P&C Technosavvy the May 2015 issue

Cyber Sabotage

Tom Reagan, Cyber Practice Leader, Marsh
By Michael Fitzpatrick Posted on April 30, 2015
Q
A recent cyber attack in Germany caused extensive physical damage to the furnaces in an iron plant. Is this a new arena for cyber threats?
A
I don’t think this attack changes the landscape; it just challenges people to accept the threats that have been discussed for years. Security experts have been talking about physical risks arising out of cyber vulnerabilities for a long time—and Hollywood screenwriters even longer—but people have a hard time believing it until they see it. I hope this will spur a little more urgency.
Q
Does this attack represent a serious escalation in cyber crime?
A
There’s no doubt cyber attacks are going to increase. Technology is integral to everything we do. Information networks, software—these are the building blocks for 21st century business, so it’s inevitable people will find ways to attack these assets. Any sector that relies on physical machinery is probably vulnerable to a cyber attack, and the risks of existing industrial control systems are widely acknowledged. People have been working very hard to address vulnerabilities in control systems, but it’s never going to be perfect.
Q
If attacks are inevitable, what should companies do?
A
Technology aimed at prevention is not enough. No amount of spending can take your cyber risk to zero, so you can’t ignore it. You have to treat cyber risk like all of the other risks your organization might face. You assess it. You evaluate it. You model it. You do what you can do to prevent and mitigate it, but you also prepare to respond. You look for the elements you want to retain and the elements you want to transfer.

Even though technology is at the core of attacks like this, ultimately this is not just a technology problem. This is a challenge that needs to be addressed by the entire organization—finance, legal, operations—and risk management should be driving that discussion. Cyber risk is an enterprise-wide issue that should be managed at an enterprise-wide level.

Q
What are the insurance implications of cyber attacks that cause physical damage?
A
It definitely becomes more complicated than a purely electronic cyber attack, and there’s no universal answer because every insurance program is different. Most cyber policies aren’t built to deal with physical damage, and most traditional programs aren’t built to deal with cyber risks. Given the variability in policy language, the availability of coverage is very fact-specific; it’s essentially TBD. That means the real question is what are agents and brokers doing to help their clients prepare for this risk? Clearly, for clients concerned about threats to physical assets, it’s not going to be enough to just buy a cyber policy without a detailed gap analysis.

 

Michael Fitzpatrick, Technology Editor
