In the 2007 film, “Live Free or Die Hard,” Bruce Willis as New York City Police Detective John McClane stops the villain who has sabotaged the U.S.’s network of traffic signals, rail transport and air traffic control. The villain also has forced the evacuation of numerous federal buildings with a false anthrax alarm, with some of his men infiltrating a Maryland facility by posing as a hazmat cleanup team to sneak in and kill the guards.
This scenario is no longer fiction. In its Jan.-April 2014 issue of the ICS-CERT Monitor, the U.S. Department of Homeland Security (DHS) confirmed that a public utility was compromised when a “sophisticated threat actor” gained unauthorized access to its control system network, demonstrating that fictional attacks have become all too real. After notification of the incident, ICS-CERT (Industrial Control Systems Cyber Emergency Response Team), an agency within DHS, validated that the software used to administer the control system assets was accessible via Internet-facing hosts.
These attacks will become more common, says Ben Beeson, vice president for Cyber Security and Privacy at Lockton Companies, based in Washington, D.C. They are also likely to become more significant and destructive. Companies need to understand that their physical assets also are at risk, not just their data, he adds.
Cyber insurance today
Currently, most companies buy cyber insurance to cover three areas of cost from a data breach or violation of data privacy, Beeson explains:
- Data breach response costs, including notification costs, hiring a forensics IT team, a crisis communications firm, and a credit bureau to offer monitoring
- Regulatory costs, in defending actions by the Federal Trade Commission or a state attorney general, for instance, and any civil fines
- Class action defense costs, from a suit by owners of credit cards whose financial data has been compromised or by banks suing a retailer for the cost of canceling and reissuing credit cards
There are other areas of financial impact that also are insurable under specific policies, for example, business interruption costs and losses while a computer network is down. These costs may include the cost to restore data that has been destroyed. Until recently, Beeson points out, much of this coverage has been included in standard business interruption policies because there have been few claims. As the number and severity of claims increase, the cost of the policies also is likely to increase.
Physical damage coverage
Using the example of a destructive cyberattack on an oil pipeline, Beeson says that the operators now have to worry about physical damage to the pipeline itself, property damage to the equipment used to operate the pipeline or to a third party’s property, and possible bodily injury, as well as business interruption. “This is a huge issue for insurance companies that write legacy property insurance policies,” he says. An attack on a utility causing physical damage to a turbine, for example, would be excluded under a Lloyd’s policy. If the utility was insured by a U.S. domestic carrier, the policy is likely to be silent or provide limited coverage.
The risk to an organization’s physical assets is understandable when you think about how much in our lives is controlled by electronics, for example, the ability to close your garage door or adjust your house lights from your smartphone. Beeson points out that a cyberattack that causes physical damage is more feasible and there is more motivation. Previously, for a data breach, he explains, hackers wanted to monetize personal data, commit corporate espionage or steal intellectual property. Now, hackers want to destroy a company.
Beeson also notes that the operational technology that controls industrial systems wasn’t intended to be secure; it was intended to be available and open. At one time, industrial processes for critical infrastructure were built to be isolated, but now the processes are connected to a corporate IT network, which is connected to the Internet. “That gives a hacker a back door to get in,” he explains. Companies have found they can operate their systems remotely without as many employees, by connecting their systems to their IT networks, which reduces costs. “But you improve profitability at the risk of your security,” he says.
It’s not only large companies that are at risk, Beeson says. Small to mid-sized businesses are easy targets, especially if they are a vendor or service provider to a larger business. “Depending on what assets you have or service you provide,” he explains, “that might attract someone to come after you.”
A process of education
A major concern for risk managers is educating senior management about the problems for the company and the possible risks. Many executives struggle to understand the difference between industrial or operational technology and the company’s IT systems, Beeson says. “It’s not just about putting in firewalls or other intrusion detection systems. It’s a risk management issue.” There is a difference in the systems and they need to be treated differently.
Beeson admits that the topic of risk to physical assets from a cyberattack is controversial. He finds that it may be a difficult conversation to have with buyers and some brokers as well. Buyers often ask “Doesn’t my property insurance policy cover this risk?” Often, the answer is “maybe not.”
The education process on physical damage risk is similar to the education process about personal data risk issues 10 years ago, Beeson says. He believes that agents and brokers also need to educate themselves about the potential for damage to physical assets. It’s an emerging risk area and without a solid understanding, agents and brokers may not be able to provide the coverage the buyer needs and wants.
Some insurance solutions
Large organizations generally have teams in place to deal with major crises, including data breaches or other cyberattacks, but small to mid-sized businesses often lack those resources. “There are some great solutions available for that size market,” Beeson says, demonstrating that the industry can innovate to meet new risks and customer needs. He cited the following examples:
Beazley Breach Response gives a buyer more than just an insurance policy to indemnify for the costs of a data breach; the buyer gets a risk management solution backed by insurance. Beazley describes its product as an insurance, loss control and risk mitigation service that provides a comprehensive solution to notify and protect the customers of policy holders that have suffered a data breach. It includes forensic and legal assistance from a panel of experts, as well as coverage for public relations and crisis management expenses.
For its ACE Privacy Protection policy holders, ACE USA, the U.S.-based retail operations of the ACE Group, has available a Data Breach Fund Sidecar Endorsement, an enhancement to its Data Breach Team Endorsement. According to ACE, the Data Breach Fund Sidecar Endorsement eliminates tiered sub-limits and provides a single data breach fund limit, one that falls outside the policy’s liability limits for all data breach expenses.
AIG describes its CyberEdge PC program as an “excess, difference-in-conditions cyber insurance solution that helps organizations stay ahead of the curve of cyber risk.” According to AIG, CyberEdge:
- Adds capacity above existing insurance programs solely from a loss from a cybersecurity failure.
- Enhances underlying coverage through difference-in-conditions coverage designed to fill gaps in coverage for cybersecurity risk.
- Fills in when an underlying sublimit caps cybersecurity-related coverage.
- Leverages the features of an organization’s underlying traditional property, casualty, aerospace, marine, environmental, healthcare, E&O, cyber, or fidelity insurance program.
- Provides access to underwriting and claims experts specialized in these lines of business.
Check with your broker
These are only three examples of ways that the industry is responding to the risk of physical damage from cyberattacks. As the risk becomes better known, other carriers are likely to add products that provide coverage for a range of industries and organizations. If you’re in the market for cyber insurance, contact your broker or carrier to help find the best fit for your organization’s needs.