By now, risk managers are well-versed in the concept of a data breach in which information is accessed or stolen by hackers. But the cyber risk of the future is far more threatening, extending to property damage and even loss of life.
As industries increasingly blend automation with operational technology (OT), the idea that a cyberattack could cause severe consequential losses is becoming ever more realistic.
The use of OT – hardware and software involved in the direct monitoring or control of physical devices, processes and events – is becoming more intertwined with cybersecurity as businesses’ reliance on technology grows. Those in the energy sector, such as oil and gas firms, as well as manufacturing, are likely to have the biggest risks to contend with.
“There are certainly a lot of near misses out there. There are some well documented cases of some pipelines being interfered with, some examples of oil rigs losing their dynamic positioning because of interference with their systems,” said Dominick Hoare, chief underwriting officer at Munich Re Syndicate.
For organizations in those sectors, cybersecurity now often sits at the top of the risk agenda.
“It is very much growing. Risk managers are increasingly aware, and it’s about trying to get everyone to understand the idea that however good your cybersecurity is, it can never be 100% perfect. It’s that security gap that the insurance product can help fill,” Hoare told Corporate Risk and Insurance.
In the oil and gas sector, there has been something of a lag when it comes to cybersecurity investment up until now.
“It wasn’t that long ago that we had a crude oil price below $50. That meant cash flow was very tight. Perhaps the investment wasn’t made to the extent that it should have been back then, so there’s a bit of catch up now. That’s something we can very much help those clients with in terms of analyzing and isolating concerns in their cybersecurity,” Hoare said.
But though the awareness is growing among the risk management community, it is likely to be hindered somewhat by the lack of claims history when it comes to physical losses as a result of cyber.
“As of yet, we fortunately haven’t had a loss of life, loss of property or big pollution event [caused by a cyber trigger],” commented the CUO. “But we get a sense that as the industry becomes more automated, it will happen, and I think risk managers are also clearer in their own heads that this may happen too.”
Many in the C-suite are already focused on the significance of the risks that come with cyber exposures.
“I think they get it. They have a lot of pressure from their board members and shareholders to address cyber. It’s growing all the time,” Hoare said. “Everyone now wants to have that conversation, whether they buy the insurance or not. They want to talk about it, hear about it and find out what’s available.