Cyber security insurance

Legalities: Don’t think the threat of industrial security breach isn’t real. Now there’s insurance to help mitigate financial risks related to cyber security and other threats to control system integrators and their clients.

By Graeme Newman June 29, 2012

Control system integrators (CSIs) are playing an increasingly important role in helping our world go round. In fact, it would be difficult to find a person not touched in some way by the work CSIs do. But the insurance industry has been slow to understand and accommodate this industry, meaning most CSIs are buying policies that are unsuitable for them; many policies fail to address and even exclude coverage for some of the basic exposures CSIs face, including cyber security threats.

As parts of the world develop and we all become increasingly reliant on control systems of all kinds in our everyday lives, it will be more important than ever that these gaps are addressed. So let’s go back to the basics by exploring what types of coverage CSIs should really be on the lookout for.

Breach of contract

The single biggest risk facing CSIs is breach of contract. Control systems such as industrial control, manufacturing execution, and plant automation systems, even in their simplest forms, are critical to business success. Delivery delays and not delivering in accordance to what clients expect are two major exposures here. If a client experiences a loss of income due to a delay, error, or even a simple misunderstanding, one can expect the client to claim these costs back from the systems integrator.

The problem is that insurance policies very often have an exclusion for contractual liability. Most professional liability (PL) policies, also known as errors and omissions insurance, were written for traditional professionals like doctors and lawyers, where there is a clear duty of care between the insured and their client, and therefore the contract is merely implied. For CSIs, contracts are central to the way work is undertaken. Take care when looking at this part of a policy to ensure that contractual liability is covered.

Bodily injury, property damage

CSIs use industrial automation equipment and software in the implementation of projects across many industries. A risk lies when these components end up in operational situations that can give rise to bodily injury or property damage. Examples include everything from malfunctioning theme park rides to faulty drilling systems in use on oil rigs as demonstrated by the Deepwater Horizon oil spill in 2010.

Frequently, professional liability policies only include financial loss, so it is vitally important for CSIs that their PL policy is extended to include contingent bodily injury and property damage. Ideally, the professional and general liability coverage would be combined in the same policy in order to avoid the potential for gaps in coverage or arguments arising between insurers. It is also essential that policies do not contain any definitions of technological activities that could restrict coverage.

Cyber threats

An emerging but already very real risk for CSIs is the threat of a cyber attack. Highly sophisticated hackers are increasingly targeting control systems in order to cause major disruption, whether motivated financially or ideologically. A good example of the latter is the Stuxnet virus, which was used in 2010 to disable an Iranian nuclear power plant. The ability to cause havoc from afar is incredibly attractive to terrorist organizations, national defense departments, hackers with a point to prove, and many others.

Indeed, Norton predictions indicate that 2012 will be the worst year so far for hack attacks fuelled in part by so called “hacktivist” protest attacks and cyber terrorism.

With clients increasingly seeing their control systems being the target of cyber attacks, it is inevitable that they will seek to recover any losses through a claim against the integrator. As a result, it is more important than ever to ensure that any terrorism exclusion in a professional or general liability policy is amended to ensure that coverage is still provided for cyber attacks.

Although the insurance market has been slow to catch up with the evolving needs of CSIs, this is changing. Specialist insurance policies that have been tailored specifically to address the risks outlined above are available through groups like the Control Systems Integrators Association.

Also see July cover story on cyber security.

– Graeme Newman is director of CFC Underwriting and discussed insurance with Control Engineering at the CSIA 2012 Executive Conference. Edited by Mark T. Hoske, content manager CFE Media, Control Engineering, Plant Engineering, and Consulting-Specifying Engineer, mailto:mhoske@cfemedia.com.

www.cfcunderwriting.com 

www.csia.org 

ONLINE extra

Search “Legalities” atop www.controleng.com for other engineering legal discussions.