Cyber risks in heavy industry: perpetual motion

At a recent Mining Insurance & Risk Association conference in Vancouver, a cyber risk specialist informed a travel-weary auditorium of insurance and risk professionals, on their second cup of joe, that she had researched the Dark Web (basically the underground hackers' hangout) and found that 28 out of 30 attendee companies had some form of exposed data available for sale, or freely available for use by others.

As you can imagine, in a room full of people (technical underwriters, global risk managers, risk engineers, loss adjusters and humble insurance brokers) who generally eat, drink and sleep thinking about risk, we quickly shook off the morning shroud and started scribbling some furious notes.

There is perhaps a perception that, because the mining and construction sectors often operate with a distinct separation between their computer networks and the ‘coal face’, operations could continue despite a cyber attack. The prospect of a prolonged shutdown, or worse, a malicious physical attack using their own systems against them, has historically been considered improbable.

Two worlds collided…

The creep of IoT (the internet of things – that is, the automation and interconnectivity of operations) has brought serious improvements in production, safety and processes to our Operational Technology (OT), which was historically separated from our Information Technology (IT) systems.

The joining of these two worlds has enmeshed operational risk with technology, creating entry points for potential cyber attacks – and every business is susceptible, irrespective of how prepared some may think they are. Previously unimagined risks are now likely, and their evolution is in perpetual motion, with more creative cyber criminals and, in some instances, state-backed actors constantly shifting the goal posts.

Automation of heavy industry processes, plant and machinery has given cyber criminals an opportunity to act beyond the hijacking and ransoming of computer systems – physical consequences are now a reality.

Interestingly, the aforementioned cyber specialist casually mentioned that manuals for automated machinery including trucks, drill rigs and longwalls, schematics and designs of remote operational control rooms, and instruction and training materials for heavy industry automated machinery and equipment are all now in demand on the Dark Web. If cyber criminals are trained in their operation, and they gain control of the network systems, their ability to wreak some serious havoc is very real.

Won’t my ISR / Property insurance program respond?

Ah, not really.

While there are a few exceptions where insurers do cover some damage arising from cyber attacks, more broadly, since 2019 the Lloyd’s Market Association (LMA) has developed two exclusions specifically designed to address when, and if, property insurance programs can respond to cyber and data losses.

Without going into the technicalities, in short, you will likely find on your ISR policy either LMA5401, a total exclusion whereby any damage or resulting business interruption is excluded, or LMA5400, which provides a very limited writeback of some cover for fire or explosion resulting from a Cyber Incident (as defined).

Either way, the full extent of an actor penetrating your network, gaining control and causing damage and subsequent business interruption is likely to be excluded or at least heavily curtailed.

These clauses were developed as cyber claims were first becoming prevalent, before cyber claims began blowing up insurers’ portfolios in 2020, so there is reluctance from the property insurance market to step up its coverage; in fact, it has gone very much the other way.

What about a Cyber-Terrorism attack?

Beneficially, in Australia the Australian Reinsurance Pool Corporation (ARPC), the reinsurance vehicle created to provide insurance backing for terrorism incidents in Australia, has confirmed that this would extend to a cyber-terrorism attack.

The main problem is accessing it.

There has only been one Declared Terrorism Incident (DTI) in the 20+ years since the ARPC’s inception: the Lindt Café siege in Sydney, 2014. The ARPC’s claims system recorded 92 claims totalling $2.3Mn of insured claims from 20 insurers as a result of the DTI – mainly minor property damage and predominantly business interruption.

The ARPC is capitalised to meet up to $14Bn in claims.

Is Cyber Insurance the answer?

Well, no, not really.

As with most insurance products, it is not going to prevent anything from happening, and it is unlikely to make you entirely whole after an event occurs.

The policy was originally designed with two critical exclusions that prevent it from responding adequately:

  1. a property damage/bodily injury exclusion, which excludes loss, damage or destruction of tangible property, and
  2. an exclusion that extends to any business interruption resulting from said loss, damage or destruction of tangible property.

Further, the limits purchased under a cyber program are fairly small in comparison to an ISR/property program, and are therefore unlikely to truly assist companies in meeting the full ramifications of a cyber attack that manifests as physical damage and resulting business interruption.

So why buy it?

It’s still better than nothing and there are significant advantages to having it.

While the policy simply cannot respond as broadly as we would like in all contexts, we have seen its worth proven when called upon.

Most beneficially, having access to a threat response team that knows how to deal with a threat actor who has compromised a client’s systems, or taken them entirely out of the client’s hands, is invaluable, as these resources are not usually in-house for most clients.

The process of applying for a cyber insurance program provides some excellent resilience checks, balances and guidance, but the four key elements to lock down as a priority are:

  1. Increasing endpoint detection within the Operational Technology environment, meaning that all of your linked systems are constantly monitored to detect and investigate any threat penetration
  2. Enhancing and expanding Multi-Factor Authentication (MFA) and encryption across all access points in the operations
  3. Regular scenario planning and penetration testing
  4. Understanding how manual overrides and fail-safe mechanisms can be deployed, and by whom