How to line up your cyber defences
Kevin Richards, global cyber risk leader at Marsh, outlines key cyber risks and ways to counter them in a hyper-connected era
For all its benefits, our hyper-connected world brings a new set of challenges. Let us be honest: cyber-attacks are a clear and present threat to every business in the Middle East and beyond. This is especially critical for the energy sector, whose digital backbone is vulnerable to failures from many sources, ranging from human error, which might be innocent, to software failures in systems developed within the sector's increasingly complex supply chain or operations. Threats from both inside and outside an organisation continue to grow.
A wide range of malicious external actors target power grids, often motivated by financial goals such as ransomware or intellectual property theft, and sometimes aiming to cause broader economic and social harm. To compound the problem, energy companies may end up as collateral damage from an attack not directed at them specifically. An example is the fast-spreading NotPetya malware attack of 2017.
It is natural that this growing level of interconnectivity and complexity can create vulnerabilities and malfunctions that sabotage the energy sector and impact the broader economy. Take the recent widespread blackout impacting approximately 48mn people in Argentina and Uruguay. While the cause remains unknown, destabilisation of the grid led almost immediately to the power being cut. Trains and subways were halted, traffic lights did not function, and the water company’s distribution system was compromised. The havoc wreaked was massive.
So how do organisations tackle this challenge? For starters, they must consider external communications and what information needs to be communicated to regulators, police, government officials, as well as other business stakeholders, including insurers. The timing of information-sharing is critical.
Organisations need to think thoroughly about how to communicate and report breaches. Response plans should include preliminary drafts of communications to all stakeholders, including customers, suppliers, regulators, employees, the board, shareholders, and even the general public. However, in MENA, mandatory notification applies only where GDPR is in scope or where an organisation is listed on a stock exchange that mandates notification.
In the US, the Department of Energy and the Federal Energy Regulatory Commission are both restructuring the rules for utilities to report grid cyberattacks to regulators and are broadening the definition of what constitutes a reportable incident. The format and timeliness of communications to customers, staff, and the media are also essential. The US GridEx 2017 exercise is conducted for utilities to demonstrate how they would respond to and recover from simulated coordinated cyber and physical security threats and incidents, and to bolster their crisis communications relationships. A key lesson from it was the need to focus on social media in external communication procedures and on how to address misleading or false information on social channels.
Bear in mind that if the risks of cyberattacks on energy companies were substantial before, they are now, with the evolving digitalisation of the energy industry, even higher and more difficult to communicate and manage. As the digitalisation of the energy industry continues, so will its reliance on interconnectivity, and with it the potential for cyberattacks and data and financial losses; this should remain a key concern for energy executives. Building and maintaining dynamic resilience must be a continuous exercise. A regular cadence of exercises will develop an organisation's muscle memory to respond and help identify when and how overall digital resilience can be strengthened.
Next, organisations can run simulated scenarios to consider and test assumptions about existing cyber insurance coverage and traditional property and liability insurance policies, which may neither explicitly include nor exclude cyber risks. Cyberattacks can be costly events and require significant resources to recover from once the immediate crisis is over. In many instances, organisations go through a lengthy and costly forensic recovery effort requiring specialist expertise to recover data that has been corrupted, manipulated, or rendered inaccessible.
Given the amount of disruption these attacks can cause, cyber insurance can play a foundational role in recovering direct costs. These can include: business interruption loss (e.g., loss of profit or increased costs of working during the period of downtime and any additional specified period); incident response costs (e.g., notification costs, call centre costs, credit monitoring costs, and public relations costs); IT forensics; replacing damaged hardware; digital asset restoration; damage to persons or real property; and even cyber ransom and extortion costs.
Insurance should be viewed as a critical component in strengthening a dynamic resilience framework. The process of renewing or purchasing cyber insurance coverage supports the development of baseline capabilities and the other elements of dynamic resilience, as insurers can share aggregate lessons learned and recommend opportunities to strengthen resilience.
Since 2016, Marsh & McLennan and Swiss Re Corporate Solutions have been working with the World Energy Council to improve the resilience of the energy sector as part of a broad research programme. This has included a focus on strengthening digital and cyber resilience with the development of cyber scenarios and hypothetical gaming approaches that can be used by the Council’s members.
All in all, the importance of cyber insurance cannot be overstated. Cyber-attacks will continue to grow as the energy sector becomes more digitally connected, and it is nigh on impossible to predict them or completely prevent them. This is the reality of today's world. In my opinion, the best organisations can do is to be prepared for such eventualities.