A major FM Global task force addresses the dark and dreaded crimes of data breach and information hacking.
There are countless media reports of cyber thieves hacking into well-known multinational companies, stealing financial information for millions of customers. These thefts can expose a company’s customers to fraud and tarnish its hard-earned reputation.
But the threat from cybercrimes goes well beyond stolen credit card and social security numbers. In an increasingly digital world, cyberattacks can shut down assembly lines, block customers from placing orders, and damage the data or even the equipment companies rely on to run their business. FM Global has long understood the dangers of cybercrime: It has covered the damage done by cyberattacks for more than a decade. As clients have become more reliant on technology, FM Global’s property coverage has evolved to keep pace.
This year, FM Global has gone a step further in an effort to keep up with businesses’ ever-increasing reliance on technology and the ever-changing Internet of Things. The company has formed a special cyber task force that is working to better understand the exposure to cyberattacks and what steps clients should take to protect their business.
“We want to leverage the unique relationship we have with our clients to help them protect against cyberattacks from a loss prevention standpoint,” explains FM Global Vice President Paul Pendolino, who is a member of the new cyber task force. “It’s still evolving, but what we’re trying to do from an engineering services perspective is to help our clients recognize the cyber exposures as they exist today.”
Data is property
Cyber threats are nothing new to FM Global. Its policies have covered damage done by computer viruses since computers became a vital part of the business infrastructure. In 2003, it added data coverage, becoming one of the first companies to treat data as property. As online retail sites grew, FM Global included Denial-of-Service Coverage in its policies and recently added Cloud Coverage, protecting data stored in virtual environments.
“In 2003 we introduced data coverage into our policy terminology, and began treating data as property, which was unique,” Pendolino says. “As the risk exposure developed, we enhanced our policies to meet our clients’ needs. It’s part of our core coverage, so we’ll protect against damage from a cyberattack just like damage from fire and weather.”
Insurance coverage against cyber threats is becoming an increasingly important topic. Pendolino says it is one of the biggest concerns among clients, who are often confused about how to insure against cybercrimes. That confusion is partly because technology is changing so rapidly, and partly because cybercrimes tend to fall at the intersection of property and liability insurance.
There is ongoing debate in the insurance industry as to where the coverage should be provided in the event of a cyberattack. Many property insurance companies don’t cover damage done by a cyberattack, and others are developing specialty insurance that deals with all aspects of cyberattack, spanning liability and property damage.
FM Global treats a company’s data no differently than a production facility or a distribution warehouse. If the data is corrupted, altered or destroyed, leads to a business interruption or causes damage to other insured property, it is treated like any other property damage.
But since FM Global is a property insurance carrier, its coverage only extends to physical damage, business interruption and denial of service. The coverage doesn’t protect against losses from data being exposed, stolen or copied. Stolen financial data, as in the thefts that make headlines, falls under a company’s liability policy, as would the loss of reputation and penalties, fines or the costs of notifying clients of a breach.
Pendolino says that the liability exposure of cyberattacks is currently the greatest risk for companies. The legal fallout from exposing customers’ financial information has resulted in the greatest financial loss to date. A study by IBM and the Ponemon Institute found that the cost to a company per stolen financial record is US$154 and some breaches have exposed millions of records.
The more companies rely on technology, the larger the property risk from cyberattacks becomes. If a business stores product in a temperature-controlled room, hackers could destroy the product by tapping into the temperature control system. Automated production lines could be brought down through a cyberattack, halting production. Hackers can create backlogs to online service centres, denying customers access to their online accounts or ceasing their ability to place orders.
Pendolino says that extracting financial information or stealing money outright is still the top motivator for cyber thieves, but hackers can be motivated by a host of reasons. Many cyberattacks occur just to prove it can be done. Self-driving cars have proven to be irresistible to hackers who’ve exploited flaws in the vehicles’ entertainment system to take over control. Hackers will target universities or government agencies, often to point out flaws in their security systems.
For years, programmers have been battling computer viruses designed simply to inflict damage. Businesses can be targeted by groups or organizations that object to their business practices. Political unrest can lead to cyberattacks on businesses that are seen as allies to the government or even lead to government-sponsored attacks. Cyberattacks have been launched by competitors, disgruntled employees and customers with a grudge against a company.
Last year, cyberattacks hit energy and utilities companies, defence and aerospace contractors, communications firms, retail outlets and health care providers. And not all the attacks were financially motivated.
Last year, hackers reportedly were able to bring down a power grid in the Ukraine. Earlier this year, Nissan’s corporate websites were hacked to protest Japanese whaling practices.
And in 2014, the German Federal Office for Information Security reported that a German steel mill suffered significant damage when hackers disrupted the control systems so that a blast furnace couldn’t properly shut down. While details of the hack and the damage it caused are limited, it is one of the first incidents on record of hackers causing actual physical damage to a production facility.
Pendolino says the potential for loss is what led FM Global to form its cyber task force. The team includes representatives from just about all disciplines in the company, including IT, engineering, marketing, research and insurance operations (claims, client service). He says the group will work to better understand this specific risk, and may conduct research projects and provide formal recommendations.
“The task force is looking at what we can do from a cyber risk assessment and a loss prevention point of view,” Pendolino says. “We’re not trying to become a third-party cyber security vendor. We’re trying to put our arms around this from an engineering standpoint.”
Pendolino says FM Global’s approach to cyber threats is no different than its assessment of other risks. FM Global often puts teams together to examine emerging risks, like 3-D printing, or the use of robots in manufacturing. He likens the cyber effort to the approach FM Global takes in protecting data centres. FM Global looks for backup systems, redundant power sources and off-site storage as a way to mitigate the risk to data centres.
He sees the cyber team developing similar recommendations to protect against cybercrimes. These may include on-site systems that control access to a facility, overrides of electronic controls, or backup or redundant IT systems that can take over in the event of a cyberattack.
“It’s not just an IT problem,” Pendolino says. “We want risk managers to start to think about data like the other property they own.”
While FM Global may offer recommendations to prevent cyberattacks, Pendolino says there is already an entire industry dedicated to providing firewalls, Internet security, intrusion testing and a host of other cyber security services. And given the nature of cyber threats, it is nearly impossible to completely stop cyber criminals from gaining access to sensitive data and critical control systems.
“Most companies already have all the right stuff in place and hackers are still able to get around it,” he says. “The majority of losses are preventable, but you’re never going to be hack-proof. There are just too many access points.”
He says FM Global will likely focus on mitigating the risk and ensuring that companies have protections in place that allow them to continue to operate after a cyberattack.
“For critical operations systems, we are going to look at reasonable steps to take to protect them,” Pendolino concludes. “We want to minimise the risk of a cyberattack happening and, if something were to happen, do companies have the right things in place to move on.”
This article first appeared in FM Global’s Reason Magazine, 2016.