors attempting to steal information, or criminals seeking to create chaos for other reasons.