Playing catch-up with cybersecurity
Cybersecurity risks need help from contracts and insurance beyond technologies, policies, and people. Pretending cybersecurity risks aren’t there isn’t on any list of best practices.
The word on the factory floor—if you are the one person in this industry who still has not heard—is manufacturing processes are vulnerable to hacks. Not from hacks dressed in suits and ties—that discussion is for a different day—but from the ones in hoodies sitting in front of a computer screen or among those sinister ops teams overseas. Those scoundrels will hold data for ransom, steal intellectual property (IP), or turn things on and off for the fun of it. According to the experts, there’s not much standing in their way.
What exactly is the state of the art in hack-resistant sensors and actuators these days anyway? Let’s just be kind and say that in a security sense the automation and robotics industry is still in its adolescence. Or as I recently put it during a panel discussion at CFE Media’s Global Automation in Manufacturing Summit in Chicago at IMTS 2018: “We were at the starting gate a decade ago, but we just didn’t know it.”
So, how does a person managing cyber risk hope to navigate those white-capped waters? There are no easy answers. (Part of the solution, of course, will always be technical, but because I’m an automation and robotics lawyer, not an engineer, you won’t get that solution from me.)
Minimize cyber risk, impact
What you will get are the next-best ideas for consideration, meaning: If the technology cannot (yet) prevent the hack, what can you do to minimize the odds or the impact? Here’s my take:
Wherever possible, address the risk in your contracts. While this is rather obvious low-hanging fruit, it is nonetheless important. If cyber intrusion occurs, be sure to ask:
- What was your company’s contractual connection to the event, even if just via proposal or purchase order?
- Is there any argument that the intrusion happened because there was a vulnerability in your equipment or procedures?
- Could best practices have prevented the intrusion?
If the event is serious enough, all those questions (and more) are likely to be directed at you—and your company will be in a much better place if the answers can be framed by supportive language in the applicable project terms and conditions.
Beyond the scope
If you are the integrator or supplier, it means, wherever possible, generally disclaiming any obligation to prevent or indemnify against cyber intrusion, for the simple reason that this work is (hopefully) beyond the scope of what you were hired to do. If such a broad disclaimer cannot be had, it means at least specifically excluding liability for cyber intrusion to the extent it arises from pre-existing vulnerabilities, including legacy systems or equipment.
Procuring this type of exclusion need not involve use of the provocative words like “cyber,” “hacking,” “intrusion,” “security,” and the like. The optimal protection is an overall limitation of liability for any type of claim. Or, failing that, protection could very well be ensuring that the customer is only liable to the integrator, or vice versa, to the extent there has been some degree of negligence in any kind of work without any mention of those keywords. This leaves the integrator free to contend that the intrusion “was not my fault,” especially if, as is often the case, nowhere in the contract papers is cybersecurity flagged as any sort of deliverable.
If you are an end user, the considerations are very different—unless the integrator is a major company with a significant footprint (which most frequently it is not). Which is to say: for the end user, it matters little whether you can push the contract responsibility to the “other guy” if the “other guy” has no way of paying for the liability or insuring it.
Setting aside for the moment the question of what coverage current insurance products actually provide (the insurance industry is still playing catch-up like the rest of us), end users might begin their analysis of risk by considering what those insurers are looking at.
An examination of applications for cyber insurance coverage can be helpful as a guide for curtailing potential exposure, according to suggestions from my partner Patrick O’Connor.
Among the questions asked:
- How much of the information technology (IT) is outsourced?
- How many names can be found in databases under your control?
- Do you have a third-party endorsement of your privacy processes and practices?
- What is your encryption strategy?
- What physical security strategies are in place to control human access to the servers?
- Do you have a chief security officer?
I am not the one to tell you how the actuaries take all that information and turn it into a premium, but I do know the people who figure out that equation will be the insurance heroes of tomorrow. The larger lesson is more basic: at present, contracts and insurance can only do so much. The cyber “front line,” for now, is in your own company’s ways of doing things.
Mark Voigtmann leads the automation practice at Faegre Baker Daniels, a law firm with offices in the U.S., the U.K. and China. Voigtmann is a member of the Control Engineering Editorial Advisory Board. Edited by Mark T. Hoske, content manager, Control Engineering, CFE Media.
KEYWORDS: Cybersecurity risk mitigation, legalities
Cybersecurity considerations extend beyond technologies to contracts and insurance.
Contract wording can limit liability without sounding ominous.
Ask these questions to broaden understanding of cybersecurity risk.
Beyond technologies, do your contracts and insurance address cybersecurity risk?