Cyber resilience in the digital era

Imagine a world where criminals could add fake cancerous cells to an MRI scan to discredit a politician standing in an election or where a laptop stolen from a construction site could lead to the theft of credit card and personal data of hundreds of thousands of consumers.

This is the reality of 21^st century business – and the risks described will worsen for corporations as the world continues towards digital interconnectivity.

Companies in every sector rely heavily on the type of advanced technology, that only ten years before, might have seemed like something from a science fiction movie. Inventions such as artificial intelligence, the internet of things (IoT), virtual reality and drones have transformed the way we work, live and interact with the world.

Indeed, the benefits are plentiful – companies can penetrate markets that were once out of their reach. Productivity and efficiency have increased, while production and operation costs have declined. But the downside, of course, is that companies have never been so vulnerable to cyber risks – and the consequences of such attacks are more widespread than we could have ever predicted.

HEALTHCARE

For instance, recent research by security firm Cyclance found that the healthcare system is bearing the brunt of ransomware attacks. These attacks grew threefold last year, and the healthcare sector now receives 34% of the threats.

This is unsurprising given the fact that medical data is increasingly kept online, and procedures and diagnostics rely heavily on new technologies. Everything – from hospital records and test results to lifts in hospitals – are now connected via the internet.

Carrie Campi, Esq. vice-president, North American claims group at Allied World, said: “Given the ever evolving nature of intrusion, healthcare related entities are at higher risk of internet connected devices being compromised by either losing confidential data or becoming inoperable possibly through some sort of attack. A disruption of use of these critical devices will result in lost business and possibly worse.”

MANUFACTURING AND CONSTRUCTION

It is not hard to find examples of the scale of cyber incidents in recent years. The WannaCry attacks in 2017, for example, infected thousands of computers globally and brought the NHS almost to its knees. In May, cyber security researchers said they had created a new malware that attackers could use to target a presidential candidate to get them to withdraw from an electoral race.

Of course, healthcare isn’t the only sector facing significant risks. Manufacturing and construction are two other industries that are particularly vulnerable. Research by Symantec showed that manufacturing was among the top three industries targeted by spear phishing attacks, for example.

Indeed, both sectors rely on technologies – smart machines, storage systems and production facilities – across multiple sites. Jason Glasgow, vice-president, US technology, privacy and network security practice Lead at Allied World, says: “Wearables and drones provide real-time monitoring and data collection, while virtual reality can create simulations of building designs. These technologies open a world of safety, training and efficiency opportunities, but also give malicious actors potential access to valuable information.”

This ‘flexible manufacturing’ is enabled by the ‘industrial internet’ and is expected to improve production and resource efficiency by 18% in the next five years, while also reducing costs by 2.6% each year, according to Symantec.

However, the interconnectivity means that companies are more vulnerable. In particular, any attacks that cause substantial delays to production or projects are likely to be extremely costly for both manufacturing and construction businesses.

There is also a significant risk surrounding the access that these firms often have to confidential client data.

Glasgow explains: “Compromised intellectual property such as building specifications and architectural drawings can provide a roadmap for criminals to gain access to valuable personally identifiable information (PII), including financial accounts and employee data.”

These evolving threats mean that all industries need to better manage the risks presented by technological transformation.

PROTECTION

One way to protect against these threats is through insurance cover – and insurance in this area is evolving, for the better. These days, policies can protect business from anything from lack of security controls, data theft to business interruption of first and third-party vendors owing to a cyber-related attack.

Campi says: “As a target company, it is crucial that you have business interruption coverage for cyber disruptions. Another evolving cyber coverage is contingent business interruption, which provides coverage for a non-target entity when their business is impacted by the attack on one of their service and/or product providers.”

There is also an increasing expectation among employees, customers, clients and regulators that businesses mitigate against cyber breaches in the first place. Failure to obtain the appropriate insurance coverage may lead to costly fines (for instance, falling foul of GDPR regulations) and to reputational damage and loss of business.

Glasgow concludes: “Our increased dependency on technology exposes all stakeholders to increased risk. Companies can mitigate this risk by developing mobile device security and cyber breach plans and by providing adequate training for all employees on cyber security measures and responsibilities.”

“Some cyber policies offer proactive, value-added risk management support. This can serve as a tremendous resource, especially for companies that lack expertise in information security. Working with an insurance agent who has proven expertise in cyber security and familiarity with the unique risks posed is the best way for companies to ensure that they are adequately covered.”