Houston Texas Insurance Agency Blog

High-Value Target Manufacturing Industry Rethinks Cyber Insurance

Written by Communications Team | Wed, Sep 13, 2023

Embracing technology has helped the manufacturing industry to automate processes, enhance research and development, and optimize production, but in this increasingly connected world, the sector has also become a high-value target for cyberattacks.

“As more manufacturers move online, their business risks do too. Cybercriminals increasingly view manufacturers as high-value targets for financially-motivated cyber attacks like extortion and ransom demands, or to disrupt operations and steal trade secrets,” explains global cyber insurance underwriter CFC. “Cyber insurance helps protect manufacturers against the financial loss resulting from cyber attacks, data breach, system failures and much more.”

Traditional cyber insurance has been concerned with unseen, intangible attacks that wreak financial havoc from the cloud in the form of data theft, phishing, ransomware, and other digital crimes. Manufacturers also need to be prepared for “real world” mayhem from cyberattacks, which makes it wise to consider adding bodily injury and property damage to your cyber policy.

“The days of attacking zeros and ones, personal information, and otherwise confidential information needs to give way now to the thought of how interconnected we are and how problematic the issues will be with respect to property damage and bodily injury if third parties are able to intercept these devices, infiltrate them, and cause problems,” Marc Voses, partner at global reinsurance law firm Clyde & Co, told the Insurance Journal.

Connected Manufacturing Equipment Vulnerable to Attacks

From driverless vehicles to smart appliances to healthcare monitors, the benefits of connected devices are promising, but when it comes to manufacturing equipment, there is the danger of cyberattacks that can result in bodily injury and property damage.

In a cyber-physical attack, a malicious actor can take control of manufacturing equipment and other infrastructure, causing physical damage and sometimes bodily harm or property loss.

While manufacturing facilities have on-site security to protect their perimeters and operations from real-world threats, these cyber-physical attacks can be launched stealthily by cybercriminals on the other side of the globe.

“Think about tangible things, things you can touch,” Voses said. “They’re going to be machinery, they’re going to be computer components themselves, they’re going to be Internet of Things devices, they’re going to be industrial items, they’re going to be doors, they’re going to be heating elements, a whole bunch of physical things.”

More than Half of Manufacturing Sector Hit by Cybercriminals

Cyber insurance is needed in the manufacturing industry, not only for the possibility of cyber-physical attacks but to protect organizations from ransomware threats.

A Sophos white paper published in June 2023 found that 56 percent of respondents reported that their organizations were hit by ransomware in the previous year, up from 36 percent in 2021.

“Cybercriminals have been developing and refining the ransomware-as-a-service model for several years. This operating model lowers the barrier to entry for would-be ransomware actors while also increasing attack sophistication by enabling adversaries to specialize in different stages of an attack,” said “The State of Ransomware in Manufacturing and Production 2023” which surveyed 3,000 leaders responsible for IT/cybersecurity across 14 countries, including 363 from the manufacturing and production sector, conducted in January-March 2023. “With adversaries now able to consistently execute attacks at scale, ransomware is arguably the biggest cyber risk facing organizations today.”

Among the findings published in this white paper:

  • Root causes of ransomware attacks in manufacturing:

      o Compromised credentials: 27 percent.

      o Exploited vulnerability: 24 percent.

      o Malicious email: 21 percent.

      o Phishing: 20 percent.

  • Manufacturing saw over two-thirds of attacks (68 percent) resulting in data being encrypted, with just over one in four attacks (27 percent) being stopped before the data was encrypted.

  • In 32 percent of the attacks on manufacturing where data was encrypted, data was also stolen.

  • Where data was encrypted, manufacturing and production organizations reported the lowest data recovery rate (88 percent) of all industries, considerably below the global average where 97 percent of organizations that had data encrypted got their data back.

The Impact of Cyber Insurance on Data Recovery

The white paper also found that manufacturing organizations with cyber insurance were considerably more likely to recover encrypted data than those without such policies.

The type of cyber coverage made very little difference:

  • 94 percent of manufacturing organizations with a standalone cyber policy recovered encrypted data after an attack.

  • 93 percent of those with a wider insurance policy that included cyber coverage recovered data after an attack.

  • 53 percent without a cyber insurance policy recovered data after an attack.

“There are likely several factors behind this variance: First, cyber insurance typically requires organizations to have backups and recovery plans as conditions of coverage. In addition, insurers are also able to guide ransomware victims through the recovery process in order to optimize outcomes,” explained the white paper.

The Cost of Cyberattacks on Manufacturers

Cyber insurance can help mitigate the rising costs of these cyberattacks. The average ransom payment by manufacturers in a ransomware attack in 2023 was over $1 million ($1,260,207), almost double that of a year earlier.

“The proportion of manufacturing organizations paying higher ransoms has increased from our 2022 study, with 40 percent paying a ransom between $100,000 and $999,999 vs. 29 percent who paid this amount in 2022. In addition, 20 percent reported payments of $1 million or more compared to 8 percent last year,” wrote the white paper authors.

Of course, ransomware payments are just one of the financial elements of a cyberattack: the average attack cost the manufacturing sector $1.08 million in recovery costs in addition to the actual ransomware payment.

The manufacturing sector also reported that almost one-third of the companies attacked lost a lot of business/revenue (32 percent) and almost half lost a little business/revenue (44 percent).

Finally, the white paper estimated that almost half of the manufacturing organizations targeted by cybercriminals required up to a month or longer to recover:

  • Less than a day recovery: 9 percent.

  • Up to a week recovery: 46 percent.

  • Up to 1-month recovery: 28 percent.

  • 1 to 3 months recovery: 13 percent.

  • 3 to 6 months recovery: 4 percent.

“Ransomware continues to be a major threat to manufacturing and production organizations. As adversaries continue to hone their attack tactics, techniques, and procedures (TTPs), defenders are struggling to keep pace, resulting in increased encryption rates,” concluded the white paper.

Traditional Cyber Insurance May Leave Gaps in Coverage

Manufacturers and other businesses with cyber insurance may find coverage gaps between those specific policies and their standard commercial liability and property insurance.

While traditional commercial liability and property insurance policies may cover certain aspects of cyber risks, they typically do not address bodily injury or property damage resulting from cyber-attacks.

On the other hand, typical cyber insurance policies cover a range of expenses associated with cyber incidents.

These may include costs related to:

  • Breach response

  • Forensic investigations

  • Legal assistance

  • Public relations

  • Business interruption

Additionally, cyber policies often provide coverage for third-party claims resulting from data breaches, privacy violations, or intellectual property infringement.

However, bodily injury and property damage resulting from cyber-attacks are generally excluded from traditional cyber insurance policies.

This coverage gap underscores the importance of seeking specific bodily injury and damage cover within cyber insurance to adequately protect against potential liabilities arising from cyber incidents.

Not All Cyber Insurance Policies are Created Equally

Dataprise, which offers managed cybersecurity, says that while cyber insurance is a must for businesses, not all policies are created equally.

“This is, in part, because it’s difficult to underwrite risk accurately. From the lack of data to the constantly evolving tactics of hackers, there are a lot of moving pieces,” explains Dataprise.

In addition to not covering bodily injury and property damage, some common exclusions for cyber insurance policies, says Dataprise, include:

  • Third-party Providers: Suppliers and vendors of any kind can create huge gaps for their clients. If there’s a data breach due to their protocols, any resulting ramifications to your business are unlikely to be covered by your insurance.

  • Lost Portable Devices: Insurance companies will not take responsibility for lost or stolen portable electronics. (Some companies will modify this policy if these devices are encrypted.)

  • War, Invasion, or Terrorism: Any damage from government-sponsored groups or ideological origins may be excluded from the policy.

  • Security Maintenance Failures: The company must meet and maintain minimum security standards to have an insurance claim approved.

It is imperative that businesses confer with their insurance specialist to determine if their comprehensive insurance plan covers all aspects of cyberattacks, including any resulting bodily injury and property damage.

“Despite the introduction of specific cyber policies to cover the risk, many insureds still expect to be covered under their property and liability policies — and yet, they are not,” says Risk & Insurance. “This phenomenon is known as silent cyber or non-affirmative cyber: Where potential cyber-related events or losses are not expressly covered or excluded within traditional policies.”

The publication says that carriers may end up having to pay arising claims that were both unexpected and not priced properly. And because of the confusion around coverage, policyholders also run the risk of having unexpected coverage gaps.

The key is achieving affirmative cyber coverage for bodily injury and property damage to make sure that your business and its resources are properly protected.

“From a broker standpoint, failure to have clarity on cyber risk within policies can cause coverage disparity over what events are and aren’t covered,” Kelly Castriotta, managing director and global cyber underwriting executive at Markel, told Risk & Insurance. “For insurers, it can cause accumulated losses not necessarily priced for, and for the policyholder, they may not have the right coverage to offset the operational disruption as well as the physical damages and losses caused by a cyber event.”

Contact Dean & Draper today for a free analysis of your manufacturing organization’s cyber and other commercial insurance policies and the protection they provide in the event of cyberattacks, such as ransomware and even those that result in bodily injury and property damage.

 

The recommendation(s), advice and contents of this material are provided for informational purposes only and do not purport to address every possible legal obligation, hazard, code violation, loss potential or exception to good practice. Dean & Draper Insurance Agency specifically disclaims any warranty or representation that acceptance of any recommendations or advice contained herein will make any premises, property or operation safe or in compliance with any law or regulation. Under no circumstances should this material or your acceptance of any recommendations or advice contained herein be construed as establishing the existence or availability of any insurance coverage with Dean & Draper Insurance Agency. By providing this information to you, Dean & Draper Insurance Agency does not assume (and specifically disclaims) any duty, undertaking or responsibility to you.  The decision to accept or implement any recommendation(s) or advice contained in this material must be made by you.