Could a cyber risks cause disruptions to critical business infrastructure

Cyber Risks to critical business infrastructure

When a scheduled flight of a wide-body airliner is cancelled it can cost the airline up to $43,000. So you can imagine what kind of day executives at LOT, the Polish national airline, were having last year when 20 flights were cancelled after computers that issue its flight plans were breached.

“The aviation industry’s growing reliance on data networks, and onboard computer and navigation networks, is rendering it increasingly vulnerable to cyber risks,” says Erlend Munthe-Kaas of Bloomberg Intelligence. “Airlines rely on computers for almost every aspect of operations. As a result, cyber incidents can have devastating consequences, including business interruption and loss of reputation.”

“There’s beginning to be a shift beginning to educate businesses to see the wider, deeper cyber risks picture that in many cases has gone unacknowledged.”

Think of it as cyber creep. The risks aren’t just about protecting your customer’s data, although that remains important. They are insinuating themselves into every nook of your business, creating the possibility of mass disruption to operations and critical infrastructure. As the world becomes more connected, and businesses rely more on machine-to-machine communication and automated manufacturing, the cyber risks pile up. One day, production might grind to a halt. Critical transactions might not take place. Shipments could be steered to incorrect destinations. Planes might not take off.

Cumulative effects of cyber risks

Businesses in eight countries—including Japan, Germany and the U.S.—consider cyber risks the top concern to doing business, according to the World Economic Forum’s (WEF) Executive Opinion Survey of business leaders in 140 economies. The report also notes that cyber dependency is the third most important trend in shaping global development over the next 10 years. A bit of extrapolation supports a view that the cumulative effects of cyber risks are not being sufficiently taken into account.

“Cyber security and information privacy have historically been looked at as separate risks by businesses—in some cases, even isolated from other risks,” says Lori Bailey, Global Head of Special Lines, Zurich Insurance Group. “However, there’s beginning to be a shift beginning to educate businesses to see the wider, deeper cyber risks picture that in many cases has gone unacknowledged. The goal should be to develop resilience and protection, because as cyber risks accumulate it becomes more difficult to anticipate them all.”

“The main reason that boards of directors are interested in this challenge is that part of their responsibility is protecting the company’s assets, and an increasing number of those assets have cyber connections.”

The Internet of Everything (IoE), where the cyber and physical worlds collide, is fueling the accumulation of cyber risks. (The IoE, cloud computing and BYOD trends also contribute to serious systemic vulnerabilities that are difficult to quantify, and can only be managed and mitigated by public/private partnerships.) The automotive industry, for example, relies heavily on complex and highly interconnected technologies that are tightly coupled with design, assembly and distribution. Disruptions in one system puts all systems at risk, and a faulty vehicle—heavy with potential liability—might be the end result. “Unless you start thinking about cyber risks at the very beginning of the development process and perform quality assurance along the way to make sure that security is working from the beginning of design all the way through production and release to market, the marketplace will be filled with vulnerable products,” says Gerry Kane, Cybersecurity Segment Director, Zurich North America.

Who’s in charge?

As businesses transfer more and more of what they value onto digital networks, they should be thoroughly evaluating assets they are putting at risk and putting in measures to protect those. This extends beyond personally identifiable information, to areas such as intellectual property, confidential internal communication and, increasingly, physical objects and infrastructure. How are these assets guarded? How would the company respond if they were attacked? And where does the responsibility for these and all other cyber risks sit within the business?

“What’s important in the board room is having a translation between what’s happening on the IT security side and what the board needs to do to understand the risks.”

Businesses are becoming increasingly aware that cyber risks must be managed at the board room level. Gus Coldebella, former Acting General Counsel, U.S. Department of Homeland Security, and Principal, Fish & Richardson, a global patent and intellectual property law firm, says: “This is partly due to the attention paid to cyber incidents in the media and greater scrutiny on companies that may have experienced cybersecurity incidents. The main reason that boards of directors are interested in this challenge is that part of their responsibility is protecting the company’s assets, and an increasing number of those assets have cyber connections.”

In Coldebella’s view, it’s a mistake to assume that boards don’t have the interest or capability to take part in the management of cyber risks. “What’s important in the board room is having a translation between what’s happening on the IT security side and what the board needs to do to understand the risks, to mitigate the risks, to assume the risks and to insure against the risks,” he says. “Part of that is making the circle bigger. If you just have the directors and IT security people in the room, you’re going to end up talking about which box we just bought to solve this problem. If you have the legal department, HR and finance in the room at the same time, you can tilt that conversation to types of questions that boards have been effectively answering since time immemorial.”

“Public company directors can grapple with these questions and should, whether or not there is someone with an IT background on the board.”

Many boards today are considering adding a director with an information security background, and some regulatory bodies are considering making such an appointment mandatory. Such a requirement, however, could unintentionally imply that boards should not or cannot oversee the management of cyber risks.

“Public company directors can grapple with these questions and should, whether or not there is someone with an IT background on the board,” says Coldebella. “Requiring such a seat at the board table would almost send a message to all of the other public company directors that they should just let the tech guy worry about cyber risks. And that is not the right way to address this growing challenge.”

Key takeaways

  • Cyber risks aren’t isolated breaches. They accumulate with the potential to disrupt every aspect of business operations and infrastructure.
  • The cumulative effects of cyber risks are not being taken into account by most businesses.
  • The Internet of Everything fuels cyber risks accumulation to a level that requires consistent board-level attention.
  • As businesses transfer valuable assets onto digital networks, they should consider what they are trying to protect, and how to protect it.
  • “Translating” technology risks appropriately will help boards take the lead in managing and mitigating cyber risks.

Source: Lori Bailey
Global Head of Special Lines Zurich

First Published April 11, 2016

Need Cyber Insurance?

Compare Cyber Insurance

1300-Insure

Please note Cyberliabilitycomparison.com.au Insurance News is an information service sometimes provided by third parties Insure 247 Australia doesn’t warrants the accuracy of any information contained there in, readers should make their own enquiry’s before relying on information in the stories Terms of Service

Compare Australian Cyber Insurers

Please note that any advice given has been provided without taking into account your objectives, financial situation or needs. It is also based on information we have obtained from you. You must ensure the information is accurate and complete. Otherwise, this advice may be based on inaccurate or incomplete information. You should consider whether the advice is appropriate in light of your objectives, financial situation and needs

 

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.