If the AK-47 was the 20th Century’s icon for affordable warfare, in 2013 it has effectively been replaced by computers…and the guys who sit at them. The world, having been through both cold and hot wars, has now advanced into an iWar (full credit to Apple), and new battle lines have been drawn.
In 2013 a room full of computer ‘experts’, armed with relatively inexpensive technology, have the capability to wreak havoc on companies, supply chains, and possibly entire countries. And one of the easiest ways to do this is by targeting infrastructure assets.
Investors, owners, and operators of infrastructure-related systems are now facing a range of new threats. While most businesses are fully aware of risks relating to data privacy and denial of service attacks, more sophisticated cyber-attacks should have risen to the top of the pile when it comes to risk assessments. Certainly governments and regulators are starting to pay close attention to how businesses protect themselves. And when they pay attention, so should boardrooms, CEOs, and investors.
The implications of these cyber-attacks have not been lost on the insurance industry, and the smart operators are developing policies around executive and corporate risk, business interruption, and supply chain management. But this is a very new area of business, and the potential scale of the risk is not fully understood. However, it is a brave board member or CEO who is not looking at a range of options on how to insure against this sort of risk.
What is the extent of the threat?
If Barack Obama, in his State of the Union Address, and the US National Intelligence Director (in a report to Congress) have both highlighted the risk of a major cyber-attack upon the US, there is no excuse for the private sector not to consider itself ‘warned’. Governments see this as an area of real concern, and the reasons are obvious.
You do not have to look very far to find significant and serious examples of what an attack might look like. In South Korea the TV stations KBS, MBC and YTN, and the banks Shinhan, NongHyup and Jeju were affected by an alleged North Korean attack in late March. One of the more chilling aspects of the South Korean attacks was that, reportedly, the malicious files had been sitting dormant in systems for some time until the coordinated attack was launched.
Saudi Aramco Oil Company had its operations disrupted in an attack on PC workstations. Pipeline companies, US banks, and the New York Times have been attacked. The AP Twitter account was hacked and false news reporting about an attack on the White House was published, causing a sudden drop in the Dow Jones. This time it was Syrian sympathisers. It’s not all one way. The Stuxnet worm targeted very specific infrastructure-related software and equipment in Iran’s nuclear programme.
The US Department of Homeland Security has reported a significant increase in attacks on US power, nuclear and water systems. It’s a safe bet that ports, transport systems, communications and internet systems, and oil and gas supply are also on the radar. Many of these attacks have apparently been about stealing sensitive strategic information and intellectual property. However, imagine the chaos if, at 5.45pm next Wednesday, every traffic light in town turned red. And stayed red.
The threat is very real and the potential disruption enormous.
How prepared are you?
The question of cyber-attack preparedness is not just an issue for the chief investment officer or IT department. The US government is pushing for greater cooperation around the response to cyber-attacks, and the reporting of such incidents. Responsibility for not taking this seriously is slowly but surely making its way up the corporate food chain.
For corporations, and those at the helm, the implications of cyber-attacks are now becoming increasingly complicated. Can you protect yourself, are you reporting attacks properly (the SEC has issued guidelines on reporting attacks), and what is your downstream exposure to any incident? What could the potential damage, disruption, and financial cost be to your organisation and your brand?
Traditional insurance does not cover a mass cyber-attack on a utility. So right now, there is no coverage for damage and possible liability. Indeed, the market is not big enough to cover a major event of this nature.
Where to from here?
But things are changing, and, as the market demand for infrastructure-related insurance products increases, innovative solutions are being developed. In a practical sense, insurance solutions can now cover risks outside a company’s network. Boardroom coverage is also being looked at closely.
At the core of these events for businesses – of all types – is the question of how they can minimise and recover from their losses after an event as quickly as they can.
Businesses have responded in various ways. However, anyone hoping to reclaim some of the costs incurred from an existing insurance policy may be disappointed to learn that many traditional insurance policies do not address these emerging risk exposures.
Market leaders, usually in the form of the more innovative brokers, are challenging the status quo and are developing bespoke insurance products and risk management solutions in cyber, data security, and intangible risks with leading insurance markets. These solutions are designed to address the growing demand for first-party and third-party losses associated with these emerging threats.
With businesses looking to expand into new areas of growth, and with infrastructure investors looking at opportunities in high-risk markets, operators and directors will have to start thinking hard about where the cyber risk profile is heading, and take a close look at security prevention and business continuity planning. Businesses also cannot afford to be complacent about business-efficient solutions that may compromise the privacy of sensitive or confidential information.
It is a theme that should, and will, continue to occupy the minds of operators of, and investors in, infrastructure and utilities. And a conversation over coverage is one that is best had with your insurer sooner rather than later.
Ben Beeson is head of London-based insurance broker Lockton’s global technology and privacy practice; Angel Kuan is the development director of the practice.