Bodily harm: The next frontier for cyber
By Joshua Motta | September 12, 2018 at 05:30 AM
Imagine for a moment that your organization is the victim of a cyber attack or widespread technology failure. You’re probably picturing a data breach, ransomware, or some sort of business interruption event. Each is scary and costly in its own right. But what if the peril extended beyond a breach, financial loss, and any resulting reputational harm? What if people’s lives were at risk?
It may sound like science fiction, but bodily harm is the next frontier in cyber risk. All computers can be hacked or fail, and when they do, so too do the mechanical processes they increasingly control. Even though most cyber attacks — and computer failures — don’t start out with destructive intent, the unintended consequences of even a simple ransomware attack or systems failure can, and increasingly will, have physical consequences.
Cyber-physical risks: driven by connectivity
The root of this cyber-physical risk is that computers now control nearly every mechanical process. Cars, for example, have essentially been turned into giant computers. When you apply pressure to the brakes you no longer trigger a mechanical response, but dispatch an electronic signal that travels through the car’s onboard computer. The same is true with office buildings. Thermostats, HVAC systems and locks, among others, are now increasingly just interconnected computer systems. Hacking the network of an interconnected smart building could provide access to all connected devices. As the adoption of technology and connectivity increase, physical cyber attacks and failures have become a reality for many industries, from health care facilities to power plants, aviation to manufacturing.
The implications of a physical cyber incident are not solely confined to bodily harm; damage or impairment to tangible property, as well as damages resulting from liability to a third party, including regulatory fines or pollution liability, are all distinct possibilities. Although it may be difficult for many to imagine a scenario in which a criminal actor actively seeks to cause bodily harm or destruction of property, intent is not a prerequisite. Any attack or failure that cripples the computer systems of an organization can now disable critical safety systems, impair manufacturing processes, or even disrupt access to power, water, coolants or other critical resources. What starts off as a financially motivated attack or simple technology failure can quickly turn into something far more catastrophic. Not to mention that deliberate, motivated attacks are on the rise as well, with private corporations increasingly finding themselves on the front lines of cyberwarfare.
The risk is real
We’ve already seen many real world examples of bodily harm and physical damage resulting from cyber crime. Perhaps the most direct link between hacking and destruction occurred in a 2015 cyber attack against a German steel mill, in which hackers disrupted a control system to such a degree that the mill’s blast furnace could not be properly shut down. The following year, a Ukrainian power plant was similarly hacked, resulting in the sabotage of a regional electricity distribution network. These examples provided some all-too-real context for the threat of physical damage stemming from cyber attacks.
Equally unsettling are the unintended consequences of cyber attacks against the health care sector — from a 2017 breach of the UK’s NHS to a ransomware attack against Merck later in the same year. Both caused wide-reaching systems shutdowns and, in the case of Merck, disruptions to the production of numerous medicines and vaccines. Nor are all such examples the result of cyber crime. Earlier this year systems failures at fertility clinics in California and Ohio resulted in the damage and destruction of thousands of human eggs and embryos.
How organizations can protect themselves
Perhaps the single most important thing an organization can do to protect itself from such peril is to build redundancy into critical processes, and to separate and segment the networks used by operational technology (OT) and control systems, which should not be reachable from the Internet, from the information technology (IT) networks and computers that most organizations need on the Internet. No one can eliminate the risk of a network intrusion, but network segmentation can keep an intruder, and any malware that takes hold on one network, from spilling over onto the other and unintentionally causing bodily harm or property damage.
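The segmentation described above can be stated as a small, checkable policy. The following is an added example, not part of the article: a first-match firewall policy model in which the OT zone is neither reachable from nor able to reach the Internet, IT keeps its Internet access, and only a hardened jump subnet may cross into OT. Zone names, addresses, ports and rules are constructed for illustration.

```python
# Added example (not from the article): a first-match firewall policy model that
# encodes the segmentation described above. OT is never reachable from, nor able to
# reach, the Internet; IT keeps its Internet access and only a hardened jump subnet
# may cross into OT. Zone names, addresses and rules are constructed for illustration.
import ipaddress

ZONES = {  # constructed sample address plan
    "OT": ipaddress.ip_network("10.20.0.0/16"),        # control systems, PLCs, HMIs
    "IT": ipaddress.ip_network("10.10.0.0/16"),        # business workstations and servers
    "JUMP": ipaddress.ip_network("10.10.250.0/24"),    # admin jump hosts carved out of IT
}

def zone_of(addr):
    """Map an address to its zone; the most specific prefix wins, so JUMP beats IT."""
    ip = ipaddress.ip_address(addr)
    for name, net in sorted(ZONES.items(), key=lambda kv: -kv[1].prefixlen):
        if ip in net:
            return name
    return "INTERNET"  # anything outside the private plan is treated as Internet

# (src_zone, dst_zone, dst_port or None for any, action); first match wins,
# and the final rule denies everything that no earlier rule explicitly allowed.
POLICY = [
    ("JUMP", "OT", 22, "allow"),        # only jump hosts reach OT, and only over SSH
    ("OT", "OT", None, "allow"),        # control traffic stays inside the OT segment
    ("IT", "INTERNET", 443, "allow"),   # business IT keeps its Internet access
    ("IT", "IT", None, "allow"),
    ("*", "*", None, "deny"),           # default deny: no OT<->Internet rule exists
]

def decide(src_ip, dst_ip, port):
    """Return 'allow' or 'deny' for a flow using first-match semantics."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for rule_src, rule_dst, rule_port, action in POLICY:
        if rule_src in (src, "*") and rule_dst in (dst, "*") and rule_port in (port, None):
            return action
    return "deny"

def segmentation_holds():
    """True if the policy satisfies the invariants the article asks for."""
    checks = [
        decide("203.0.113.7", "10.20.1.5", 502) == "deny",   # Internet -> OT (Modbus) blocked
        decide("10.20.1.5", "203.0.113.7", 443) == "deny",   # OT cannot reach the Internet
        decide("10.10.3.9", "10.20.1.5", 22) == "deny",      # ordinary IT host -> OT blocked
        decide("10.10.250.4", "10.20.1.5", 22) == "allow",   # jump host -> OT permitted
        decide("10.10.3.9", "203.0.113.7", 443) == "allow",  # IT keeps Internet access
    ]
    return all(checks)
```

Running the same checks against an exported ruleset, rather than a hand-written list, is how a practitioner would confirm that an OT segment has not quietly become Internet-reachable after a change.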
Equally important as prevention is an organization’s readiness to respond when all else fails. All organizations, and particularly those using OT, should have well-documented incident response, disaster recovery and business continuity plans in place to minimize disruption and contain damage. Crisis management and communications plans should also be formulated.
Finally, organizations should seek out comprehensive cyber insurance coverage that proactively covers these new perils, with affirmative coverage for bodily injury, property damage and pollution, along with coverage for the physical replacement costs of systems or equipment damaged or destroyed during such an incident. Although there is a perception that cyber insurance is solely for responding to data breaches and hacking, it can also play an equally important role in the event of unintentional system failures, as in the fertility clinic incidents previously referenced. You can’t eliminate cyber risk, but you can eliminate the cost of it.
As many businesses have discovered, cyber attacks and failures can pose an existential risk, with simple security failures cascading into costly, if not catastrophic, losses. Given the increasing pervasiveness and severity of cyber attacks, the risks of remaining unprepared, and uninsured, are rising.
Looking to the future
We now live in a time when cyber risk encompasses literally the entire known spectrum of risk. Consequently, cyber risk is now falling across many lines of insurance. Cyber attacks can result in D&O, property, CGL, marine, aviation and even auto claims, among others. Although cyber insurance continues to expand to affirmatively cover more of this exposure, it is paramount to consider how this risk falls across an organization’s entire portfolio of insurance.
Organizations should also take stock of those aspects of the risk that are difficult if not impossible to fully cover, such as reputational harm, intellectual property loss and other intangible assets.
Looking forward, the world is becoming more and more connected, and we need a complete paradigm shift in the way that organizations, vendors and insurers think about managing this risk, as well as who covers what. In a world in which cyber attacks and technology failures can have very real and all too tangible consequences, good risk management must encompass planning for all of these possibilities.