Whether it is due to a technical glitch, human error or, as in the recent Petya and WannaCry cases, a full-on cyberattack, there is a significant cyber risk for companies delivering products and services as digitalisation transforms the industrial world. Implementing proper risk management procedures should be a top priority, including understanding the significant threat posed by business interruption (BI).
The one minute dialogue
- Cyber incidents are often associated with data loss or privacy but, more and more, business interruption is becoming a key risk for companies
- Even though smart factories will reduce the number of physical damage losses, the number of cyber-driven BI events is predicted to increase
- As seen in the recent WannaCry case, ransomware attacks can easily stop production across many different industries
- Cyberattacks create a lot of public awareness about cyber risk but, more often, it is mundane technical failures and IT glitches that cause cyber BI
A single cyber incident can lead to a severe interruption of normal business. And the number of incidents is growing. Globally, distributed denial of service (DDoS) attacks will increase over twofold to 17 million by 2020, roughly 25% per year. Network service provider, Akamai, noted a 77% increase in infrastructure layer attacks just in the period from Q3 2015 to Q3 2016, the largest of which – the Mirai botnet – brought down the infrastructure provider, Dyn, and affected websites including Netflix, Twitter, the Guardian and CNN in October 2016. Technical computer infrastructure failures are also increasing, causing transportation stoppages and manufacturing production interruptions.
As businesses rely more on digitalisation to control and optimise production, insurance solutions address fast-moving and difficult to prevent or predict cyber exposures.
Reported data breaches, not including other cyber events, are expected to grow 40% a year by 2019. “Whether due to a technical glitch, human error or a highly skilled cyberattack, these incidents are surfacing around the globe, which implies, collectively, the emergence of a ‘new normal’,” explains Rishi Baviskar, Senior Cyber Risk Consultant, Allianz Global Corporate & Specialty (AGCS).
As digitalisation joins together smart factories, grids, machines, public networks and other facilities, cyber incidents may disrupt many industries. New vulnerabilities are arising through which cybercriminals could exploit the increase in interconnectivity. Whether accidental or planned, the end result of these incidents is business interruption.
Hacking into the hospital
An example of the vulnerability of one sector – healthcare – was seen when a hospital in Germany came under ransomware attack.
Staff at Lukaskrankenhaus Hospital in Neuss, Germany, noticed one morning that the system was running slowly and unusual error messages were popping up. The entire system, including servers and email, was moved offline.
After weeks, the hospital still experienced problems and months passed before normal business resumed. What damage resulted from the cyber incident? One-fifth of hospital operations were cancelled; emergency room services were sharply curtailed; hospital IT staff had to contract expensive British IT specialists to eradicate the virus; and doctors, staff and patients were inconvenienced for weeks.
Luckily, no patient information was corrupted. The incident shows the devastation that cyber incidents can cause and the resulting interruption that can afflict a business.
“Although in this scenario the focus was on the ransomware, the key consequence was unavailability of systems, as well as the slowdown of operations and services – in other words, cyber BI,” says Georgi Pachov, AGCS Global Practice Group Leader Cyber, CUO Property.
Smart still means vulnerable
“Cyber risks are not isolated to a particular segment, but span across different industries and company sizes,” says Pachov. “A cyberattack, for example a DDoS, can overload an online retailer’s web server and render it inaccessible. Technical glitches such as incompatible software components and sensors or inaccurately set temperature or pressure parameters can also cause the interruption of normal business activity.”
Businesses increasingly rely on digitalisation to control and optimise production. Likewise, interconnectivity makes the digital supply chain a fundamental part of business. Such dependencies make BI incidents ever more non-physical in nature.
Digitalisation is especially evident in the heavy manufacturing sector. The world now includes 1.1 million working robots and about 80% of the car manufacturing work is allocated to robots. Today, over 3.5 billion machines are connected within the global supply chain – a number that will only increase in future, to an estimated 50 billion machines over the next decade.
The applicability of interconnected devices, smart factories, smart machines and real-time monitoring will lead to a convergence of the IT (desktop applications, emails and office tools) and OT (smart machines, production devices and sensors) domains in the next 15 to 20 years.
Cyber insurance solutions
Insurance solutions address the fact that cyber events are fast-moving and difficult to prevent or predict. Because of the uncertainty, many companies may not even know they have been impacted until long after the initial event. Standalone cyber insurance has been designed to specifically cover business losses and liabilities arising from cyber exposures.
Cyber insurance focuses on non-traditional, non-damage cyber BI following an event. When an incident occurs and physical damage or machinery breakdown results, the resulting claim for damages typically falls under the standard property damage policy, due to the existence of physical damage as well as the difficulty of proving a cyber trigger in case of severe damage.
“The market needs to work on the ‘grey areas’ in cyber policies, as well as policy gaps and overlaps across different solutions,” Pachov says. “We are seeing more cyber covers that include a range of BI elements,” adds Emy Donavan, Global Head of Cyber and Tech PI, AGCS.
As the industry grapples with the ‘silent’ cyber exposures that may be triggered in routine incidents, and covered in traditional property and liability policies, it tends to study traditional wordings more closely in order to understand and calibrate new exposures. The issue, however, is that reported loss history is limited, particularly related to BI, and risk aggregation is difficult to quantify.
“AGCS has had a Cyber BI product since the beginning of the 21st century,” says Pachov, “so it’s not something new for us. But the cyber BI severity we are seeing is definitely not driven by cyberattacks and data breaches, nearly as much as hidden, non-reported technical/technological failure and/or internal operational errors.”
Donavan says that one way for companies to mitigate cyber risk is to appoint a Chief Information Security Officer (CISO) or equivalent to implement a comprehensive information security management system (ISMS). “Although it is costly and time-consuming, it is necessary not just for information security but also for the long-term health of the business. This is why it should be a board-level concern,” she says.
Cyber risk mitigation tips for companies of all sizes:
- Consider potential exposures in line with the long-term strategy and prepare for potential incidents
- Know your assets and how to prepare, process and protect data
- Implement monitoring and early warning systems to guard against data compromise and manipulation, digital anomalies along the business chain, viruses, etc.
- Implement downtime tracking tools/software in order to reduce idle time and increase productivity
- Develop a cyber strategy in conjunction with a business continuity plan (BCP)
- Train employees to identify data flow dependencies and related anomalies, to recognise fake emails and not to click through on suspicious links
- Ensure 100% backup and timely recovery for all real-time data-driven processes
- Back up data off-site, segmented apart from the company’s network
- Use role-based permissions for employees and do not grant more data access than needed for their jobs
- Appoint a Chief Information Security Officer (CISO) to oversee the company’s operational technology (OT) landscape