The overlooked non-financial risks of a cyber-attack

More than ever before, organisations are aware of the potential financial impact of a cyber-attack. Many wrongly assume that the steep monetary burden of a cyber-attack (exacerbated by new, higher fines under the GDPR) is exclusively tied to damaged digital assets, lost records, and the price of investigating and reporting a breach. While those expenses represent a considerable hit, damage to an organisation’s physical assets can be just as harmful.

Cyber-attacks that cause physical damage typically occur when a hacker gains access to a computer system that controls equipment in a manufacturing firm, refinery, power station or similar operation. After the hacker gains access to an organisation’s machinery, they can then control that equipment to damage it or other property.

These types of events can lead to major disruptions and costly damages. To safeguard their physical assets, it’s critical that organisations understand what types of businesses and assets are exposed to these attacks.

What’s at Risk?

To better understand what kinds of physical losses can occur following a cyber-attack, it’s helpful to compare them to the losses from a natural disaster or other industrial accident. Following these kinds of incidents, organisations often incur costs to repair and replace damaged equipment in addition to any lost revenue caused by the disruption.

Unlike natural disasters, however, cyber-attacks that cause physical damage aren’t limited to a geographic location and can impact an entire network. This means that damages caused by a breach can be widespread, affecting multiple sectors of the economy depending on the target.

Because of this, cyber-attacks that cause physical damage are often dynamic and extensive. When an attack on critical infrastructure occurs, it not only affects business owners and operators, but suppliers, stakeholders and customers as well.

When discussing these attacks, many experts cite power and energy sector organisations as the most at risk. However, vulnerabilities also exist in utilities, telecommunications, oil and petrol, petrochemicals, mining and manufacturing, and any other sectors where industrial control systems (ICSs) are used.

How Do I Protect My Organisation?

Insurance cover for cyber-attacks that cause physical damage is still in its infancy, and your organisation may have gaps in protection. Even if your commercial property insurance policy includes physical or non-physical damage cover, that does not necessarily mean you’re covered for first- or third-party losses from cyber-attacks.

The level of protection your company has depends largely on the structure of your policies. As such, it’s critical for businesses to do their due diligence and understand if their policies do the following:

  • Impose any limits on cover, particularly as it relates to physical damage of tangible property
  • Cover an attack and any resulting damages
  • Provide contingent cover for attacks that aren’t specifically targeted at the organisation

While it’s important to speak with a qualified insurance broker about your cyber-risk policy options, there are a number of steps businesses can take by themselves to protect their physical assets. In addition to implementing a cyber-risk management plan, businesses should consider doing the following to protect their data:

  1. Keep all software up to date.
  2. Back up files regularly.
  3. Train employees on common cyber-risks and what they should do if they notice anything suspicious.
  4. Review your exposures and speak with your insurance broker to discuss policy options for transferring risk.