Cyber security insurance

Legalities: Don’t think the threat of industrial security breach isn’t real. Now there’s insurance to help mitigate financial risks related to cyber security and other threats to control system integrators and their clients.

06/29/2012


Control system integrators (CSIs) are playing an increasingly important role in helping our world go round. In fact, it would be difficult to find a person not touched in some way by the work CSIs do. But the insurance industry has been slow to understand and accommodate this industry, meaning most CSIs are buying policies that are unsuitable for them; many policies fail to address and even exclude coverage for some of the basic exposures CSIs face, including cyber security threats.

As parts of the world develop and we all become increasingly reliant on control systems of all kinds in our everyday lives, it will be more important than ever that these gaps are addressed. So let’s go back to the basics by exploring what types of coverage CSIs should really be on the lookout for.

Breach of contract

The single biggest risk facing CSIs is breach of contract. Control systems such as industrial control, manufacturing execution, and plant automation systems, even in their simplest forms, are critical to business success. Delivery delays and not delivering in accordance with what clients expect are two major exposures here. If a client experiences a loss of income due to a delay, error, or even a simple misunderstanding, one can expect the client to claim these costs back from the systems integrator.

The problem is that insurance policies very often have an exclusion for contractual liability. Most professional liability (PL) policies, also known as errors and omissions insurance, were written for traditional professionals like doctors and lawyers, where there is a clear duty of care between the insured and their client, and therefore the contract is merely implied. For CSIs, contracts are central to the way work is undertaken. Take care when looking at this part of a policy to ensure that contractual liability is covered.

Bodily injury, property damage

CSIs use industrial automation equipment and software in the implementation of projects across many industries. A risk arises when these components end up in operational situations that can give rise to bodily injury or property damage. Examples include everything from malfunctioning theme park rides to faulty drilling systems in use on oil rigs, as demonstrated by the Deepwater Horizon oil spill in 2010.

Frequently, professional liability policies only include financial loss, so it is vitally important for CSIs that their PL policy is extended to include contingent bodily injury and property damage. Ideally, the professional and general liability coverage would be combined in the same policy in order to avoid the potential for gaps in coverage or arguments arising between insurers. It is also essential that policies do not contain any definitions of technological activities that could restrict coverage.

Cyber threats

An emerging but already very real risk for CSIs is the threat of a cyber attack. Highly sophisticated hackers are increasingly targeting control systems in order to cause major disruption, whether motivated financially or ideologically. A good example of the latter is the Stuxnet virus, which was used in 2010 to disable an Iranian nuclear power plant. The ability to cause havoc from afar is incredibly attractive to terrorist organizations, national defense departments, hackers with a point to prove, and many others.

Indeed, Norton predictions indicate that 2012 will be the worst year so far for hack attacks, fuelled in part by so-called “hacktivist” protest attacks and cyber terrorism.

With clients increasingly seeing their control systems being the target of cyber attacks, it is inevitable that they will seek to recover any losses through a claim against the integrator. As a result, it is more important than ever to ensure that any terrorism exclusion in a professional or general liability policy is amended to ensure that coverage is still provided for cyber attacks.

Although the insurance market has been slow to catch up with the evolving needs of CSIs, this is changing. Specialist insurance policies that have been tailored specifically to address the risks outlined above are available through groups like the Control Systems Integrators Association.

Also see July cover story on cyber security.

- Graeme Newman is director of CFC Underwriting and discussed insurance with Control Engineering at the CSIA 2012 Executive Conference. Edited by Mark T. Hoske, content manager CFE Media, Control Engineering, Plant Engineering, and Consulting-Specifying Engineer, mhoske(at)cfemedia.com.

www.cfcunderwriting.com 

www.csia.org 

ONLINE extra

Search “Legalities” atop www.controleng.com for other engineering legal discussions.


