Cyber risks in the aluminium industry

In the previous publication we commented on how C-suite executives have become increasingly concerned about cyber attacks because of the growing reliance on remote workers.

Whilst most industries view cyber risk through the lens of data breach, the aluminium industry is exposed to that type of cyber-attack as well, with the added danger of attacks that cause damage to physical systems.

Whilst the true number of cyber events causing property damage is unknown, because there is little regulation requiring such incidents to be reported, several major incidents demonstrate the capabilities of attackers.

The 2010 Stuxnet attack on the centrifuges of Iran’s uranium enrichment facility demonstrates the threat from what is believed to be nation state actors and the potential physical damage caused by a cyber-attack.

In December 2014, the German Government's Federal Office for Information Security released its annual findings report[i]. One particularly worrying incident it referenced was a malicious actor infiltrating a German steel mill. Once the attackers had navigated their way from the corporate network to the plant network, they altered critical process components, resulting in a loss of control and, eventually, massive physical damage to the plant as well as to the individual control system components.

In February 2020, Kobe Steel announced that its systems had been penetrated by a nation state actor in both 2015 and 2016, with malware subsequently left on its systems[ii].

The most relevant example for the aluminium sector is the 2019 ransomware attack on Norsk Hydro, which illustrates the most common motivator for attacks in 2019/20: financial gain.

On 19 March 2019, 22,000 computers were hit across 170 different sites in 40 different countries. The entire workforce of 35,000 people had to resort to pen and paper. Production lines shaping molten metal were switched to manual operation, and in some cases long-retired workers came back in to help colleagues run things "the old fashioned way". In many cases, though, production lines simply had to stop. The company confirmed[iii] the cost of the incident at between £45M and £65M, with a cyber insurance policy in place to transfer aspects of the cost.

While many companies may have considered their exposure to a cyber event, they may not have considered purchasing a standalone cyber insurance policy, and they will not have looked at the impact of a cyber event on their wider insurance portfolio.

A traditional cyber policy would likely exclude coverage for ensuing property damage, and property policies are increasingly excluding cyber events from their coverage. This is especially relevant where a cyber event can stop a production line, with subsequent physical damage to equipment from rapidly hardening liquid metal.

Following the major NotPetya and WannaCry ransomware incidents of 2016 and 2017, in which global property insurers suffered nearly USD 3bn of losses[iv] from these cyber-events, global regulators and reinsurers have insisted that all markets take steps to reduce the unintended exposures caused by non-affirmative or 'silent' cyber coverage in their policies.

Lloyd's of London has issued a directive requiring that all first party property damage policies incepting on or after 1 January 2020 address cyber without ambiguity, on either an affirmative or a non-affirmative basis. Other global insurers, such as AIG group and AXA XL, have followed suit.[v]

With the changes in the global reinsurance market, more clients should expect to see their insurance portfolio affected by cyber exclusions. This challenges companies to carry out a detailed assessment of their risks so that non-affirmative cyber risk is accurately identified and managed, and it is vital that firms receive advice on the risk and insurance implications from their broker. Some lines of business have a greater exposure to silent cyber than others, whilst other lines carry a lower non-affirmative risk. As well as the well known CL380 exclusion (prevalent amongst energy and marine policies), there are a number of other exclusions across various lines of cover that relate to cyber impacting other policies.

The cyber market has demonstrated its ability to pay complex cyber losses, and in 2020 a number of leading markets confirmed that they are able to provide cover for subsequent physical damage and debris removal as an extension to their cyber solutions. Limits available range from £50M to £150M depending on the insurer, enabling companies to transfer their real concerns to the insurance market.

Gallagher, as an insurance broker, is here to advise companies on how to map their exposures and transfer their risk using both captives and direct insurance.

The Major Risks Practice of Gallagher is a Sponsor of ALFED. For more information, please contact Bill Makin, Executive Director: Bill_Makin@ajg.com.

This information is not intended to constitute any form of opinion or specific guidance, and recipients should not infer any opinion or specific guidance from its content. Recipients should not rely exclusively on the information contained in the bulletin and should make decisions based on a full consideration of all available information. We make no warranties, express or implied, as to the accuracy, reliability or correctness of the information provided. We and our officers, employees or agents shall not be responsible for any loss whatsoever arising from the recipient's reliance upon any information we provide, and we exclude liability for the statistical content to the fullest extent permitted by law.

Arthur J. Gallagher Insurance Brokers Limited is authorised and regulated by the Financial Conduct Authority. Registered Office: Spectrum Building, 7th Floor, 55, Blythswood Street, Glasgow, G2 7AT. Registered in Scotland. Company Number: SC108909

[i] https://www.bbc.co.uk/news/technology-30575104

[ii] https://www.bleepingcomputer.com/news/security/japanese-defense-contractors-kobe-steel-pasco-disclose-breaches/

[iii] https://www.hydro.com/en/media/on-the-agenda/cyber-attack/

[iv] https://www.bloomberg.com/news/features/2019-12-03/merck-cyberattack-s-1-3-billion-question-was-it-an-act-of-war

[v] https://www.lmalloyds.com/LMA/News/LMA_bulletins/LMA_Bulletin_2013/LMA19-031-PD.aspx