The next cyber frontier: Attacks on operational technology

WestRock, the second-largest packaging company in the United States, recently fell victim to a ransomware attack that impacted some of its core operational technology (OT) systems and hindered production.

The manufacturing giant, which has more than 320 facilities around the world, catering to the packaging needs of high-profile clients like Heinz and Home Depot, first announced the ransomware incident on January 25, 2021. The cyberattack impacted key OT systems in select WestRock factories, including the mill system production and packaging-converting operations, which caused production levels to lag.

In a company update released on February 05, WestRock said its “mill system production through February 04 was approximately 85,000 tons lower than plan”. In response to the attack, the manufacturer had to implement business continuity processes, and initiate response containment protocols with the support of cybersecurity experts, including proactively shutting down certain systems in an abundance of caution. 

“Companies that rely on operational technology, like those in the manufacturing sector, are becoming increasingly vulnerable to ransomware and other cyber-related risks,” said Christopher Keegan, senior managing director, and cyber and technology practice leader for Beecher Carlson, a Brown & Brown company. “As the ransomware threat actors get more sophisticated, they’re targeting OT systems as well as network technology.

“The level of sophistication behind OT systems has reached a point where software is running manufacturing operations. If that software can be compromised, the expense, time and energy needed to replace that equipment could potentially be much more significant than the cost of replacing data on a workstation or server.”

The immediate impact of a cyberattack on OT is business interruption, especially if a manufacturer’s logistics and supply chain processes go down. This was the case in March of 2019, when Norsk Hydro ASA, one of the world’s largest aluminum producers, experienced production outages after being hit with ransomware that affected the manufacturer’s operations in Europe and the United States.

The longer-term impacts include potential reputational damage, management liability issues, and, with regard to recovery, possible challenges and uncertainty around insurance coverage, including which policies should respond to cyber-triggered property damage and contingent business interruption claims.

This relates to the concept of silent cyber, which refers to potential cyber-related losses stemming from traditional property and liability policies that were not specifically designed to cover cyber risk. In recent years, there has been some market movement on the issue of silent cyber following many calls from brokers and an announcement from Lloyd’s of London in 2019 that it would require all insurance policies to clearly state whether they will or will not provide affirmative cyber coverage.

“We’ve seen the extension of cyber policies to cover contingent business interruption on the upstream and downstream parts of the supply chain. We’ve also seen a push from the brokerage side to expand coverage in the cyber market out to property damage and bodily injury,” Keegan told Insurance Business. “A good number of insurers have responded to that. We’ve been able to get quotes and put programs in place to cover those types of incident, whether it’s the possibility of [cyber-triggered] explosions or pipelines being vandalized.

“There are examples of transportation networks, utilities, and energy companies being impacted. I think this is going to become a key focus in the cyber industry – which parts of the market are going to cover different types of cyber exposures. I think it’s likely, based on the progress we’ve seen so far, that most cyber risks are going to end up in the cyber market rather than the property and casualty markets.”

The interesting dynamic, according to Keegan, is that the push for more cyber-related risks to land in the actual cyber market is happening at a time when the cyber market is tightening. With the frequency and severity of ransomware incidents hitting record heights in recent years, insurers have reacted by seeking more rate and shoring up their underwriting guidelines. Some have even started sub-limiting ransomware and applying co-insurance provisions, forcing insureds to share more of the risk.

When asked how the market should respond to these challenges, Keegan replied: “The key to all of this is dynamism in the marketplace. This is a very fluid and fast-paced market.”