Connected industries highly vulnerable to cyber-attacks and liability risks
- Cyber-attacks in utilities and manufacturing sectors could cause physical damage as well as business interruption with ill-prepared industrial control systems targets
- Industry 4.0 solutions will reduce physical frequency losses but overall loss potential is rising
- For digitized businesses, intangible assets are becoming more important and require new risk management and insurance strategies
PRESS RELEASE. London/New York/Munich/Singapore, June 1, 2016.
Three utilities companies in the Ukraine, the Israel National Electricity Authority and most recently a German nuclear power plant have suffered cyber-attacks in recent months. As energy, transportation or telecommunication companies, but also the manufacturing sector, become more reliant on automation, robot technologies and digital networks of connected devices, they are also increasingly vulnerable to cyber-attacks. Rather than stealing data, cyber-attacks against critical infrastructure and manufacturers are more likely to target industrial control systems (ICS) to manipulate or shut-down operations. The current issue of Global Risk Dialogue, the Allianz Global Corporate & Specialty (AGCS) magazine about corporate risks and insurance, focuses on how increasing cyber risks for utilities, networks and smart factories can be mitigated.
There is growing concern about the vulnerability of ICS, which are used to monitor or control processes in industrial and manufacturing sectors. For example, there were 295 recorded ICS cyber incidents in the US last year – up 20%[i]. A cyber-attack against an ICS could result in physical damage, such as a fire or explosion, as well as business interruption (BI), says Nigel Pearson, Global Head of Fidelity, AGCS. “A number of ICS still used by manufacturing and utilities companies today were designed at a time before cyber security became a priority issue.” In addition, ICS are also vulnerable to both technical failure and operator error which can be much more frequent and severe in terms of impact and are often not captured in cyber reports.
Smart factory opportunities and risks
While ICS are a particular issue for the utilities sector, similar cyber-related physical damage and BI risks exist in manufacturing. So-called smart factories of the Industry 4.0 era heavily rely on automation, robots and connected supply chains. From an insurer’s perspective, this brings new risks as well as opportunities. “Continuous monitoring and predictive maintenance of automated production lines will reduce small scale frequency losses and increase equipment lifetime,” explains Michael Bruch, Head of Emerging Trends, AGCS. “Supply chains will be better monitored, more predictable and visible with improved tracking options and losses reduced from spoilage or expiration.”
However, interconnectivity of supply chains and production processes will increase cyber vulnerability, especially as security flaws built into embedded software code are difficult to detect. “Overall loss potential is rising significantly, creating high accumulation potential with larger and more complex claims,” Bruch explains. Should a robot be hacked or suffer a technical fault, a production line could be interrupted for hours or days, at a potential cost of tens of millions of dollars per day. If an algorithm is wrong or IT systems go down, global supply chains could be severely disrupted and losses could spread across regions and industries. Meanwhile, new technology could raise liability issues. For example, claims may be leveled against the developers and vendors of predictive maintenance software in cases where injury occurs.
How can increasing cyber risks in the industrial sector be efficiently prevented and mitigated? “While there is no such thing as 100% security, a comprehensive cyber and IT risk governance strategy involving various corporate functions is necessary to successfully combat cyber risks,” says Jens Krickhahn, cyber insurance expert at AGCS Central and Eastern Europe. “High technical IT security standards of networks, software and mobile devices, staff awareness trainings, continuous process optimization and rigid management of access rights and guidelines must go hand in hand. To manage the residual risks, cyber insurance is becoming a core element of IT risk management for many companies.”
Refining existing risk services
In future, digitalization will also shift the nature of corporate assets from mostly physical to increasingly intangible. Brand value and reputation, as well as intellectual property, technological know-how and supply chain networks, will become more important assets. Bruch adds: “Coverage for a company’s factory will increasingly demand cyber, reputational and specific non-physical damage BI covers to adequately protect intangible assets. Refining existing and developing new risk services beyond the traditional is key for both insurers and businesses to prepare jointly for the next industrial revolution.” To mitigate supply chain risks in the digital era, for example, providing a risk solution is more than just an insurance policy, but rather a bundle of services including risk analysis, benchmarking and mitigation advice that can help analyze quality and resilience. “We can provide company-specific scoring for suppliers locations and benchmark this for a given industry”, explains Volker Muench, AGCS Global Property Practice Group Leader. “The more information we have, the better we can model and monitor exposures and be in a position to offer higher limits of insurance coverage.”
[i] Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)