South Africa’s state-owned infrastructure specialist Transnet SOC Ltd. confirmed media reports in July 2021 about an IT breach that affected its operations for a week. Although the company’s systems were operational, the cyberattack disrupted cargo movement. Transnet’s systems were down for a week, but the impact went far beyond the company.
For instance, South African aluminum producer Hulamin reported losses of 2,000 metric tons and 200 million rand (about $12.6 million) in July sales because its shipments were delayed at the Port of Durban. The busy terminal was one of many victims of the data breach. Durban sees 60 percent of South Africa’s freight container traffic, and the cyberattack translated to slower cargo clearance.
Like Hulamin, many metals producers and scrap processors have experienced threats to their systems and data and, in some cases, even physical injury; attacks with physical effects are also called cyber-physical attacks. The number of these incidents seems to have increased since the onset of the ongoing COVID-19 pandemic.
Over the past few years, this sector has made advances in the use of technology, especially to streamline and strengthen the supply chain. However, the threat of cyberattacks has increased alongside those benefits.
A company can take a month or more to recover from a cyberattack, as Nidhi Turakhia, executive vice president at Houston-based Allied Alloys, discovered after her company experienced a cyberattack in March 2020. She highlighted the impact of that incident in a June 2021 webinar hosted by the Washington-based Institute of Scrap Recycling Industries (ISRI). She said it took Allied Alloys almost 30 days to recover six months’ worth of stolen data after the company’s IT department reported the cyberattack.
Stronger measures against cyberattacks also are evidenced through a June 2021 report, which revealed that about 12 percent of the world’s metals and mining CEOs listed cyberthreats in their top 10 priorities in 2020. This is down from 14 percent in 2019 and 21 percent in 2018.
Still, Tim Berg, vice president of business development at Murrysville, Pennsylvania-based Applied Systems Associates (aSa), says issues with cybersecurity likely will grow, given the copycat mentality. If one attacker sees monetary gain, others also will try.
Berg has witnessed many of his clients fall victim to cyberthreats, which include ransomware or malware that corrupts machinery, power supplies, production lines and vehicles; data breaches or cyber espionage that can corrupt software; and phishing emails.
To get systems functional as soon as possible after a cyberthreat, Fred Dawson, aSa’s technical specialist, and Turakhia recommend companies invest in cloud storage solutions, multifactor authentication, data backup and disaster recovery strategies. However, on the ISRI webinar, Turakhia stressed that an appropriate cyber insurance policy really can help to secure a firm.
The case for cyber insurance
The question arises, however, as to whether cyber insurance is coverage or leverage. According to many insurers, it certainly has transitioned from being niche to necessary as organizations have started to realize its importance. The benefits of working with cyber insurance providers are twofold, as they can help recover both operations and finances. Businesses also can protect their value and reputation if they are insured against such attacks.
Finding a true protection policy, however, is complex. That is why providers do not recommend a one-size-fits-all solution. Even so, various aspects may or may not be covered. If you are paying a hefty premium, it is essential to know the extent of your coverage.
Exclusions can vary, but a typical cyberattack coverage plan might not offer protection in a number of areas:
- Anticipated loss – This includes any profit shortfalls in the future because of current downtime.
- Physical injury or damages resulting from cyberattacks – These can happen, especially with firms that have equipment that is remotely enabled.
- Intellectual property theft – This comes under cyber espionage, where an attacker can potentially hack their way into a producer’s pricing data or innovative ideas.
Financial compensation and data recovery are the two primary inclusions in any regular cybersecurity policy. Insurers might offer customized solutions:
- Network or privacy threats – A breach that harms a company’s server or siphons off sensitive information, such as client invoices or shipments, falls under this type of coverage. Such breaches can take place through ransomware or a business email compromise. An organization can claim damages incurred toward recovery and peripheral expenses, such as legal, public relations and IT forensics.
- Virtual business interruption – aSa’s Berg says data recovery immediately after an attack is horrific and leads to immediate losses. An outage can result in sales and revenue losses that can be claimed under this coverage, which is also called business interruption recovery or a waiting period.
- Media or advertising liability – This cover excludes patent infringement losses but protects a company against false advertising and might include social media posts.
- Reputation damage – This isn’t a quantifiable cost, so only limited insurance providers might offer this type of protection. The purview of this clause also will vary. Some providers will cover only brand aversion costs while the threat remains, whereas others might also include media expenses incurred to recover a company’s image.
- Bricking – This coverage is hyper-customized and will compensate for hardware or devices that are rendered useless like a mason’s brick. However, it is essential to know whether the extent of coverage includes a business owner’s or employees’ personal devices and subsequent upgrade after an attack.
- Vendor or third-party services – If a company uses external software or cloud solutions, such as web hosting, customer service management or emails, the policy might cover disruption or damage to these services.
Should cyber insurance become mandatory?
Metal and scrap companies are on the fence regarding this question. Many recommend having a blanket policy starting at $1 million, while some businesses opt for customized coverage.
Berg says cybersecurity needs to be a proactive decision, with consultants and businesses optimizing the best possible redundancy solutions to avoid or minimize cyber risks in the future. His company specializes in providing customized cloud-based solutions that can minimize virtual threats.
Insurance providers do their best to provide coverage, keeping in mind that cyber thieves are getting smarter and evolving with time. However, the heart of the problem is faster recovery. While businesses have varied requirements, Turakhia says having support teams to handle negotiation and IT forensics, and legal experts on standby from the insurer’s end, would greatly improve security against future cyberthreats.
Explore the Winter 2022 Scrap Recycling Issue