Fullcover

Cyber risks within Supply Chains

Cyber exposure is a serious risk not only to the traditional buyer of cyber insurance (large-scale data owners and processors worried about their privacy and data protection liability) but to any business relying on a physical supply chain. Mauro Signorelli, Senior Cyber and Technology Underwriter at Aspen Insurance, looks at why brokers have to work with clients and underwriters to avoid unforeseen gaps in coverage and to assess how different policies interact.


The way in which organisations protect information assets, corporate networks and manufacturing systems is rapidly evolving to meet the ever-changing threat landscape. As the complexity of corporate networks has grown, so has the sophistication of cyber attacks. Recent trends suggest a move by criminals away from targeted attacks on large-scale information processors, with the intention to steal trade secrets, credit card numbers and personally identifiable information, toward attacks designed to create disruption in the physical world. Business supply chains have become a multifaceted and interconnected web of software developers, cloud computing providers, outsourced operations, component manufacturers, raw material suppliers and a plethora of other downstream clients and vendors. Ensuring the control and security of the supply chain has become a matter of ever-increasing significance, with failures capable of crippling business operations, be it an automotive manufacturer reliant on inventory management and just-in-time production, or an application provider dependent on an outsourced cloud solution. As evidence of this diversification of approach by malicious actors, surveys show that 48 percent of UK manufacturers have been subject to a cyber security incident [1], with half of them suffering financial loss or disruption to business as a result.

These core business operations rely on industrial control systems, which can be broken down into three main groups: Programmable Logic Controllers (PLCs); Supervisory Control and Data Acquisition (SCADA) systems; and Distributed Control Systems (DCS). These systems have become a focus of recent attacks involving 'CrashOverride', a malware targeting electrical grid operations which caused a Ukrainian power outage, and 'Trisis', a malware targeted at safety instrumented systems, the control units dedicated to bringing a plant to a safe state when something goes wrong [2]. Given the highly disruptive capability of these attacks, activity in the industrial control system space is only set to increase.

The potential impact has been demonstrated through the multi-million dollar losses suffered by Maersk, TNT Express and Mondelēz, to name just a few, the root cause of which was NotPetya, a destructive encryption malware presented as ransomware. It was delivered through a trojanised update of accounting software (M.E.Doc) used by many multinational organisations to process tax payments for their Ukrainian subsidiaries, and then spread across internal networks by exploiting unpatched Windows hosts and harvesting credentials. Banks, airports, manufacturers and logistics companies across the world were paralysed as a result [3]. In another instance, a trojanised build of the popular utility tool CCleaner was distributed through its official download channel to more than two million PC users [4]; no vulnerability in the tool itself was needed, since the attackers had compromised the vendor's build and release process. In a separate case, it was reported that hackable chips had been implanted into devices and systems via Supermicro production facilities, ultimately affecting the servers of nearly 30 U.S. companies [5]; the companies named in that report have publicly denied it and the claims have not been independently confirmed. The examples are numerous and growing in frequency.

Supply chain exploits have traditionally involved software attacks carried out by malicious actors attempting to access a network through third parties' connections to it. However, hardware vulnerabilities being exploited, and motherboards and microchips becoming a stealth doorway into companies' networks, is a more recent trend. The reported Supermicro implant, combined with the fallout of the Spectre and Meltdown processor vulnerabilities, demonstrates the potential for systemic hardware issues, whether deliberate implants or design flaws present in every unit of an affected generation, to materially impact the supply chain and physical capabilities of any business.

The cyber insurance market has already taken important steps to address these exposures by helping insureds protect themselves against supply chain risk. Clients are increasingly seeking the extension of Business Interruption cover to include events that occur at third-party IT vendors, resulting in a loss of income and additional expenses incurred to mitigate the impact. A recent challenge has been requests to expand this cover to include non-IT vendors. This opens insurers up to claims arising from a failure of IT infrastructure occurring at the premises of any of the insured's suppliers, regardless of the type of service or product delivered. This is a material exposure which is almost impossible to underwrite adequately.

With the absence of information and lack of direct oversight over third-party controls and procedures, it is as difficult for businesses to protect themselves from third-party risk as it is for underwriters to assess the exposure. However, there are key practices underwriters can look for when considering supply chain exposure within a business and the potential loss scenarios emanating from it. These include businesses conducting appropriate due diligence and vendor audits and ensuring that vendors' security controls are of an equivalent level to, or exceed, the insured's own. Underwriters can also look for assurances that the insured limits vendors' network access to what is needed for critical business operations, ideally with vendors operating on a segregated part of the network and authenticating with multi-factor authentication. Securing against hardware vulnerabilities within industrial control units can be more difficult given that these systems tend to be older (and therefore harder to patch), have a broader attack surface, are less standardised and are generally not designed to operate in a highly connected environment. As such, businesses should have a good understanding of the risks and consequences before integrating these historically air-gapped systems into an interconnected network.

When transferring these risks to the insurance market, additional complexities must be considered. For example, there is often an overlap between standalone cyber policies and other insurance lines, particularly property and casualty, where, in the absence of a specific cyber exclusion, there is debate over whether cyber cover is provided: so-called 'silent' or non-affirmative cyber. This can cause confusion in how different policies will respond and may delay the mitigation and settlement of claims as a result. This situation arose in a recent incident involving a large pharmaceutical company, where, parallel to the cyber policy, there was a property programme in place that did not exclude business interruption coverage relating to a cyber event [6].

Confusion surrounding this issue can materially affect the size of a potential claim given the urgency for response and mitigation demanded by a cyber event. Most cyber policies offer a panel of breach response and forensics firms, which the insured can call upon to mitigate potential breach events. Clients should look for insurers that provide direct access to industry-leading breach consultation and PR expertise to help mitigate further damage to their brand. It is always preferable for the insured to call an expert for advice on a non-event than to have it go unresolved and grow into a material loss that causes significant damage to their reputation, which is then difficult to recover from and rebuild.

As businesses continue to adapt to the ever-increasing complexities of supply chain exposure and the evolving threat landscape, the insurance market is stepping in to ensure peace of mind and clarity of coverage in a world of increasingly intangible risk. However, brokers have to work hard to ensure the overlap of coverage is analysed and discussed thoroughly at the placement stage, both with clients and underwriters, in order to prevent unintended gaps in coverage and ensure the interaction of different policies does not become an afterthought in the event of a serious issue.

Mauro Signorelli
Joined Aspen Insurance in February 2017 and is a Senior Underwriter in the Aspen Insurance Global Tech E&O and Cyber team. Based in London, he focuses on the growth of the international cyber portfolio by writing large and complex risks. He has extensive experience as an underwriter in international technology and cyber, having insured some of the largest European corporations. Before joining Aspen Insurance, Mauro spent five years at XL Catlin leading the development of their European strategy in the space. Prior to that, he worked for AIG and trained at Simmons & Simmons as a lawyer. Having worked in Milan, Paris and London, he has an in-depth knowledge of the European market and is fluent in Italian and Spanish. Mauro has a Masters in Law and maintains a Certified Information Privacy Technologist (CIPT) designation.



1. www.computerweekly.com/news/252439718/Nearly-half-of-UK-manufacturers-hit-by-cyber-attacks
2. www.computerweekly.com/news/252436129/Cyber-threat-to-industrial-control-systems-highest-yet
3. www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world
4. www.thehackernews.com/2018/04/ccleaner-malware-attack.html
5. www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies
6. www.mobile.royalgazette.com/re-insurance/article/20170915/insurers-grappling-with-scale-of-cyber-risk&template=mobileart 



