Infrastructure Investor: When did cyber risk first emerge?
Stephen Wares: From an insurance perspective it emerged around the mid- to late-1990s. The first insurance products to cover hacking risk hit the shelf around 1996-97.
It would appear from the take-up rate in the late 1990s that the insurance industry was ahead of the game. It was not recognised as being as critical by the commercial world as it was by the insurers. It was thought that a lot of insurance would be sold due to the dotcom boom and that online e-commerce businesses would want to protect their investment. But that expectation did not materialise.
Demand caught up with what the insurers were offering around 2003. Security breach notification laws arose in the US whereby you had to tell individuals if you had lost their data. California first introduced such laws in 2003 and then most US states followed. This brought in significant costs and encouraged class actions. So insurance for hacking events became more popular between 2003 and 2006 and the market has continued growing 30 percent year-on-year since then.
Now it has come to Europe, which does not have the same litigation or legal framework as the US but where companies have recognised that their reputations are at stake and that they need to do the same. Sales of cyber insurance products in the UK and Europe have increased dramatically.
II: And when did cyber risk begin to impinge on infrastructure?
SW: The insurance market has started to deal with infrastructure in the last 18 months. It has shifted from personal data attacks to attacks on businesses and physical damage being inflicted.
There have been a few triggers. The first wake-up call was Project Aurora, a laboratory trial where physical damage was done to a generator through a simulated hack. Then you had the Stuxnet computer virus in 2010 which attacked a uranium enrichment facility at Natanz in Iran.
In the last few years you have seen those operating industrial control systems warned by specialist departments in government that have been set up to help and give advice to companies on the nature and level of the threat. For example, you have US-CERT in the US (Cyber Emergency Response Team).
We also have CERT UK, and they help deal with emergencies and provide details of vulnerabilities. They have been vocal in warning of the threat and there is much more awareness of the issue; it is much more highlighted.
II: What sort of insurance products are being offered?
SW: In June last year Marsh launched a product focused on the energy sector which provides cover for physical damage from a hacking attack and for the business effects as a result of that physical damage.
Clients are starting to apply for these products – they have been looking for ways of mitigating the threat for the last 18 months. We would expect appetite to grow considerably as we would not expect the noise around cyber risk to quieten down. There have not been many reported incidents to date, but in December of last year the German Federal Office for Information Security disclosed in its annual report that significant damage was caused at a steel mill following the unscheduled shutdown of a furnace. This is providing us with a real live event to demonstrate the risk and adds weight to the warnings issued by government and others.
II: Would you expect attacks to broaden to other types of infrastructure? And could hacks eventually become more serious, perhaps shutting down entire systems?
SW: We expect the pressure to continue on any kind of organisation operating industrial control systems that run physical processes, including critical manufacturing, power and utilities, and the energy sector as a whole, which is certainly becoming a target for hackers.
Ports and terminals with IT systems that track cargo could also be at risk. If their data was corrupted, it would be hard to move goods in and out of ports.
Would it be possible to bring down an entire network? That’s another question entirely. It’s speculation but I think it would be particularly difficult. You can certainly attack particular components but a catastrophic attack that would knock out an entire utility for example would be difficult to carry out.
II: And how aware of cyber risk is the infrastructure investment community?
Martin Bennett: It’s an issue we come across regularly in our discussions with investors. There is strong awareness of cyber risk in relation to sectors such as utilities, water, power, aviation etc. which are heavily IT dependent, but less so for other asset types.
The risks and potential consequences of a cyber-attack are known, but the robustness of response and the strength of business continuity planning to deal with attacks are, however, still an evolving practice.
Overall, I’d have to be positive. Cyber risk is known about. It may not be front and centre when considering the top risks which keep investors awake at night. But everyone reads in the press of the damage cyber attacks do cause by creating system outages and the consequences of this new crime. If this trend continues, then consideration of cyber risk will continue to rise. It’s already more of a concern for investors than has been the case historically.
US ON GUARD
Some markets have tightly regulated frameworks for operators of critical infrastructure; elsewhere, self-regulation suffices
As a security expert for many years, Andrew Wadsworth has formed a view of how different markets around the world have responded to today’s threats – and he sees the US as being in the vanguard:
“The US is extremely sensitive about the security of its infrastructure, especially the electric grid,” says Wadsworth, who is head of process control security at Lockheed Martin, which owns Industrial Defender Solutions, a control systems security business. “The grid is seen as ‘super-infrastructure’ because so many other things depend on it,” he adds.
Indeed, critical infrastructure security in the US is regulated by the NERC (North American Electricity Reliability Corporation) CIP (Critical Infrastructure Protection) regulations. Wadsworth says that penalties for security non-compliance can be as much as $1 million per day.
In the UK and Europe, he says, security is largely self-regulated. In many countries, there are guidelines for operators of critical infrastructure and operators of critical assets may be requested to complete questionnaires to check that they are meeting the guidelines. In Europe, there is no punitive element for non-compliance. However, there is a view that Europe may move towards some kind of regulation in the future.
In the rest of the world, there is particular sensitivity in the Middle East – where two of the more prominent hacks of recent times took place (Stuxnet and Saudi Aramco) – and especially in the Gulf States. Wadsworth says the United Arab Emirates was the first to introduce mandatory, regulated standards for critical infrastructure operators, and other countries such as Oman and Qatar are following suit.