During the last year or so, in our blog, we have covered several aspects in the latest revolution in manufacturing – Industry 4.0 – and how manufacturers are now leveraging the advantages of digitization, including connected machines, for productivity gains, cost efficiencies and superior customer service. As manufacturing plants increasingly become digitally connected with other areas in their company, the need to keep networks secure is vital to one’s bottom line. Equally critical is having Cyber Liability insurance designed specifically for the needs of manufacturers. Without this coverage, in the event of a cyber attack, you could end up paying out of pocket for the many expenses that come with a breach.
The good news is that more manufacturers are heeding the call to purchase Cyber insurance. According to a recent article in the Wall Street Journal, manufacturers paid $36.9 million in premiums for cyber-specific policies in 2016, up 89% from 2015. Additionally, manufacturers accounted for 12.6% of premiums tracked in 2016 compared with 9% the year before, based on a sample of more than 9,000 mostly U.S. companies.
No longer the must-have insurance coverage for only consumer-facing businesses, such as retailers, financial services providers and health care providers to protect against customer data theft, Cyber Liability insurance is gaining ground in being considered an integral part of a comprehensive manufacturing risk management program. This is particularly so as manufacturers face emerging risks due to greater automation, network-controlled production lines, the hyper-connectivity of Industry 4.0, the increased sophisticated of hackers, and risks inherited from external connections, such as supply chain and trading partners and service providers. The manufacturing sector, in fact, was the leading target of infrastructure cyber attacks in the U.S. in 2015.
Cyber Exposures Loom
According to a survey of manufacturers performed by Deloitte and the Manufacturers Alliance for Productivity and Innovation (MAPI), the following are the 10 top cyber threats respondents are concerned about:
- Theft of intellectual property: 34%
- Phishing, pharming, and other related variants: 32%
- Increasing sophistication and proliferation of threats: 28%
- Security breaches involving a third party: 28%
- Social engineering: 27%
- Employee errors and omissions: 26%
- External financial fraud involving information systems: 25%
- Employee abuse of IT systems and information: 25%
- Mobile devices (e.g., smartphones, tablets): 24%
- Attacks exploiting mobile network vulnerabilities: 23%
The Wall Street Journal article mentioned above also provided a couple of examples of the type of cyber threats that have recently affected manufacturers including a development involving Abbott Laboratories. Regulators at the FDA criticized Abbott Laboratories for failing to properly investigate and resolve risks after a report was issued that its pacemakers and defibrillators were vulnerable to hacking. The possibility that hackers could manipulate the devices and cause potential patient deaths caused Abbott’s stock to fall. In addition, the FDA required Abbott to provide a written description of the steps it has taken to correct the violations identified by FDA inspectors and an explanation of how it will prevent similar violations from occurring in the future. If Abbott fails to correct the violations, the FDA could seek to implement an injunction, conduct a seizure and issue monetary fines. The FDA said it wouldn’t make any approvals related to the heart devices until the violations are corrected.
Another example illustrating the type of cyber exposures manufacturers could face involved a steel manufacturer in Germany, which suffered major equipment damage from an attack when hackers manipulated and disrupted control systems to such a degree that a blast furnace could not be properly shut down. A report, issued by Germany’s Federal Office for Information Security (or BSI), indicated the attackers gained access to the steel mill through the plant’s business network, then successively worked their way into production networks to access systems controlling plant equipment. The attackers infiltrated the corporate network using a spear-phishing attack—sending targeted email that appears to come from a trusted source in order to trick the recipient into opening a malicious attachment or visiting a malicious website where malware is downloaded to their computer. Once the attackers got a foothold on one system, they were able to explore the company’s networks, eventually compromising a multitude of systems, including industrial components on the production network.
Addressing Cyber Risks
It’s important to note that traditional property and casualty policies, including General Liability and Property insurance, are not designed to respond to cyber losses, making the purchase of Cyber Liability insurance imperative. Cyber coverage for manufacturers can be tailored to include:
- Data Breaches: Companies are responsible for protecting the personal information of their employees as well as clients. In the event of a breach, there are many costs involved, including forensics to determine how the breach occurred, notification costs to affected parties, public relations/crisis management, and possible fines and penalties, among other expenses.
- Third-Party Damages: These damages can have various forms, from transmitting a virus to another company or a data breach for companies responsible for protecting or maintaining data, and can result in third-party liability suits.
- Business Interruption: Many manufacturers maintain this coverage for losses resulting from fire, natural disaster, equipment breakdown, etc. Most policies won’t provide coverage for loss of use of your computer system due to data breach, virus or other cyber issues that can shut the business down. A Cyber policy can be designed to include business interruption as a result of a cyber loss.
- Cyber Extortion: This is an area of increasing risk where hackers can control websites or networks and demand payment to restore your systems to working order. This may impact the ability to conduct business and can result in significant direct and indirect financial loss without Cyber coverage.
In addition to having a comprehensive Cyber insurance policy in place, strong risk management and best practices are critical in mitigating the potential for losses. This includes:
- Taking a measured, risk-based approach to what is secured and how to secure it. This includes managing cyber risks as a team and increasing preparedness by building cyber risk management strategies into your operation and emerging technologies as they are deployed.
- Monitoring systems, applications, people, and the outside environment to detect incidents more effectively. This includes developing situational awareness and threat intelligence to understand harmful behavior and top risks to your operation and actively monitoring the dynamic threat landscape.
- Being ready for incidents and decreasing their business impact by improving organizational preparedness to address cyber incidents before they escalate. This also includes capturing lessons learned, improving security controls, and returning to business as usual as quickly as possible.
Even with the best Cyber Insurance policy in place, a manufacturer must develop a comprehensive IT disaster recovery (ITDR) plan to minimize disruption and the negative impact to business operations and production that a cyber-attack can cause. The ITDR should include a Recovery Point Objective “RPO” and a Recovery Time Objective “RTO.” The RPO defines how recent the backups need be to cause the least impact when restored. How much data can you afford to lose? If you are filling in a database with various kinds of information, is it tolerable to lose one hour of work, two hours or maybe two days? The RTO defines how long it will take to restore/recover the backups on to working servers or systems.
It’s important to work with an insurance professional that truly understands the risks of manufacturers when securing any type of coverage, including Cyber Liability. At Precision Manufacturing Insurance Services (PMIS), we specialize exclusively in protecting the manufacturing industry with insurance and risk management services. We will assist you in ensuring that the scope of Cyber coverage needed and your limits of liability are aligned with your operation’s exposures. Give us a call at 855.910.5788 to find out more about our custom manufacturing insurance solutions.