A New Jersey manufacturer of life science products fell for a phishing attack hook, line and sinker. But, as the company's accountant tells the story, it was the kind of scam that would have tricked almost anyone.
In spring of 2016, the manufacturer's head of human resources received an email from the CFO, asking her to open an attachment with instructions to compile a report that would include the W2 tax information of the company's 1,200 employees. Days after preparing and emailing the report, when she had not heard anything, she asked the CFO if he had received it. He replied, "What report?"
That's a story Anurag Sharma, principal of the accounting firm WithumSmith+Brown's cybersecurity practice, shares to support his pitch for why manufacturers should purchase cyber-risk insurance, also known as cyberinsurance or cyber liability insurance coverage.
A hacker spoofed the CFO's email address, leading the HR executive to believe she was actually communicating with a colleague, a scam that can befall even the most tech savvy, Sharma said.
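The spoofed-CFO request above, as an added illustration of the checks a mail gateway or SOC script can run before such a message reaches HR (not code from the article or from the firms it quotes; the domains, addresses and the Authentication-Results line are constructed placeholders):

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample modelled on the incident: From shows the CFO's address,
# but the receiving gateway recorded SPF/DMARC failures and the message
# carries a Reply-To at an outside domain. All values are made up.
SAMPLE_RAW = """\
Authentication-Results: mx.example-mfg.com; spf=fail smtp.mailfrom=attacker.example; dmarc=fail header.from=example-mfg.com
From: "Chris CFO" <cfo@example-mfg.com>
Reply-To: cfo.example-mfg@webmail.example
To: hr@example-mfg.com
Subject: W2 report for all employees

Please compile the attached report with each employee's W2 information.
"""

INTERNAL_DOMAIN = "example-mfg.com"            # assumed company domain
SENSITIVE_TERMS = ("w2", "w-2", "payroll", "wire transfer", "ssn")

def domain_of(addr):
    """Lower-cased domain part of an address header value ('' if none)."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def auth_results(msg):
    """Collect spf=/dkim=/dmarc= verdicts from Authentication-Results headers."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(hdr), re.I):
            results[mech.lower()] = verdict.lower()
    return results

def bec_indicators(raw):
    """Return the indicators that a message impersonates an insider."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    from_dom = domain_of(msg["From"] or "")
    reply_dom = domain_of(msg["Reply-To"] or "")
    if from_dom == INTERNAL_DOMAIN and auth_results(msg).get("dmarc") != "pass":
        flags.append("internal From domain without DMARC pass")
    if reply_dom and reply_dom != from_dom:
        flags.append("Reply-To domain differs from From domain")
    body = msg.get_body(preferencelist=("plain",))
    text = (msg["Subject"] or "") + " " + (body.get_content() if body else "")
    if any(t in text.lower() for t in SENSITIVE_TERMS):
        flags.append("requests sensitive payroll/tax data")
    return flags
```

A message raising the first flag together with the third is the pattern from the article; routing it to quarantine or to a second-channel confirmation step is the control that would have stopped the W-2 disclosure.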
As the cyberinsurance industry wants to communicate to prospective customers, cleanup from a data breach is costly and complex, and no one is immune to an attack. The manufacturer, for example, had to hire a credit monitoring service to ensure the 1,200 employees' personally identifiable information (PII) wasn't illicitly used.
But between having faith in their cybersecurity programs -- and their employees' vigilance -- and thinking their industry isn't attractive to hackers because they don't deal with consumer PII, many manufacturers believe they don't need a cyber-risk insurance policy.
Whether they do or do not depends on whom you ask. Insurers expectedly say manufacturers should strongly consider cyber-risk insurance because, even if the manufacturers are not handling customers' PII, they're storing employee PII, vendor data and their own sensitive financial and operational information. Moreover, insurers say, manufacturers are at risk of a breach-initiated industrial shutdown.
"If there's internet connectivity, and a hacker's only goal [is] system manipulation to cause injury or damage infrastructure, that type of loss would be focused on with cyberinsurance," said Rob Rosenzweig, a vice president and the national cyber-risk practice leader at Risk Strategies Company. "Even if a manufacturer has limited internet, it has to ask, 'Is that enough for a bad actor to cause damage?'"
But Gartner analyst John Wheeler tells manufacturers that have no consumer component to their businesses that they shouldn't rush to cyberinsurance because it is, in many ways, duplicative of current coverage.
"There's a lot of hype out there with cyberinsurance," Wheeler said.
Beyond the hype, insurers are carving out cyber-specific products from their standard policies as a way to increase business and downsize their share of risk, he added.
Most companies aren't publicizing, or even privately sharing, the details behind breaches from which they've suffered, so the insurance industry lacks the information needed to set standard coverage amounts. Insurers are instead underwriting policies on a case-by-case basis, asking companies to detail their security practices, and then crafting policies -- with limits and exclusions -- to cover the gaps.
The cyberinsurance industry is immature, Wheeler said, adding that, "The policies are conservative."
Cyber-risk insurance: Duplicative or proactive?
The Risk and Insurance Management Society found that 80% of 272 surveyed companies bought a stand-alone cybersecurity policy in 2016, and almost 70% of them transferred risk of cyberexposure to a third party.
It's difficult to pinpoint how many manufacturers have cyberinsurance, but many signs indicate they lag behind customer-facing companies in securing this specialized coverage.
Insurers believe that's because many manufacturers have a relatively low number of digital channels, in contrast with consumer-focused companies, which could have as many as thousands of digital entry points. Many manufacturers have only a website and one email domain, and they believe they don't face tremendous risk, leading them to decide cyberinsurance would only duplicate general liability coverage.
According to Wheeler, first-party cyber-risk insurance is designed to be a cost-recovery tool for consumer-related breaches, regulatory penalties from the mishandling of data, the cost of credit monitoring and post-breach forensic investigation, and, occasionally, payments for ransomware. But most of those areas can be covered with general liability policies. Also, third-party cyberinsurance provides limited coverage on the cost of damages incurred by an outside breach.
Rather than investing in a cyber-specific policy, Wheeler recommended that most manufacturers should first strengthen their cybersecurity programs, and then closely review their general liability and property and casualty insurance for cyber-related event coverage.
But Rosenzweig urged manufacturers to think of cyberinsurance as a proactive policy plan that's akin to having an attorney on retainer. Cyberinsurance covers the costs of hiring the cyberexperts that manufacturers need to hire after a system compromise or the unauthorized disclosure of data.
"If you're a mid-market company, you might not have a chief breach officer, or you're outsourcing those duties," Rosenzweig said. "So it's all the more important to know what should happen when those incidents happen. There are so many moving parts to breach response."
Cyber-specific coverage also pushes risk off the balance sheet, he added.
Look under the policy's hood
Sharma of WithumSmith+Brown said upfront that the cyber-risk insurance industry is evolving and challenging.
"Each insurer handles it differently," he said. "There is no standard clause."
He recommends that manufacturers ask prospective brokers to list the cyber situations they cover, how much deductibles are and how much the insurer covers.
"Make sure the list of coverage is complete," Sharma said. "Make sure no clauses would lead to exposure for them, [causing] their claim [to] be denied."
If a manufacturer does consider cyberinsurance, Wheeler advised looking at not just product and coverage, but also under the hood. For example, insurers recognize that cyber-risk is so diffuse and complex that their policies cover breaches that specifically target an organization, but they don't cover an event that's caused by a widespread virus that hits many businesses.