Cyber Liability Beyond Data Security and Privacy
In a world of increased business automation, often the greatest cyber risk companies face is not data security. Rather, businesses that rely upon computers and software to manage their refineries and pipelines, power grids, and a wide range of manufacturing systems face enormous cyber risk should their control systems fail.
Though the media and regulatory agencies have not necessarily classified these failures (and their related consequences) as “cyber” incidents, from an insurance and risk management perspective, these failures may be classified as “cyber” risks and considered as covered perils by a cyber liability insurance policy.
Together with our partners at Stroz Friedberg, we wanted to move the commercial cyber liability discussion forward, beyond data breach and privacy, to prompt the industry to embrace a wider interpretation of the cyber risks that companies face. Clearly, data security is a real concern and has become a top priority for executives in every industry. Yet, as privacy breaches grab headlines today, we recognize that there is a much larger cyber security risk looming that insurance companies, risk managers and regulators must now address.
In the following report, we aim to illustrate the risks of industrial control systems with recent real-world incidents across a range of industries including manufacturing, energy and related infrastructure providers. To simplify terminology in this paper, we will refer to the broad range of systems as “industrial control systems,” recognizing that there are many names and niches of systems that may elsewhere be referred to as SCADA (supervisory control and data acquisition systems), DCS (distributed control systems), PCN (process control networks) and PLCs (programmable logic controllers). Our intent is not to delve into the vulnerabilities of each of these types of systems. Rather, our goal is to shine a light on the pervasive use of these systems and the risks they present to the companies that employ them.
With a more common understanding of industrial control systems, greater knowledge of recent system failures and a broader recognition of the security risks, we hope this report will not only stimulate discussion, but improve risk management practices among the software engineers, corporate executives and regulatory agencies that collaborate on the design and implementation of these essential infrastructure control systems.