
Where environmental & cyber risk meet

Environmental liabilities present a growing risk to businesses. Heightened levels of public awareness and developing regulation have made businesses more accountable for environmental damage. At the same time, cyber risk is an ever-growing threat to companies of all sizes. The point where the two converge is presenting new challenges.

There are two elements to cyber risk. The first is the better-known one: financial loss due to business interruption and reputational damage following a cyber breach. The second is the physical threat that can stem from a cyber incident, which in some cases can have an environmental impact. A hacker gaining control of a company’s systems could cause a pollution incident through an uncontrolled release, for example by opening control valves, or by raising pressure or temperature settings until something explodes. Similarly, a negligent act or failure to act by an employee while operating, maintaining or upgrading a computer system could also lead to a pollution incident. In both cases the company could be on the hook for the clean-up costs of the environmental damage.

The more digital systems that are connected to the Internet, the greater the number of access points available to a hacker, and the more opportunities for a breach. Almost every industry now has automated systems that can be breached.

Interconnected systems

The challenge for many companies is that they don’t just have to defend their IT infrastructure, but also their industrial control systems (ICS), which are much harder to protect. There are a couple of reasons for this. First, the two operate using vastly different protocols, so while there is a huge population of IT professionals experienced in looking for internet threats, far fewer do the same for ICS.

Second, whereas IT systems have a relatively short life cycle of around three years, for ICS it is somewhere in the region of 10 or 20 years, because until now it simply didn’t make business sense to change ICS more frequently. Before the advent of the Internet of Things you needed to think about safety, but not really about security, and this mindset has endured. AIG underwrites environmental impairment liability (EIL) cover for a broad range of industries, and clients usually still think that cyber is just an IT issue. This is something that needs to change.


Evolving risk

Even if the targets aren’t changing, the threats are. Extortion is the biggest cause of cyber claims that we see, accounting for about 15-20% by volume. When ransomware emerged five or six years ago, the modus operandi was for the end user to have their software or data encrypted by a hacker who would demand roughly $200 for the encryption key to restore the systems and return the data.

This has expanded now to the point where organised criminals are targeting enterprises. They undertake increased due diligence on how much potential targets can pay before stealing their data and encrypting it. Victims may now have to pay two ransoms, running into millions of dollars: one to get the data back and another so that the hacker won’t make it public.

Within the scope of EIL, cyber threats can materialize into significant real-world damage, causing environmental issues, property damage and casualties, in addition to the already mentioned financial damages. For example, if a hacker seized control of the systems at a water company, they might threaten to open the sewage gates and pollute nearby waterways if a ransom isn't paid. Sometimes the hacker is not incentivised by money and just wants the challenge of being able to cause damage. And, of course, threats don’t just come from external actors but also from negligent or disgruntled employees.

Holistic risk management

Companies need to better understand cyber risk and its intersection with environmental threats, shifting focus to not just look at the potential for financial loss but physical damage too.

Protection starts with getting the basics right. This means making sure that there is enough separation between ICS and IT systems. Two-factor authentication should be in place. Passwords should be robust and not easily guessable. A monitoring process should be installed to identify any unusual activity in the system. Vulnerability management is important and patching needs to be done promptly. A sound approach to access management is also vital – regularly asking the question “who has access to what?” and making sure only the right people do. It is often difficult to perform background checks on employees, so having access-control monitoring and logging in place is very important.
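The monitoring and access-management basics above can be made concrete with a small check that runs over control-system audit logs. The following is an added example written for this page, not AIG's code or any vendor's product: the log line format, the host names, account names and tag names are all constructed for the demonstration, and the idea is simply to hold the reviewed answer to “who has access to what?” (which accounts may write setpoints, and from which engineering workstations) and flag every write that does not match it, or that lands outside the operating shift.

```python
"""Flag unusual control-system writes against a reviewed access list.

Added example (not the article's or AIG's code). The gateway log format,
hosts, accounts, tags and shift hours are assumptions invented for the demo.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional, Tuple

# Constructed sample of an ICS gateway audit log (format assumed):
# timestamp, account, source host, operation, target tag, optional value.
SAMPLE_LOG = """\
2024-03-01T09:15:02Z user=ops_alice src=ews-01 op=READ tag=TANK1.LEVEL
2024-03-01T09:16:40Z user=ops_alice src=ews-01 op=WRITE tag=VALVE7.SETPOINT value=42
2024-03-01T23:48:11Z user=ops_alice src=ews-01 op=WRITE tag=VALVE7.SETPOINT value=100
2024-03-01T10:02:55Z user=svc_backup src=fileserver-03 op=WRITE tag=REACTOR2.PRESSURE_SP value=9.5
2024-03-01T10:05:13Z user=guest src=10.0.5.77 op=WRITE tag=PUMP3.RUN value=1
2024-03-01T10:06:00Z user=ops_bob src=ews-02 op=READ tag=PUMP3.RUN
"""

# The reviewed access list ("who has access to what"): only these accounts may
# issue writes, and only from these engineering workstations on the ICS side
# of the IT/ICS boundary. Both sets are assumptions for the example.
WRITE_ACCOUNTS = {"ops_alice", "ops_bob"}
ENGINEERING_HOSTS = {"ews-01", "ews-02"}
# Setpoint changes are expected during the day shift; outside it they are unusual.
SHIFT_START, SHIFT_END = time(6, 0), time(22, 0)


@dataclass
class Event:
    ts: datetime
    user: str
    src: str
    op: str
    tag: str
    value: Optional[str]


def parse_line(line: str) -> Event:
    """Parse one 'ts key=value ...' log line into an Event."""
    parts = line.split()
    ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    kv = dict(p.split("=", 1) for p in parts[1:])
    return Event(ts, kv["user"], kv["src"], kv["op"], kv["tag"], kv.get("value"))


def check_event(ev: Event) -> List[str]:
    """Return the reasons a write is unusual; an empty list means it matches policy."""
    reasons: List[str] = []
    if ev.op != "WRITE":
        return reasons  # reads are not controlled here
    if ev.user not in WRITE_ACCOUNTS:
        reasons.append("write by account without write access")
    if ev.src not in ENGINEERING_HOSTS:
        reasons.append("write from non-engineering host (check IT/ICS separation)")
    if not (SHIFT_START <= ev.ts.time() < SHIFT_END):
        reasons.append("write outside operating shift")
    return reasons


def find_unusual(log_text: str) -> List[Tuple[Event, List[str]]]:
    """Run every non-empty line through the checks and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        reasons = check_event(ev)
        if reasons:
            findings.append((ev, reasons))
    return findings


if __name__ == "__main__":
    for ev, reasons in find_unusual(SAMPLE_LOG):
        print(f"{ev.ts.isoformat()} {ev.user}@{ev.src} {ev.op} {ev.tag}: {'; '.join(reasons)}")
```

On the constructed sample this reports three of the four writes: the late-night setpoint change by an authorised operator, a write from a backup service account on a file server that should never reach the control network, and a write from an unknown address by a guest account. The daytime write from the engineering workstation passes. The value of keeping the allow lists in one place is that the periodic access review and the detection logic share the same answer, so a stale entry shows up either way.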

With the boundaries between physical and financial cyber loss becoming increasingly blurred, companies also need to understand the insurance products that are available and make sure that they have appropriate coverage. Extensive experience underwriting both non-physical and physical cyber risks should be an important consideration in the evaluation of EIL coverage.

By David Nunes & Sebastian Hess

