Industrial organizations face many threats. Notable among them are hackers seeking to exploit organizational system vulnerabilities. It is important to recognize and guard against these intrusions, and to have the right insurance protection in place in the event such intrusions occur.
Hackers can have a number of different motivations, including:
a. Achieving financial gain by obtaining Personally Identifiable Information (PII) and selling or using it for identity theft purposes
b. Achieving a competitive advantage by accessing confidential information such as trade secrets, formulas, designs, processes and methods
c. Thrill seekers with no agenda other than the challenge of hacking
d. “Hacktivists” with an agenda or desire to expose a perceived injustice
e. Cyber-terrorists motivated by social, ideological, religious or political objectives
f. Espionage conducted by, or on behalf of, nation states.
These threats are serious, with many examples widely reported over the last several years. The most notable publicized incident within the industrial space was likely the May 19, 2014, indictment of officers of the Chinese People’s Liberation Army. The motivation in that case was characterized as cyber espionage. The indictment alleged that these individuals hacked or attempted to hack well-known entities, including Westinghouse Electric Co., United States Steel Corp. (U.S. Steel), Allegheny Technologies Inc. and Alcoa Inc.
A common cyber threat may manifest itself in a myriad of possible outcomes. Be careful not to overlook the entire story when addressing the immediate threat. Some of the biggest exposures impacting industrial organizations include:
- Unauthorized Access to Confidential Information
- Cyber Extortion
- Damage to Data
- Business Interruption
- Destruction of Property
- Bodily Injury
- Theft of Funds
- Reputational Risk (loss of trust from customers, resulting in loss of sales).
Take, for example, the recent escalation in ransomware attacks. The media has reported on these events accurately, but oftentimes there is a lot more to the story. When a ransomware crisis has fallen out of the headlines, organizations still need to evaluate the impact upon compromised servers for any disclosure of PII and take appropriate action according to privacy regulations. In addition, an intrusion into a computer system may have triggered a system interruption that caused business income loss.
Emerging Technology: The Internet of Things (IoT)
The rise in connected technology has led to a growing cyber threat that relates to the Internet of Things (IoT). According to Techopedia, IoT is “a computing concept that describes a future where everyday physical objects will be connected to the Internet and be able to identify themselves to other devices… The IoT is significant because an object that can represent itself digitally becomes something greater than the object by itself. No longer does the object relate just to you, it is also now connected to surrounding objects and database data.”
When many objects act in unison, they are known as having “ambient intelligence.” Ambient intelligence refers to electronic environments that are sensitive and responsive to the presence of people. This new threat creates a way for hackers to infiltrate databases through IoT. For example, people who wear Apple Watches or Fitbits may have a greater vulnerability to being hacked because they are constantly connected. In turn, those same connected devices may pose privacy and security concerns to the manufacturers that produce and deploy them to technology-hungry consumers, who expect the technology to be secure and to protect their rights of privacy.
Prudent Tips for Protecting Data
Every company needs to focus on cyber security. Some commonly cited best practices that are helpful to prevent network security intrusions include:
- Cultivating a culture of security awareness, including deployment of social engineering training and targeted employee phishing exercises
- Maintaining strong network password requirements and changing default passwords
- Using secure remote access methods
- Segmenting networks, with appropriate access controls
- Implementing necessary patches and updates
- Applying firewalls
- Developing and enforcing mobile device policies (including encryption, when applicable)
Prudent Actions to Take Before a Breach
Managing cyber risk can be an onerous process. It’s important to set priorities in order to isolate cyber risk issues and create a baseline understanding of an organization’s cyber risk profile. This involves bringing together every functional area of the organization with the responsibility of managing cyber risk. It is recommended that an organization begin by focusing on the following key areas: cyber security readiness; the protection of PII; regulatory and business compliance; pre- and post-breach preparation; vendor management; and the data classification process.
To be prepared in the event of a breach, organizations should have in place an Incident Response Plan. Employees need to be educated and trained to report any suspicious activity or potential or actual breaches. The organization should also interview several qualified breach response attorneys, selecting two to three qualified firms in the event that a conflict arises. Many cyber policies designate three to four qualified and preapproved breach response attorneys. Some policies allow insureds to select counsel of their choice.
Prudent Response to a Breach
The following steps should be taken when a breach occurs to properly position the organization to respond and to ensure that insurance will apply:
a. Contact the qualified breach response attorney immediately to establish attorney/client privilege and to begin the process of investigating the incident. This attorney will also work with the organization to ensure all potentially relevant information and documentation is preserved and protected from destruction.
b. Retain a forensics investigator with the guidance of the breach response attorney. This selection may also require the insurance company’s approval. The breach response attorney will engage the forensic investigator on behalf of the organization to protect the exchange of information under attorney/client privilege.
c. Based upon the specific conditions of the cyber insurance policy, the insurance company may require immediate notification. Many insurers offer a 24-hour cyber breach hotline that allows for immediate, direct interaction. This is particularly important if prior approval is required before engaging the breach attorney and forensics investigator. Immediate notification should also be given to the insurance broker. These notices should only include the facts that are available at the time of notification. Updates should be provided to both the insurer and the broker as they become available.
Clearly, cyber security has become a Top 5 management concern for organizations, oftentimes ranking first or second in priority. Industrial organizations are constantly seeking solutions to manage their evolving vulnerabilities to cyber risk. Unfortunately, even the most vigilant network security and most comprehensive privacy policies can still be vulnerable to increasingly smart hackers, rogue employee activity, social engineering, vendor negligence and human error. Therefore, all organizations must take a holistic approach to cybersecurity.
Adam Cottini is the managing director of Arthur J. Gallagher & Co.’s Cyber Liability Practice.