P&C the April 2022 issue

The New World of Warfare

If your clients work in critical infrastructure, their cyber security should be a top priority.
By Jody Westby Posted on April 1, 2022

Maybe not across the board, but it is worth examining what industries are most vulnerable and where the greatest harm could occur. Those are the industry sectors that agents and brokers should put on their priority lists so they can help them manage cyber risks and avoid business interruption claims.

Chemical

Commercial Facilities

Communications

Critical Manufacturing

Dams

Defense Industrial Base

Emergency Services

Energy

Financial Services

Food and Agriculture

Government Facilities

Information Technology

Nuclear Reactors, Materials, and Waste

Transportation Systems

Water and Wastewater

The federal government has designated 16 industry sectors as critical infrastructure, but a few of them are “super-critical”—electric and water utilities and communication networks. Without water, electricity and communications, most societies grind to a halt, and lives are immediately at risk. Utilities—and numerous other critical infrastructure sectors—have operational technology (OT) and industrial control systems (ICS) that have complex supervisory control and data acquisition (SCADA) systems that can wreak havoc if disrupted, causing massive business interruption losses and liabilities. These systems are rich targets for cyber criminals.

Threats to ICS and OT

The “SANS 2021 Survey: OT/ICS Cybersecurity” report noted that technical integration of legacy and aging OT with modern IT systems was the biggest challenge survey respondents (59.4%) faced in securing their systems. Insufficient personnel resources to implement security plans ranked second (56%), and trying to secure OT systems with IT staff who do not understand the operational requirements (52.2%) was the third biggest challenge. None of these are easy to fix, and they certainly aren’t going to be addressed quickly at the tail end of a pandemic with a remote workforce and a shortage of experienced IT/security personnel.

The three top threats to OT/ICS systems were identified as ransomware and financially motivated crimes (54.2%), nation-state cyber attacks (43.1%), and unsecured devices and things added to the network (31.3%). The bad guys are winning, nation-states are collaborating with the bad guys, and internet of things devices are so prevalent that CIOs/CISOs often do not even know they are on the network. Again, no easy fixes.

The survey noted that the three sectors most likely to have a compromise of their OT/ICS that would impact the safe and reliable operation of the system were energy, water/wastewater, and healthcare and public health. This is scary; that is two super-critical sectors plus healthcare, which is highly dependent upon electricity, communications/IT, and water/sewage systems and includes hospitals, which have their own ICS systems. One must remember that cyber attacks on ICS/OT systems can also cause fires, explosions, machinery failures, water damage, and property losses.

Cryptocurrency and Sanctions will Drive Cyber Crime

Cryptocurrency is cyber criminals’ preferred method of payment because it is anonymous, unregulated, hard to track, and easily laundered. Since Russia is one of the leading countries for cyber-criminal activities, it makes sense to assume that the sanctions imposed on Russia as punishment for its invasion of Ukraine will fuel a new round of cyber attacks on Western countries. Why? Simply because cryptocurrency will be the only currency in Russia worth anything and it will be used as a means of skirting sanctions.

“Some of these attacks may involve triggering malware that is already present in systems,” notes John Hammond, senior security researcher with Huntress, a leading security intelligence company. “Threat actors maintain access by leaving behind a beacon or implant so they can come and go inside the target environment as needed,” he explains. “When activated, the malware can exfiltrate data, open ports, call back to the command and control servers, erase or corrupt data, whatever,” he warns. Hammond notes that the malware is stealthy and has an average “dwell time” of 24 days (according to a 2021 study from Mandiant), making it difficult to detect the full path of activity.

Adequate log files, up-to-date asset inventories, robust incident response plans, and tested backup/recovery plans are the four areas most critical for response and often the least developed in the cyber-security program.

Responding to these attacks usually requires the assistance of a skilled forensic team and log files going back six months to a year. This is where companies fall short and the gaps and deficiencies in their cyber-security programs bite them. Adequate log files, up-to-date asset inventories, robust incident response plans, and tested backup/recovery plans are the four areas most critical for response and often the least developed in the cyber-security program. All companies, no matter what size, should review these four areas and ensure they have deployed multifactor authentication and have robust access controls.

Following Russia’s invasion of Ukraine, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued a “Shields Up” bulletin to all industries advising them to report incidents or anomalous activity to the 24/7 CISA Central line at (888) 282-0870 or the FBI’s 24/7 CyWatch line at (855) 292-3937 and provided a list of actions that would help secure systems. This is good information, but it is doubtful that two hotlines can handle all the calls from across America if major cyber attacks start hitting companies.

Critical Role for Agents and Brokers

According to the Allianz Risk Barometer 2022, companies feared business interruptions from cyber incidents the most (52%) followed by natural disasters (36%). Addressing that fear is a natural role for insurance professionals. Agents and brokers should peruse their client lists, identify critical infrastructure clients, and reach out to them to see if they need assistance with risk assessments, business interruption evaluations, or risk transfer reviews in the context of a serious cyber attack.

Organizations need to assess their preparedness for a major cyber incident, review/identify mission critical systems, discuss operational requirements, and review incident response and backup/recovery capabilities. Then, they need to evaluate potential business interruption scenarios and quantify the cost.

Today’s circumstances warrant disrupting the normal annual review cycle. Organizations need to assess their preparedness for a major cyber incident, review/identify mission critical systems, discuss operational requirements, and review incident response and backup/recovery capabilities. Then, they need to evaluate potential business interruption scenarios and quantify the cost. These actions are what risk managers and insurance professionals excel at.

Helping clients bring together IT, security, risk managers, legal, and business leaders to discuss cyber preparedness shows value and leadership from the agent/broker. Introducing them to partners or vendors who can provide managed security services or technical assistance, develop robust incident response plans, or test backup/recovery plans helps cement the client relationship and turns the agent/broker into a trusted advisor.

More in P&C

Parametric Flood Cover Rolling In
P&C Parametric Flood Cover Rolling In
Q&A with Adam Rimmer, Co-Founder and CEO, FloodFlash
P&C 2022 M&A Cyber Checklist
This guide to M&A cyber due diligence activities will help your clients avoid cy...
Tailor-Made Safety
P&C Tailor-Made Safety
Foresight, a tech-centered MGU focused on workers compensation, says integrating...
Sponsored By Foresight