As middle-market industrial companies adopt new technologies to become leaner and more competitive, they may be exposing themselves to risks they may not fully understand.
The risks connected with new technologies, of course, come from their internet connections, exposing virtually all aspects of an enterprise to cyberattack. Where cybersecurity once focused on strengthening a company’s perimeter, this approach has become less effective as companies not only are more porous due to their greater connectivity, but also because hackers’ methods and targets are constantly evolving.
Today, cybercriminals increasingly avoid businesses that holistically protect themselves, such as those in the financial, retail and healthcare sectors, and are finding success among companies that until now have considered themselves below the radar of public attention — such as middle-market industrial companies. When attacked, these companies can suffer financial loss through theft or extortion, as well as losses due to interference with production, damage to corporate reputation, and harm to employees’ health and safety, as well as that of community residents.
To deal with these issues, industrial companies should align their cyber oversight to their unique risk profile and work to incorporate and reinforce cyber risk mindfulness throughout the enterprise. Companies must develop policies to protect and monitor their systems, as well as develop plans to minimize damage if those systems are breached. For example, they should establish standards and rules so that intelligent systems stop connecting with each other and lock into safe mode when abnormalities are detected.
Based on our experience as a long-time risk consultant to a variety of businesses, here are some basic recommendations for industrial companies to help manage cybersecurity risks:
Conduct a risk assessment. The first step in developing procedures to evaluate the specific risks related to a company’s operations and business is to conduct an enterprise-wide assessment that includes participation from a cross-section of the company. There should be representatives from IT, legal, the risk team, operations, finance and business development.
Make the process ongoing. Because of the evolutionary nature of cyber threats, cyber risk management must be interactive and iterative. It must be viewed as an ongoing process that is part of normal operations, and be broad enough to encompass the people, processes, and technologies that constitute information and management systems.
Don’t look for an off-the-shelf solution. Unless a company develops its own specific risk matrix, it will waste time and resources on mitigation tools that will not adequately or comprehensively protect the company.
Develop control and mitigation processes. These require properly considered processes that are security driven, a properly configured set of technology security controls, and a security-conscious and knowledgeable workforce.
Companies also should consider transferring some of their cyber risk to an insurance company. If used properly, cyber insurance can be an effective way of managing risk, as long as a company understands its particular risks and vulnerabilities so that it can make an informed decision about the coverage it is purchasing.
Policies vary in their coverage, and the depth of information now being required by carriers from insureds in order to underwrite a policy is far greater than it was just two years ago. Technology vendor governance is a major underwriting consideration and carriers often will require a list of the applicant’s top technology vendors along with more clarity around IT best practices and contract terms.
For small- and medium-size industrial companies, cybersecurity risk can only grow. Fortunately, there are ways to control the risk if management is proactive.
Kimberly Patlis Walsh
President & Managing Director
Kim brings over 25 years of insurance underwriting, program structuring, and multinational client risk advisory representation to her CRS engagements. Prior to joining CRS in 2003, Kimberly served as SVP of AIG’s Mergers & Acquisitions Group, structuring insurance & financial solutions to a variety of corporations (publicly traded and privately held) to limit or transfer liabilities within corporate transactions, recapitalizations, bankruptcies and other M&A situations. While at AIG for over 11 years, she held various positions within various underwriting groups to non-traditional risk transfer/finance insurance to address known risks as well as serving as relationship point to a number of global investment clients, deepening strategic relationships in all asset classes. Previously, Kim was in Investor Relations at a NYSE-listed apparel company, and a paralegal at Fried, Frank, Harris, Shriver & Jacobson.
Kim is active in both the alternative investment community as well as the insurance & risk community. She speaks frequently on a variety of topics related to risk management and insurance. She is involved in RIMS and PLUS. She holds a bachelor’s degree from the State University of New York at Albany.