Manufacturers are being targeted more and more not only by traditional cyber-criminals, but also by competing companies and even foreign nation states engaged in corporate espionage. With more industrial control systems connected to each other and to the internet, ransomware is able to infiltrate at the weakest point and then spread throughout the entire supply chain. Cyber security in the manufacturing business isn’t something that should be assumed simply as an IT function or a task outsourced to a vendor. It’s a way of doing business that needs to start at the top and permeate the entire organization and their critical vendor relationships. Companies must be prepared to protect their cyber assets, have a working plan for restoring service and provide for financial losses through budgeting and/or cyber coverage.
Globalization has created an extended supply chain that is far more difficult to secure, and that often results in relying on outsourcing to companies that may not have proper cybersecurity. Many of the security systems developed for manufacturing companies were created at a time when cyber-security was far less of an issue. Hackers are able to install ransomware that essentially hold business operations hostage until they meet increasingly expensive demands. They can steal information to sell to competitors or exfiltrate and publish sensitive information online. They can misdirect orders, use data to make false tax declarations or infiltrate suppliers and business partners as well as the primary manufacturer. Because the Coronavirus disease (COVID-19) pandemic has caused shelter-at-home orders in most states, some manufacturing employees are working remotely. If they are not careful about following corporate remote work policies, including enhanced mobile device manager software and other security controls (such as secured VPN, multi-factor authentication and corporate Wi-Fi), they may be more susceptible to outside attacks.
Preparing for and managing cyber risks
The most recent Marsh/Microsoft Cyber Perception Survey showed that two-thirds of all respondents ranked cybersecurity as a Top 5 risk management priority, but only 19% expressed confidence in their organization’s ability to manage and respond to a cyber event. Only 30% have developed a plan to do so. The fact that small and mid-sized manufacturing companies perhaps don’t see themselves as targets is a key reason why many have been reluctant to invest in the latest technologies, especially ones that can protect them from — or help them respond quickly to — cyberattacks.
The first step in preparing for cyber risks is to identify potential sources of risk. This should include conducting audits to fully understand how employees access and use critical and sensitive data. The audit should determine who has access to information and critical systems, and examine existing capabilities for monitoring inappropriate system access and potential security vulnerabilities. Next, institute formal, written policies on the use of corporate networks, and ensure that access to sensitive data and critical systems is restricted only to parties that require it (concept of least privilege). Companies should also encrypt/secure critical technologies (laptops, smartphones, tablets, portable media devices), as well as emerging technologies that can represent significant data security threats or entry points into a network and train employees and others on how to identify, avoid and report potentially malicious activity on corporate networks. Companies should also implement strong internal controls, including re-setting passwords every 90 days and restricting password re-use (by utilizing a verification service). Companies should regularly review and update firewalls and security/software patches; institute secure file sharing, advanced email and web filtering, and create separate Wi-Fi networks for third parties; and assess the cybersecurity processes of any third parties that access or retain critical data or access into your network.
Managing risk associated with third-party vendors is also important. Ensuring you’re not held responsible for mistakes or errors made by a vendor can provide critical business protection. A contract that clearly and specifically spells out which party is responsible in the event of a cyber loss — before work begins, could save your company time and expense in the event of litigation, and also help to improve crisis management following an incident. Companies should build favorable “hold harmless” agreements into contracts with third-party vendors and establish procedures to evaluate the cyber practices of third-party service providers (if applicable). In addition, contracts should be clear on overall issues of liability, whose insurer should cover the costs of an incident and which company should manage an incident. The optimum outcome is to fully transfer risk with an adequate financial backstop, although this is not always realistic.
Finally, create a detailed, tested incident plan that clearly spells out how you will deal with different kinds of cyber incidents, and how to get your systems up and running again with a minimum of disruption.
Breaches are expensive, so it’s prudent to have contingent budgets available and also review the options for covering some of the potential losses with cyber coverage. According to the 2020 NetDiligence Claims Study Report, which analyzes actual paid claims, small to mid-sized companies have been hit with an average of $175,000 in total incident costs, with crisis services averaging $131,000 and legal costs averaging $83,000. Lost income for small and mid-sized firms averaged $435,000 per incident, with business interruption costs averaging $276,000 and the expense to recover systems and files averaging $33,000. Equally as bad, there were an average of 504,000 records exposed to hackers, which produces a per-document cost of $208 on average.
First-party coverage includes reimbursement for lost revenue and expenses caused by a technology failure, computer system outage or cyberattack. Optional coverage may include contingent business interruption resulting from a third-party/supply chain event; costs to recreate or reconfigure information and electronic data assets, with additional option to include cost to replace hardware or to rebuild; and costs for notification and investigation of privacy and security breaches, including legal and forensic services, with additional option to include losses from unauthorized price alteration. First-party coverage may also include coverage of cyber extortion, cyber-crime and reputational-based income loss.
Third-party cyber coverages can include failure to prevent breaches of confidential personal information; actual or alleged failure of computer security to prevent or mitigate an Internet of Things (IoT) or computer attack; costs to defend regulatory actions and for certain fines and penalties; and penalties for PCI industry settlements, fraud recoveries, chargebacks and forensic investigations.
In today’s cyber insurance marketplace, demonstrating the above-referenced security best practices is even more important to be able to obtain cyber insurance quotes and to reduce broad brush rate increases from underwriters.
There is no perfect solution for this growing, changing problem. Companies must be fully and continually prepared, have a plan for restoring business and understand how to cover losses should a breach occur. Complacency is not an option.