Laetitia Fouquet, Head of Speciality Lines & Global Head of Cyber, Charles Taylor Adjusting shares how cyber-attacks affect the Natural Resources sector and how businesses can manage this evolving risk.
Cyber is an emerging and fast-moving market where businesses are becoming increasingly aware of their potential liabilities, heightened risk of damage and the potential financial and reputational repercussions, particularly following high profile incidents.
How do cyber-attacks affect the natural resources sector?
There have been cyber-attacks affecting the industry for some time. Not all are publicised, for obvious reasons, but we should not mistake limited media coverage for a paucity of attacks.
Whereas in other industries attacks tend to result in data breaches affecting many consumers, in the natural resources sector the main aim of attackers seems to be stopping operations and holding an organisation to ransom, extracting sensitive corporate data, or espionage. Increased connectivity and complex supply chains mean that natural resources companies are running a mix of old and new systems. This increases the risk of an attack, particularly when access is also being given to the outsiders and subcontractors who are often used in the industry.
What are the likely impacts of cyber-attacks?
The impact of cyber-attacks in the natural resources sector is multi-faceted. Firstly, there is the potential for property damage, particularly as the industry is encouraged to have better connectivity between IT and Operational Technology (OT). This doesn’t just apply to the “back office” systems, like email, orders or the finance systems; physical assets have been compromised by attacks too.
This was the case in the 2015 attack on Ukraine, when hackers took down almost a quarter of Ukraine’s power grid for 7 hours. The hackers combined malware that directed the utilities’ industrial control computers to disconnect the substations with a wiper virus that made those computers inoperable.
An attack on IT which leads to an attack on OT may have serious repercussions. It can inflict property damage, stop production and cause revenue loss. There is also a threat of pollution, either by causing the release of material that harms the environment or by preventing a pollution event from being detected.
There are also severe financial implications associated with cyber-attacks. They remove visibility across deliveries, order communications and invoicing facilities, which may in turn lead to breaches of contractual obligations and penalties, as well as reputational harm. Access to corporate information can also lead to further attacks, be leveraged in a secondary extortion, or be sold on the dark web.
What are some of the mitigation strategies?
Minimum security measures such as antivirus software and a firewall no longer offer adequate protection. Attacks are becoming ever more sophisticated, so protocols need to be reviewed and adapted very regularly.
A holistic strategy is necessary to prevent unauthorised access to both industrial equipment and computer systems and so ensure the physical security of the assets. Investment in robust security, endpoint monitoring and behavioural monitoring is all necessary.
Additionally, appropriate staff awareness and training, penetration testing and/or simulated attack exercises should be considered, with a clear and tested cyber incident response strategy put in place.
How must the insurance market adapt its response to cyber risk?
Standard cyber policies are geared more to the professional, financial and retail sectors and were driven by data privacy, so they have taken time to adapt to other sectors such as manufacturing, marine, aviation and natural resources. With the drive to move to affirmative cover, we have seen quite a few cases where this has left gaps or overlaps, particularly in relation to silent cyber.
Standard cyber policies will generally cover cyber extortion payments (within the limit or as sub-limited cover), IT investigation and remediation costs, including data restoration, data privacy costs, legal representation and notification costs (GDPR), as well as fines and penalties and data subjects’ claims, communications and monitoring costs, business interruption losses and increased costs of working.
They would not cover any betterment or improvements to IT/OT systems or, sometimes, the purchase of new licences (depending on the wording). This may be particularly relevant when the OT system is old and moving to new software would render the OT inoperable. They also usually do not extend to recertification or to contractual penalties, and they do not cover physical damage, bodily injury, damage to third-party property, contingent business interruption, pollution, or war; the last is a particularly prevalent point given the increase in cyber activity as a result of the Ukrainian/Russian conflict.
In January 2022, the Lloyd’s Market Association (LMA) published four new cyber war exclusion clauses that exclude coverage for “war” from cyber insurance policies. War is defined broadly to mean the use of physical force by a state against another state, or as part of a civil war or unrest, but also “military or usurped power or confiscation or nationalisation or requisition or destruction of or damage to property”. We have not yet seen this being applied, but we continue to monitor developments closely.