There are two elements to cyber risk. The first is the better known: financial loss due to business interruption and reputational damage following a cyber breach. The second relates to the physical threat that can stem from a cyber incident, which, in some cases, can have an environmental impact. A hacker gaining control of a company’s systems could cause a pollution incident through an uncontrolled release, for example by opening control valves, or by raising pressure or temperature settings until something explodes. Similarly, a negligent act or failure to act by an employee while operating, maintaining or upgrading a computer system could also lead to a pollution incident. Either event could leave the company on the hook for clean-up costs as a result of environmental damage.
The more digital systems that are connected to the Internet, the greater the number of access points for a hacker. This opens the door to potential breaches. Today, almost every industry now has automated systems that can be breached.
The challenge for many companies is that they don’t just have to defend their IT infrastructure, but also their industrial control systems (ICS), which are much harder to protect. There are a couple of reasons for this. First, the two operate using vastly different protocols, so while there is a huge population of IT professionals with experience in looking for internet threats, there are far fewer doing the same for ICS-based systems.
Second, whereas IT systems have a relatively short life cycle of around three years, for ICS it is somewhere in the region of 10 or 20 years. This is because, until now, it simply didn’t make business sense to change ICS more frequently. Before the advent of the Internet of Things you needed to think about safety, but not really about security. This mindset has endured. AIG underwrites environmental impairment liability (EIL) for a broad range of industries, and clients usually still think that cyber is just an IT issue. This is something that needs to change.
Even if the targets aren’t changing, the threats are. Extortion is the biggest cause of cyber claims that we see, accounting for about 15-20% by volume. When ransomware emerged five or six years ago, the modus operandi was for the end-user to have their software or data encrypted by a hacker who would want roughly $200 for the decryption key to restore the systems and return the data.
This has expanded now to the point where organised criminals are targeting enterprises. They undertake increased due diligence on how much potential targets can pay, before stealing their data and encrypting it. Victims may now have to pay two ransoms running into millions of dollars: one to get the data back and another so that the hacker won’t make it public.
Within the scope of EIL, cyber threats can materialize into significant real-world damage, causing environmental issues, property damage and casualties, in addition to the already mentioned financial damages. For example, if a hacker seized control of the systems at a water company, they might threaten to open the sewage gates and pollute nearby waterways if a ransom isn't paid. Sometimes the hacker is not incentivised by money and just wants the challenge of being able to cause damage. And, of course, threats don’t just come from external actors but also from negligent or disgruntled employees.
Holistic risk management
Companies need to better understand cyber risk and its intersection with environmental threats, shifting focus to not just look at the potential for financial loss but physical damage too.
Protection starts with getting the basics right. This means making sure that there is enough separation between ICS and IT systems. Two-factor authentication should be in place. Passwords should be robust and not easily guessable. A monitoring process should be in place to identify any unusual activity in the system. Vulnerability management is important, and patching needs to be done promptly. A sound approach to access management is also vital – regularly asking the question “who has access to what?” and making sure only the right people do. It is often difficult to perform background checks on employees, so access-control monitoring and logging are very important.
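The two controls above that a practitioner can actually automate are the access review (“who has access to what?”) and monitoring for unusual activity. The following script is an added illustration, not code from the article or from AIG: it runs an ICS-side access review over a constructed IAM export and then checks a few constructed control-system log lines for the kinds of events the article worries about (a non-ICS account changing a setpoint, a change outside working hours, a setpoint pushed past a safe limit, repeated failed logins). The asset names, roles, safe limits, working-hours window and log format are all assumptions made for the example.

```python
from collections import Counter
from datetime import datetime

# Constructed sample data (not from the article): an access matrix as a
# directory or IAM tool might export it, one row per (user, role, asset).
ACCESS_EXPORT = [
    ("alice", "ics-engineer", "plc-boiler-1"),
    ("bob", "it-helpdesk", "plc-boiler-1"),    # IT account granted an ICS asset
    ("carol", "ics-engineer", "scada-hmi"),
    ("dave", "contractor", "scada-hmi"),       # contractor with no ICS role
    ("erin", "it-helpdesk", "mail-server"),
]

# Assumed policy: only these roles may hold access to these ICS assets.
ICS_ASSETS = {"plc-boiler-1", "scada-hmi"}
ICS_ROLES = {"ics-engineer"}
USER_ROLES = {user: role for user, role, _ in ACCESS_EXPORT}

# Assumed per-tag safe limits for setpoint changes (illustrative values).
SAFE_LIMITS = {"pressure": 10.0, "temperature": 180.0}

# Constructed log lines in a simple "timestamp EVENT key=value ..." format.
SAMPLE_LOG = """\
2024-03-02T02:13:51 LOGIN user=bob src=10.0.5.12 result=FAIL
2024-03-02T02:13:58 LOGIN user=bob src=10.0.5.12 result=FAIL
2024-03-02T02:14:07 LOGIN user=bob src=10.0.5.12 result=FAIL
2024-03-02T02:14:20 LOGIN user=bob src=10.0.5.12 result=OK
2024-03-02T02:14:40 SETPOINT user=bob asset=plc-boiler-1 tag=pressure old=8.0 new=14.5
2024-03-02T09:30:02 LOGIN user=alice src=10.0.7.3 result=OK
2024-03-02T09:31:15 SETPOINT user=alice asset=plc-boiler-1 tag=pressure old=8.0 new=8.5
"""


def review_access(export, ics_assets=ICS_ASSETS, ics_roles=ICS_ROLES):
    """Access review for the ICS side: return every (user, role, asset) row
    that grants a non-ICS role access to an ICS asset."""
    return [row for row in export
            if row[2] in ics_assets and row[1] not in ics_roles]


def parse_line(line):
    """Turn one log line into a dict with a parsed timestamp and event name."""
    ts, event, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "event": event}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = value
    return rec


def flag_unusual(log_text, fail_threshold=3, work_hours=(6, 18)):
    """Scan log lines and return (timestamp, rule, user) alerts for activity
    that should be unusual on a well-separated, well-managed ICS."""
    alerts = []
    failed_logins = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        user = rec["user"]
        if rec["event"] == "LOGIN" and rec["result"] == "FAIL":
            failed_logins[user] += 1
            if failed_logins[user] == fail_threshold:  # alert once per user
                alerts.append((rec["ts"], "repeated-failed-logins", user))
        elif rec["event"] == "SETPOINT":
            if USER_ROLES.get(user) not in ICS_ROLES:
                alerts.append((rec["ts"], "setpoint-by-non-ics-account", user))
            if not (work_hours[0] <= rec["ts"].hour < work_hours[1]):
                alerts.append((rec["ts"], "off-hours-setpoint-change", user))
            limit = SAFE_LIMITS.get(rec["tag"])
            if limit is not None and float(rec["new"]) > limit:
                alerts.append((rec["ts"], "setpoint-exceeds-safe-limit", user))
    return alerts


if __name__ == "__main__":
    for row in review_access(ACCESS_EXPORT):
        print("ACCESS REVIEW: remove or justify", row)
    for ts, rule, user in flag_unusual(SAMPLE_LOG):
        print(f"ALERT {ts.isoformat()} {rule} user={user}")
```

On the constructed data the review flags the two accounts that hold ICS access without an ICS role, and the monitor raises four alerts, all for the same IT account: a burst of failed logins followed by an out-of-hours pressure setpoint change that exceeds the safe limit. The point of tying the two together is that the access review is what lets the monitor recognise a "wrong role on the wrong asset" event in the first place; without an up-to-date answer to "who has access to what?", the log line looks like a routine change.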
With the boundaries between physical and financial cyber loss becoming increasingly blurred, companies also need to understand the insurance products that are available and make sure that they have appropriate coverage. Extensive experience underwriting both non-physical and physical cyber risks should be an important consideration in the evaluation of EIL coverage.
By David Nunes & Sebastian Hess