When manufacturers think about cybersecurity, they automatically think about firewalls, antivirus software and ways to detect network anomalies. They turn to the IT department and the control engineers to make sure mission critical systems are protected from bad actors trying to vitiate operations in order to steal IP, or perhaps cause harm.
But there’s a glaring omission in this security model. Beyond the technology used to protect the borders of the business or the confines of the control network, there needs to be an element that deals with the “transfer of risk.” It’s about protecting the corporate reputation, and it requires cybersecurity insurance.
I know what you’re saying: “Why should we buy extra insurance? There’s no way we’ll be hacked because we have a bullet-proof border.”
And, I say, “No, you don’t.” Automation World, has reported on plenty of the high-profile ransomware and cyber incidents like WannaCry and Triton. But there are many other mishaps happening all around us. Many manufacturers just don’t know they’ve been hacked—or they just don’t report it.
“Depending on the nature of an incident, reporting requirements for manufacturers vary, but can be far less stringent than some other industries,” said Brendan Rooney, director at The Crypsis Group, a digital forensics and incident response firm. The group has handled just under 500 incidents that required forensics in the past year, but you probably didn’t hear about them. “There are a lot of reasons you don’t see mid-market manufacturers popping up in the news or admitting to a compromise. Mostly, because they would incur a significant level of reputational harm.”The Crypsis team is called in after a cyber incident. They run proprietary programs and deploy their expert consultants to see how a hacker gained access to the network, and where the IP address originated. They also determine how long the hacker was in the network and what information they had access to. That report is passed back to an attorney who works on remediation of the issues to stop a future attack, and to do damage control.
To that end, every company needs a response plan to a security breach. And managing the consequences of a breach is critical to that plan. How you handle the incident after the fact will make or break the trust between the manufacturer and its partners and suppliers. That means, when a cyber breach happens, there is an obligation to notify everyone in the supply chain to understand what your company is responsible for in the case of data theft or consequential loss.
The best way to accept—and shift—the risk associated with a cyber breach is to have cybersecurity insurance, a new category that brokerage firms like AHT Insurance are adding to their offerings.
Many manufacturers carry general business insurance, but one size does not fit all, and, cybersecurity adds a new dimension that requires its own kind of coverage. “Insurance by itself is pure risk transfer,” said George Forrester, a principal at AHT Insurance. “But as part of that you want the reduction of risk.”
Even the Department of Homeland Security is encouraging businesses to invest in cyber risk management and cybersecurity insurance which could help reduce the number of successful cyberattacks by: (1) promoting the adoption of preventative measures in return for more coverage; and (2) encouraging the implementation of best practices by basing premiums on an insured’s level of self-protection.
In an effort to understand risk reduction, Forrester and team studied the ANSI/PMMI B155.1-2016 safety standard for packaging and processing machinery. From that, they were able to make risk assessment a centerpiece of their product safety program to get manufacturers to proactively demonstrate, when an incident occurs, the safety, design and manufacturing processes, which makes them more defensible. And, about 18 months ago, when cyber incidents were on the rise, AHT recognized that cyber threats go hand-in-hand with safety threats.
AHT addresses the many faces of cybersecurity threats, which include business interruption, loss of income, as well as the potential for a product recall. But, Homeland Security wants insurers to take cybersecurity policies a step further by providing coverage for an area of growing private and public concern: the physical damage and bodily harm that could result from a successful cyberattack against critical infrastructure.
Forrester is taking note. “Most hackers are in it for the money, but there’s also the possibility of someone doing something that can cause serious damage.”
For a more in-depth report on cybersecurity risks, read: What Lies Beneath a Cyber Breach.