As the cyber insurance market develops it is clear that the majority of cyber insurance is being purchased by those businesses at risk of data breaches, including retailers and financial services providers. However, data breaches, cyber-attacks and indeed IT system failures can affect any business in all industries and the manufacturing industry, which consists of companies in the automotive, aviation, construction, building materials, machinery and defence industries is far from immune.
Cyber-attacks and data breaches have been on the rise in the manufacturing industry in recent years. The fact that factories are increasingly computerised, automated and digitally integrated brings an increased vulnerability to cyber hacking, IT system failure and human error with resultant data breaches and the potential for physical damage, bodily injury and business interruption losses.
The current trend of automation and data exchange in manufacturing technologies is known as Industry 4.0. It includes cyber-physical systems, the internet of things and cloud computing. Industry 4.0 creates what is known as a smart factory in which cyber-physical systems monitor the physical processes of the factory and make decentralised decisions.
However, cyber-attacks or failures in the manufacturing IT system can lead to data manipulation that, if left undetected, may result in, for example, changes in product formulation or fundamental health and safety risks, in addition to intellectual property theft, loss of customer databases and deletion of critical data. If, for example, a robot is hacked or suffers a technical fault a production line may be interrupted for hours or days at significant cost to the business. If an algorithm is wrong or IT systems fail global supply chains could be severely disrupted.
Industrial Control Systems (ICS) are prevalent in smart factories but are also found in the utilities sector, healthcare, transportation and even consumer appliances.
One particular incident was reported in 2014 when a German steel mill experienced a spear-phishing1 attack which enabled hackers to gain access to the corporate network and ultimately to the blast furnace control system disrupting it to such a degree that it could not be shut down resulting in extensive damage.
In 2015, security researchers managed to successfully breach Fiat Chrysler’s in-car system, Uconnect, which allowed hackers to take control of a Jeep on the highway prompting the recall of 1.4 million vehicles in the United States. Remote hijack vulnerability can result in a hacker remotely operating the brakes or even shutting off the engine, the potential consequences of which are extreme.
There are a number of examples of ICS attacks targeting electric, oil/gas and water utility systems, such as the Maroochy Shire incident in Australia in 2000 and the Ukrainian Power Grid cyber-attack in 2015. The Maroochy sewage system utilised a SCADA operating system which was hacked by a disgruntled former employee causing pumps to stop working, alarms to fail and about 200,000 gallons of sewage to flood vast areas destroying nature reserves and countless fish and wildlife.
In 2015, Ukraine hackers successfully compromised the information systems of three energy distribution companies temporarily disrupting electricity supply to the end consumers. This involved prior compromise of corporate networks using spear-phishing emails with malware and subsequent seizure of the SCADA control system allowing hackers to remotely switch substations off.
Clearly businesses in the manufacturing industry and those using industrial control systems need to take cyber-security seriously and part of the risk management process should be to consider cyber liability insurance cover. A growing reliance on cloud providers, greater sophistication of hackers globally and increasingly digitised systems means that all industries have an increased exposure to cyber incidents.
However, in the event of a cyber-attack that shuts down a factory, manufacturers may not be covered by existing property and liability policies which are not naturally designed to give true cyber cover and which also require physical damage before they pay out. Furthermore, traditional cyber insurance policies are often designed for data breaches but the fast-growing and serious threat to manufacturers is more likely to be an attack on the ICS or supply chain. The current policies may not be designed to cover those particular exposures which may involve property damage and bodily injury.
Coverage in the marketplace is currently very varied but cyber policies generally tend to include a mix of third party liability coverage for damages suffered by third parties due to loss of data and first-party coverage for response, remediation costs, fines and penalties.
I have set out below some key considerations for manufacturers to bear in mind when arranging adequate and appropriate insurance cover:
- Determine the extent of cover required.
This will involve an assessment of potential financial and/or physical losses on a worst case/total loss basis and companies should assess their potential risks and exposures from cyber damage by carrying out a full cyber risk assessment. Critical business functions must be identified and a business continuity plan is essential.
- Understand what is already covered within any existing policies, the extent of that cover and any exclusions that apply. It is clear that the wording and exclusions of any existing general insurance policy should be carefully scrutinised to determine the level and extent of the protection it may offer in the event of a cyber loss. The interpretation of policy wording and exclusions both in general insurance and in stand-alone cyber policies may well become the subject of litigation in the event that insurance providers decline cover in the event of a loss. Until such time as insurers adopt standard form wording for cyber policies, policyholders are advised to consult with specialist insurance brokers and, where necessary, to seek legal advice in an effort to negotiate appropriate terms with insurers or to determine and understand the potential extent of cover in the event of a loss.
- Ensure that any cyber insurance policy is drafted broadly enough to capture both known and unknown future forms of cyber extortion or risk and is not limited only to named risks.
- Particular attention should be paid to “retention or waiting periods” which is the length of time for which the interruption must last in order to trigger business interruption cover. Many conventional insurance policies have waiting periods of 24 to 48 hours and typically cyber policies have waiting periods of around 6 to 12 hours. However, numerous businesses, including those in the manufacturing industry, may experience significant losses within minutes of a cyber loss occurring and it is important to consider with your broker whether the proposed waiting period is suitable for your business or whether a financial deductible is capable of agreement as an alternative.
- Be aware of policy exclusions relating to IT systems. For example, some cyber policies contain a “failure to patch” exclusion, which purports to exclude cover for losses attributable to a failure to install, or implement on a timely basis available software patches for known software
The cyber insurance market continues to evolve. Wordings have yet to be tested in court and it is clear that the scope of protection is also likely to change as insurers build up the available claims data. However, the potential for disputes is evident and businesses and their insurance brokers should be alive to the increasing need for cyber insurance cover.
Edwin Coe’s specialist insurance lawyers act only for policyholders assisting and advising a wide range of corporate policyholders in relation to the adequacy and extent of existing cover. In addition to dealing with disputed insurance claims and coverage issues arising from denial of liability and policy avoidance insurers.
If you require any further information or advice in relation to cyber risks, insurance or coverage issues, please contact Nicola Maher – Insurance Litigation Partner, or any member of the Edwin Coe Insurance Litigation team.
If you aren’t receiving our legal updates directly to your mailbox, please sign up now
Please note that this blog is provided for general information only. It is not intended to amount to advice on which you should rely. You must obtain professional or specialist advice before taking, or refraining from, any action on the basis of the content of this blog.
Edwin Coe LLP is a Limited Liability Partnership, registered in England & Wales (No.OC326366). The Firm is authorised and regulated by the Solicitors Regulation Authority. A list of members of the LLP is available for inspection at our registered office address: 2 Stone Buildings, Lincoln’s Inn, London, WC2A 3TH. “Partner” denotes a member of the LLP or an employee or consultant with the equivalent standing.