With cyber risk a top-level concern for all organisations, FM Global Executive Vice President Michael Turner provides insight on this growing business threat.
Q: What might motivate an individual or organisation to attempt a cyber attack?
A: In today’s environment, most threat factors continue to be motivated by financial gain, whether they are stealing individuals’ personal identifiable information in a data breach or using ransomware to extort the target.
That said, not all attacks are financially motivated – as we saw with the Dyn denial-of-service attack last October; there is a subset of hackers that is purely interested in causing maximum business disruption on the internet. And, not surprisingly, nation states and terrorist organisations are attempting to cause physical damage or interruption of certain services through cyber means.
Q: Cyber attacks seem to follow trends. Most attacks from 2014 and 2015 were on information assets. In 2016, more information and product technology platforms were targeted. What has been the focus of attacks in 2017?
A: As hackers become more sophisticated, we are seeing more incidents involving the interruption or shutdown of business operations. This is a huge concern for organisations, as it can have a financial and reputational impact.
Additionally, threat factors are becoming increasingly interested in exploiting vulnerabilities associated with the Internet of Things – physical devices connected to the internet. And with many companies now relying on industrial control and building automation systems that are also connected to the internet for improved efficiency, attacks on these physical devices – known as cyber-physical attacks – represent a new frontier.
Q: Threat factor motivations seem to evolve with time, as does cyber coverage in the property insurance marketplace. What types of cyber coverage are prevalent today?
A: Just a few years ago, we tended to view the cyber insurance market as providing primarily a third-party liability product. But now, most cyber carriers also provide first-party coverage for things like notification fees, credit monitoring services, crisis management expenses and computer forensics, as well as coverage for corrupted or damaged data and business interruption.
The area in which we’ve seen the greatest degree of expansion is business interruption (BI), particularly contingent BI coverage for the interruption of data services. FM Global continues to provide broad cyber coverage in our form, including for the interruption of data services, plus coverage for damage to data and interruption of our client’s network. And, unlike others in the cyber market, we provide coverage on an all-risk basis for physical damage resulting from a cyber attack.
Q: What challenges does the insurance industry face, with cyber attacks becoming less virtual and more tangible?
A: While FM Global has covered data as physical property for more than 15 years, the cyber community views “tangible” as what we would consider resulting physical damage to real or personal property. And considering the proliferation of physical devices that are connected to the internet and to business networks, we know that threat actors are constantly seeking new ways to exploit these vulnerabilities.
These devices represent another way to access a company’s network, only now malicious acts can have physical consequences. There are but a few known examples of successful cyber-physical attack – Stuxnet, a malicious computer worm that was responsible for causing substantial damage to Iran’s nuclear program, plus the control system hacks at a German steel mill and the Ukrainian power grid – but regardless of whether it’s politically motivated or simply attention-seeking behavior, many expect to see an increase in similar cyber attacks.
Q: How has preparing for enterprise resilience changed relative to evolving cyber risks?
A: As cyber threats evolve from theft of personal information to more sophisticated attacks that can impact business operations, organisations need to evaluate whether they can bounce back from a cyber incident. FM Global’s approach is designed to assess the client’s company culture, preparedness, response capability and resiliency in the event of a cyber attack.
Ultimately, organisations want to understand their exposure and be in a position to quantify their cyber risk. They are looking to their insurance carriers not only to provide coverage, but also to help them expand their knowledge on the subject, assess and understand their cyber risk, and provide them with practical mitigation solutions so they can recover after a cyber incident. It is all about being resilient.