How to Approach Maritime Cyber Security
Be the Hammer, not the Nail when it comes to Maritime Cyber Security
Maritime security professionals understand the value of a layered approach to risk management. Cyber security posture continues to develop as a critical component of a maritime security strategy, and cyber security insurance has become a valuable layer of protection that risk managers must consider.
While the insurance industry has decades or more of actuarial data on various kinds of risk (typhoons, tornados, earthquakes, etc.), no such substantive data exists yet for cyber risk.
In June 2014, the Center for Strategic and International Studies [CSIS] cited statistics that should get any risk manager’s attention in the maritime industry: at least 3,000 U.S. companies were the victims of some kind of cyber crime last year, and the global cost of this problem is estimated to exceed $400 billion. The bad news is that in reality, these numbers are likely higher, since some of these costs are difficult to measure. The good news, if there is any, is that C-Suite executives and corporate boards are beginning to focus on cyber risk management in a meaningful way. Since the maritime industry is truly a data-driven environment, cyber security has to be part of the risk management equation.
The Three Things
The basic approach to incorporating cyber security insurance into any maritime risk management portfolio has three primary components. These essential elements are:
INFORM When the right questions are asked, and intelligence resources are tailored to a firm’s discreet business profile, those resources can expose and illuminate weaknesses and vulnerabilities. Significant capabilities are currently available to risk managers to manage security intelligence through world-class field operators. The best front-end information management solutions will provide firms with the input required to identify and respond to actual global threat activity. When cyber threat responses are tailored by specific intelligence relevant to a particular business, maritime security executives can optimize the impact of their security operations and cyber risk management programs.
ASSESS There are multiple assessment tools and methodologies being offered in the marketplace which can come bundled with a virtually endless combination of deliverables and assessment output. This has caused some confusion with regard to what constitutes an appropriate cyber security assessment. Unfortunately, the current approach to risk assessment often gets reduced to a “check-the-box” exercise. Firms are better served to assess actual versus general risk. Reviews of internal policies, governance, and operations, as well as a gap analysis focused on accepted industry standards and best practices should be included in any assessment. Additionally, it is important that firms evaluate all network endpoints to look for exposures. It is important to include a firm’s technology team as a risk assessment partner. Including key stakeholders directly into the assessment process enhances the results. The CISO / CTO, or equivalent, are often armed with the best possible real-time data and informed business cases that are directly relevant to C-Suite executives and other key corporate leaders. Once the entire network is evaluated, expert assessors can determine whether companies are prepared to deal with the specific threats and risks that are likely to impact the firm.
ACT By using assessment output as a risk management work list, firms can work with their insurers to directly manage their specific risk profile and, subsequently, lower their premiums. Risk managers should suggest this kind of collaborative effort to their insurers. Because a world-class assessment process will typically identify actual vulnerabilities, exposures, and potential network problems, this information can also be used to inform an insurance underwriting decision. When a collaborative effort is made to assess vulnerabilities, firms can begin to immediately work with their insurer to take action focused on risk mitigation. Like in other maritime insurance specialties, the cyber liability insurance carrier will demand that both parties work together in this way. Establishing a regular and open dialogue, allows for ideas to be shared, and actively builds on mutual trust.
Manage Risk Before it Manages You
The goal should not be to completely eliminate cyber security risk, because that isn’t possible. A realistic objective is to manage risk rather than to eliminate it. This means that cyber risk management initiatives start with leadership. Many firms lack the time and resources to study the profiles, capabilities and motivations of all potential adversaries. But resources are available in the security market to help corporate leaders of any sized organization prepare for disruptive events. By working with experts to understand risk appetite (tolerance for risk), and the corresponding level of preparedness, maritime industry leaders can make informed risk management decisions about cyber security.
In the maritime industry, intellectual property and proprietary data about shippers, carries, commodity types and consignees can truly be a firm’s crown jewels – their prized possession that ensures a competitive advantage and anchors their ability to survive disruptive events. So what does it mean in terms of corporate viability when those crown jewels are at risk? There are numerous, recent examples where a single cyber security-related incident proved to be catastrophic.
Insurers need to understand the risk profile of a particular candidate insured in order to inform their underwriting decisions. But how do they predict the unpredictable? Cyber threats are developing and being identified at a very rapid pace. And inherently unpredictable behavior presents a dilemma for most insurance companies as they try to evaluate cyber risk in the maritime industry. Insurers and insureds who place emphasis on cyber security intelligence, and assessment data, are best positioned to collaboratively mitigate risk. Firms that subscribe to this Intelligent Cyber Insurance approach have the greatest potential for success.
Corporate Boards and Chief Executives should be asking the hard questions: If a cyber security breach does occur, is the firm prepared to rapidly remediate and re-constitute business operations? Who will be the lead agent in charge of the various aspects of the response and remediation? Which executive has been assigned to provide timely and accurate information to employees, customers, and to the press? Is the firm prepared for the various legal and regulatory compliance tasks that may result from a breach? And when was the last time that the IT, security, legal, and human resources teams met to plan for contingencies? Cyber security should not be treated as just another Information Technology [IT] challenge in the maritime industry. That approach over-simplifies and under-estimates the threat…and has a high probability of failure. Maritime firms are better served to cultivate a culture of security and resiliency and to counter cyber threats by investing in a layered approach to risk management.
Dress for Success
A “well-dressed” risk manager should be looking to include as many of the following cyber security insurance policy features and benefits into their risk management approach as possible:
General protections: Do you have coverage for loss in profits as a result of negative press? Is the jurisdiction of your policy worldwide, with a provision that claims can be brought outside of the U.S.? Does your policy include coverage for accidental damage or destruction, and administrative mistakes? If your reporting period doesn’t extend to 3 years, you should think about re-negotiating your coverage.
Regulatory and Compliance Coverage: Are you covered for expenses related to voluntary customer notifications? Can you claim losses related to exposure of commercial, corporate and employee confidential information?
Business Interruption Coverage: Does your policy cover privacy liability and losses related to cyber extortion? Can you claim expenses related to crisis event management, and dependent business income lass? Can you get reimbursed for digital asset restoration expenses? Are security breach response costs covered?
Collaborative risk partnership: Are you and your insurance carrier in consistent dialogue over Cyber Liability issues? Is the carrier assisting you in driving the firm’s culture towards active cyber security.
Exclusions: Finally, what is truly covered and what is excluded in your policy? Many policies exclude Terrorism, Acts of War, and State-Sponsored Criminal Activity. Does the Cyber policy you currently have or do the policies you are currently considering cover these emerging and destructive risks? Risks driven by a “Lone Wolf” hacker are now a small portion of cyber criminality. Sophisticated, “state-sponsored” cyber attacks have become increasingly more common and devastating to global businesses.
Commercial survival may depend upon the ability to rapidly reconstitute business operations following a major disruptive event. If your insurance broker hasn’t already provided you with cyber coverage that facilitates follow-up procedures for discovered threats; access to rapid, post-incident response resources; implementation/integration of monitoring and enterprise forensic tools; and regular analysis of security policies including physical security, internal controls, and data backup, then you may need to reconsider your coverage options.
Be the Hammer
While short-term consequences of a breach are usually fairly obvious, the long-term consequences are not as clear. According to the U.S. House of Representatives, Small Business Sub-Committee on Health and Technology, approximately 60% of small businesses close their doors within half a year of being victimized by cyber crime. Costs associated with finding & fixing vulnerabilities, updating systems, as well as public relations expenses and legal fees, can conspire to destroy previously viable enterprises.
There are four words that no corporate executive wants to hear: “the network is down.” Stakes may have never been higher related to the financial and reputational risk tied to cyber security threats. Target’s fourth-quarter earnings release in February 2014, revealed that it incurred $61 million in breach-related expenses following their very public cyber problem. After the company received insurance payments, its net expenses for the hacking incident still totaled approximately $17 million. Few companies can afford this type of “shock” loss and must look to the insurance industry in order to transfer some of their risk, and to tap into industry expertise that can provide risk mitigation support.
Maritime professionals will continue to be held accountable by customers, shareholders, and the general public for their security decisions. A comprehensive cyber insurance program can serve as focal-point for closing cyber security gaps, and investing in resiliency. The right underwriting process can lead to assessing, correcting, and even predicting cyber exposures and their potential business impact in the maritime industry. In order to position their firm to be insurable, risk managers must have access to the requisite cyber risk mitigation expertise, be able to identify and understand cyber risk profiles, and be familiar with existing cyber security insurance coverages and exclusions. Deciding how much cyber liability insurance to invest in, prior to experiencing a significant breach, requires informed and inspired leadership. Corporate risk management policies, plans, procedures and governance are incomplete without a consideration for cyber security insurance. Be the hammer, not the nail.
Luke Ritter is Executive Vice President at Ridge Global, a firm affiliated with Ridge Insurance Solutions Company (RISCO). John Baskam is Chief Underwriting Officer at Ridge Insurance Solutions Company (RISCO).
(As published in the March 2015 edition of Maritime Reporter & Engineering News - http://magazines.marinelink.com/Magazines/MaritimeReporter)