Manufacturers not only are at risk of having their own information compromised, but they could be liable for putting their customers at risk, too. And failure to address such issues could result in regulatory fines even before an attack occurs. Abbott Laboratories was warned by the U.S. Food and Drug Administration in January that its defibrillators and pacemakers could be manipulated by hackers. The FDA had said in a letter that if the company didn’t immediately correct the violations, its actions could include “seizing, injunction and civil monetary penalties.”
Cyber insurance often has been purchased by hospitals, financial service providers and retailers to protect customer information against theft. But more companies are tailoring policies to manufacturers now that threats against the industry are rising. According to insurance consulting firm Advisen Ltd., manufacturers pair more than $36 million in premiums for cyber insurance policies in 2016, up nearly 90% from the year before.
David Steiner, enterprise risk manager at Kimberly-Clark Corp., said the company began buying cyber insurance in 2009. “There’s certainly an increased exposure in the industry overall, especially with more reliance on cloud providers, greater sophistication of hackers globally and increased consumer interactions through social media,” Steiner said.
Erik Dobkin, director of insurance and risk management at Merck & Co. also said that as business becomes more connected, there’s barely an area of the business “that isn’t touched by this.”
The risks that manufacturers face can differ from other industries, however. Coverage of policies can vary, but it most often includes a number of third-party liability coverages for damages incurred due to loss of data. This can include fines, penalties, remediation costs, intellectual property, business income and errors and omissions. General liability and property policies typically feature exclusions from some of the most prevalent cyber risks, and manufacturers usually need a dedicated cyber insurance policy to attain end-to-end protection.
Arthur J. Gallagher recently announced a new custom insurance product to protect what it calls a “perfect storm” of cyber attacks against the manufacturing industry. The Manufacturer’s Cyber Policy protects against property damage and bodily injury resulting from a control system interruption. There’s also coverage for contractual penalties, contingent direct supplier interruption, and any increased costs of working due to a cyber attack.
The company’s white paper on the issues says that while manufacturers’ process control and systems have long been deemed “impenetrable” due to their proprietary and customized networks, digitization has opened the door to theft of proprietary information. It also notes that growth in IoT applications will further increase the risks. Many of these devices are connected to industrial control systems which were originally built without the sophisticated security measures in today’s devices.
“All these factors make manufacturers’ industrial control systems particularly vulnerable to cyberattack,” the paper said.