Don’t Overlook Operational Cyber Attacks — They Can Be Just as Costly as a Data Pilfer
In just the first half of this year, cyber attacks have been bigger and broader.
“The hacks have targeted vendors or the supply chain,” said John Farley, managing director of the cyber practice at Gallagher.
“That has affected thousands of other companies.”
Or, in the case of the Colonial Pipeline extortion, millions of drivers. In one unnerving attack at a powerplant in Ukraine, plant operators reported that they saw manual cranks moving by themselves, being manipulated by the hackers.
While there is no question the market is hardening, there is no stampede for the exits as was seen in marine lines over the past few years. A few underwriters have left, “but this is not a market that most carriers can exit,” said one source.
Andrew Lipton, vice president of cyber claims at AmTrust Financial Services, said, “Generally speaking, cyber coverage was initially very broad and is now being restricted, but cyber insurance placed by a specialized broker is still the first step. Owners should come to the insurance industry first, even with the hardening of the market.”
In several high-profile cases, the companies that have been hacked have paid the ransom, which at first blush might seem like capitulation, but is part of the cold calculus of the recovery process.
Company officials — in consultation with their carriers, response specialists and law enforcement — assess the damage done, potential for further harm, and the aggregate costs of paying ransom or not.
Many of the latest attacks came with a diabolical new twist: The disabling of operating systems is only the visible part of the iceberg.
Many companies have redundant systems or even mechanical backups and could resume some level of operations without too much trouble.
Not only are the hackers demanding six- to seven-figure ransoms, they are threatening to disclose sensitive information, such as human-resources or client records, on top of the operational disruption.
That is also why health care and educational institutions, even school districts have been targeted.
Not because they have deep pockets, but because they have compelling responsibilities. That’s why the coverage has had to evolve very rapidly or risk becoming irrelevant.
“In its short life, cyber coverage has undergone tremendous change,” Farley said.
“Initially underwriters did not ask a lot of questions about data security. Over time, hackers became more sophisticated and successful, claims became larger and more frequent, and the underwriting community took note. Carriers started to ask more questions and pulled back on some coverages. We’ve seen a hardening of the market starting in 2019 and continuing through last year.”
Some carriers are pulling back, and others are imposing new sublimits for ransomware claims, Farley noted.
“That said, everything is negotiable. If an insured has backup systems, and they are encrypted, and there are other protections in place, then coverage can be secured. That is particularly true if the insured can handle higher retentions.”
In any case, Farley urges owners to carry some level of cyber coverage, if only to gain access to a cyber response network.
“Virtually all policies come with a comprehensive ecosystem of experts: information technology and forensics, crisis management and corporate reputation experts,” he said.
“That can be difficult to replicate. When a breach happens on a holiday weekend, who are you going to call, and how much is it going to cost?”
Have a Plan, but Secure the Plan
Even the most elaborate contingency and resiliency plan is useless if it only resides on the hard drives or servers that have been hacked.
Cyber security advocates suggest key response contacts be kept on different phones connected to different networks; that response plans be saved on laptops kept turned off and physically removed, “air gapped,” from the internal network or internet; and that essential data be segmented and stored separately.
Even though cyber attacks are moving from mostly IT to include operational technology, “nothing has changed in terms of coverage,” said Jacob Ingerslev, head of global cyber risk at The Hartford.
“When it comes to cyber attacks aimed directly at a company, cyber insurance policies don’t distinguish between IT and OT,” he said.
“Policy definitions have always had broad application to technology [network] overall, whether IT and OT. However, cyber attacks to a company’s critical infrastructure supply chain, which often involve OT, may not be covered.”
That is because “most cyber policies exclude coverage for contingent business interruption due to critical infrastructure outages. Exclusions typically apply to services such as electricity, water, gas, internet and telecom, but not cloud services or other outsourced IT,” Ingerslev added.
Ingerslev suggested carriers help policyholders through a more structured risk management process: identify and remediate critical vulnerabilities, insurance and response to incidents.
“When it comes to cyber resilience, start by eliminating as many unknowns as possible and determine what you can and cannot control,” Ingerslev urged.
“Establish your risk tolerance to outages whether direct or indirect; durable versus non-durable manufacturing output, for example. That begins with a map of all supply chain dependencies and understanding the liabilities of various providers of critical infrastructure.”
For internal cyber security, seperating OT from IT can help.
Ingerslev said “Separate OT from IT as much as possible. Physical separation is very challenging these days. However, logical separation or segmentation — using firewalls, subnetting, access controls, and the principle of least privilege — can reduce the risk significantly.
“Reduce the attack surface by disabling unnecessary network services and blocking internet-facing ports. Use multi-factor authentication, and perform daily backups. Store backups offline,” he added.
The vulnerability of legacy software is well known, but the vulnerability of legacy architecture may be even worse, noted Wade Chmielinski, staff vice president, group manager, cyber security consultants at FM Global.
“Even though enterprise resource planning systems have to share data, it is actually possible to secure the connection between IT and OT,” he stated.
“Traditional firewalls control traffic. And you can create a ‘DMZ’ between IT and OT where all connections terminate. Ransomware attacks are network based. Take the time to build architecture with security in mind.”
While many traditional risk management tenets hold true in the brave new world of cyber perils, the intelligence behind them — both human and artificial — mean the threats will evolve.
“Offline backups are absolutely recommended,” said Chmielinski, noting that harkens back to age-old precautions for important information.
“There should be one copy online, a second copy offline and secure, and an additional copy somewhere. The offline can be a snapshot, daily, weekly, monthly.”
Chmielinski elaborated more on this in a Risk Insider column for Risk & Insurance,® where he contrasted those fundamentals of risk management with the insidious nature of cyber threats.
“Fire doesn’t think about how not to trip the smoke alarm,” he said. And fire does not think where to cause the most damage: “The bad guys go for the backup data first,” while they are still undetected.
“Then they shut down the operations,” Chmielinski said.
Like carriers, law firms are providing evaluations and guidance — not just response and recovery services.
“We do a lot of proactive work with clients,” said India Vincent, chief privacy officer of Burr & Forman.
“It’s about equal time as we spend on response. We work with a lot of manufacturing clients and with their insurance brokers to assess their coverage, especially now that carriers are tightening their standards. We get a lot of questions about business interruption coverage and reputational damage.”
Vincent stressed that one of the documents kept securely offline is the cyber coverage policy.
“It can be used as a way for the hackers to set the ransom terms. We are aware of cases where the ransom demands matched the policy coverage exactly.”
She added customer and supplier contacts to the list as well and not just to protect them from disclosure or becoming the next victims.
“There are legal reporting requirements, as well as contractual ones,” but to comply with those mandates will be very difficult if the contacts have been made inaccessible, she noted.
“Cyber insurance is such a fluid market,” added Robert Given, partner at Burr & Forman.
“It is difficult for clients/insureds to understand all the costs and elements of a response. There is first-part coverage and third-party exposure. There is business interruption, but what is the waiting period? Is there continent BI or supplier BI? Are partial attacks covered? Are civil or contractual penalties and fines covered?” &