Posted in News on 17 Dec 2019
Cyber risk for critical infrastructure has increased exponentially in recent years. Ironically, the increased use of technology to better operational efficiency has also created new opportunities for would-be attackers to disrupt an organisation.
Businesses can never fully eliminate the risk of a Cyber incident, however having a comprehensive and fit for purpose Cyber insurance policy in place to help manage the impact when things go wrong, is these days one of the ways that is considered best practice from a risk management perspective.
For the past few months Alesco’s Cyber team has been working closely with a large municipal utility provider in Northeast Florida to deliver a risk transfer option to help protect them in the event of an attack. As well as the loss of personally identifiable information, this client was also concerned about physical damage to systems and property as a result of Cyber attack (essentially Non Damage Business Interruption (BI) – something that is not typically covered as standard under many Cyber policies. In our experience, clients typically focus on the risk associated with a Cyber event through the lens of a data or privacy breach, particularly as this area has vast amounts of regulation surrounding it (HIPPA, GDPR etc). However, for businesses in the power sector, which often operate large numbers of Industrial Control Systems (ICS), the potential for considerable physical damage is always present and poses a large risk to the balance sheet. Unlike data breaches, there are currently no regulations in place that requires businesses to report when physical damage as a result of Cyber incident has occurred, so the value of damage reported by international businesses to date may not even be close to the actual value of damage incurred.
Historically, Industrial Control Systems and utility infrastructure have operated on their own segregated networks, but with the increase in Internet of Things (IoT) devices and internet connectivity, these network segregations, also known as ‘air gaps,’ are being watered down. Even when great care is taken to make sure critical systems are not connected to the internet in any way, infiltration still occurs (like the Stuxnet virus which was introduced via a USB stick). Similarly, Havex was a remote access Trojan (RAT) discovered in 2013 specifically designed to target industrial control systems. Havex is estimated to have impacted as many as 2,000 infrastructure sites mostly located in Europe and the United States. Spread by Original Equipment Manufacturer (OEM) Vendors delivering upgrades, the virus targeted energy grid operators, major electricity generation firms, petroleum pipeline operators, and industrial equipment providers. Once infected, Havex scanned the system to locate any Supervisory Control and Data Acquisition (SCADA) or ICS devices on the network, sending detailed confidential information back to command and control servers.
To find an insurance solution which satisfied the specialist need of our client, Alesco worked closely with one of the market leading insurers that specialises in Cyber property damage. Their proprietary wording combines coverage for standard Cyber liability (CY risk code) with the physical damage element (CZ). Their product is able to provide coverage for Property Damage, Debris Removal, Bodily Injury and Business Interruption from both Physical and Non-Physical events. Other enhancements were made to the wording, including Failure to Supply and System Failure trigger language, giving cover for ‘any unintentional or unplanned outage of the computer system of an insured organization or a third party service provider. Making sure the policy provided is fit for purpose is key when talking about a coverage which is typically excluded in other lines of insurance, affirmative language is crucial to remove ambiguity in the event of a claim.Modern business-wide cyber losses are far broader than just the loss of company data, and as such, enterprises should be reviewing their own exposures and consider effective risk transfer options like insurance. Alesco’s Cyber team can assist the power sector in the risk identification, mitigation and transfer of this ever-evolving and complex risk.
FOR MORE INFORMATION, PLEASE CONTACT
Max Carroll | Account Executive
T +44 (0)77 29442394 | E. Max_Carroll@alescorms.com
 J. Meserve, "Sources: Staged cyber attack reveals vulnerability in power grid," 26 September 2007. [Online]. Available: http://www.cnn.com/2007/US/09/26/power.at.risk/
 D. Kushner, "The Real Story of Stuxnet," 26 February 2013. [Online]. Available: https://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet
 Matthew G. Angle Stuart Madnick James L. Kirtley, Jr. “Identifying and Anticipating Cyber Attacks that could cause Physical Damage to Industrial Control Systems” Working Paper CISL# 2017-14 August 2017 (revised May 1, 2019)
 NJCCIC, ICS Malware, Havex, https://www.cyber.nj.gov/threat-profiles/ics-malware-variants/havex
 K. Zetter, "There’s a Scary Easy Way for Hackers to Remotely Attack Industrial Motors," 13 January 2016.[Online].Available: https://slate.com/technology/2016/01/vulnerability-lets-hackers-burn-industrial-motors.html
 Jordan Robertson and Michael Riley, "Mysterious ’08 Turkey Pipeline Blast Opened New Cyberwar," 10 December 2014. [Online]. Available: https://www.bloomberg.com/news/articles/2014-12-10/mysterious-08-turkey-pipeline-blast-opened-new-cyberwar
Alesco is a specialist insurance and risk management business located in the heart of the City of London. Founded in 2008 by a team of experienced professionals, we provide a wide range of risk-management services and insurance solutions which are fundamental for protecting organisations. We work closely with underwriters in the London markets, in key global insurance centres, and with local broking partners in 150 countries.
CONDITIONS AND LIMITATIONS
This information is not intended to constitute any form of opinion or specific guidance and recipients should not infer any opinion or specific guidance from its content. Recipients should not rely exclusively on the information contained in the bulletin and should make decisions based on a full consideration of all available information. We make no warranties, express or implied, as to the accuracy, reliability or correctness of the information provided. We and our officers, employees or agents shall not be responsible for any loss whatsoever arising from the recipient’s reliance upon any information we provide and exclude liability for the statistical content to fullest extent permitted by law.