The session was called “So You’re Not a Retailer, You’re Still a Target (pun intended),” which not-so-subtly makes the point that cyber risk is a threat to B2B businesses just as much as it is to retailers and other B2C enterprises. A key point that the panelists made was that even if your business doesn’t have customer data or payment information, cyber risk is still a major exposure for you.
Okay, who hasn’t heard by now that their organization needs to take cyber threats more seriously? I think attendees really sat up and took notice, however, when the panelists began talking about the many surprising forms cyber attacks and events can take. A particularly illustrative example of that was the exposure that manufacturers can have in their industrial control systems, where cyber attacks have led to unanticipated first-party damage to physical property.
In one example, cited here, hackers disrupted the control systems at a German steel mill, preventing a blast furnace from shutting down. The details of the physical damage aren’t publicly known, but the report by German authorities characterized the damage as “massive.”
Here’s where it gets interesting for risk managers: From the inception of cyber coverage, most policies have been focused on third-party loss scenarios like network breaches or viruses. “The goal was to cover a company for the liability it incurred due to a cyber event rather than its own losses,” as the report cited above notes. The upshot? The “massive” damage may well have gone uncovered even if the insured had cyber coverage.
I took away three key lessons from the session:
My sense of the mood at the Cyber Security Summit was that many of the attendees were feeling a bit overwhelmed with all the information and scenarios being thrown at them. However, Ventiv’s advice (based on our long experience in the world of risk management systems, claims management systems and safety management systems) is to address cyber risks like you would any other: set relative goals that your organization can meet, and continue to improve incrementally from there. As we’ve said before, analyze your biggest cyber exposures and set priorities around them. Then keep calm and carry on.
Stephen Rhee is CEO of Ventiv Technology. Contact Stephen at Stephen.Rhee@Ventivtech.com.