2016 Business Insurance Risk Summit Observations

On March 22 to 23, 2016, I attended the Business Insurance (BI) Cyber Risk Summit in New York City. I believe getting the message out about Industrial Control Systems (ICS) cybersecurity to the insurance industry and to Wall Street rating agencies is very important as they can influence end user behavior where attempts at regulation have not succeeded.

There were approximately 120 attendees. Most of the discussions were around IT risk. The ICS issues were new to many (I presented at a previous BI conference in September in San Francisco).

A few of the key points were:

    • ICS cyber incidents are real and can be very costly
    • There is minimal ICS cyber forensics or appropriate training, so many ICS cyber incidents will not be identified as cyber
    • Loss control engineers generally are not trained to address ICS cybersecurity
    • The recent Ukrainian cyber attack should be a wake-up call to risk managers as it can happen here. Most U.S. utilities are unprepared, and the attack vectors can also impact other industries.

There was progress as we had a lunch breakout on power grid hacking that someone else had proposed. The breakout session noted the following:

    • It will take time before the cause is known (was it really cyber?)
    • If there is no damage, it could take 2-3 days before power is restored
    • Restoration will be on a priority basis based on life safety, etc.
    • Restoration teams are preassigned
    • Maintain order in the workplace
    • Transportation can be an issue due to road/bridge closures (need prearranged passes for utility vehicles)
    • Alternate communications (and batteries) need to be available - AM/FM radio, satellite phones, etc.
    • Crisis management needs to be strengthened for cyber
    • Manual back-ups need to be available and crews need to be trained to use them
    • Lack of mutual aid can be an issue if there are cyber attacks against multiple utilities

There was a session on securing supply chains. The three speakers viewed supply chain in its “retail concept”: that is, workplace injuries in “sweat shops” in Southeast Asia and other “supply chain” impacts such as delays in getting finished goods to the retailer. ICS supply chain issues, such as where the computer chips come from and what is embedded in them, were not discussed.

This was a great opportunity for the insurance and risk managers to get an initial understanding of the issues associated with ICS cyber security and what it can mean to insurance risk.

—Joe Weiss