[BreachExchange] Cyber Insurance Becomes a Must for More Manufacturers

Mon Apr 17 18:52:48 EDT 2017

https://www.wsj.com/articles/cyber-insurance-becomes-a-
must-for-more-manufacturers-1492426801

Abbott Laboratories ABT 1.50% was pilloried last week by regulators for, in
part, botching its response to a report that certain company defibrillators
and pacemakers could be manipulated by hackers. Shares of the health-care
giant, which acquired the devices in its purchase of St. Jude Medical Inc.,
fell 1.9%.

The criticism, which came in a warning letter from the U.S. Food and Drug
Administration, casts another spotlight on the fusillade of cyber dangers
facing manufacturers.

For years cyber insurance was overwhelmingly purchased by consumer-facing
business—retailers, financial-service providers and hospitals. Mostly this
was to protect against customer data theft. The St. Jude situation helps
explain why manufacturers are now rushing to make sure they are covered.

Manufacturers paid $36.9 million in premiums for cyber-specific policies in
2016, according to Advisen Ltd., an insurance consulting firm, based on its
sample of over 9,000 mostly U.S. companies. That is up 89% from the year
before. Manufacturers accounted for 12.6% premiums tracked in 2016 compared
with 9% the year before.

“There’s certainly an increased exposure in the industry overall,
especially with more reliance on cloud providers, greater sophistication of
hackers globally and increased consumer interactions through social media,”
said Daniel Steiner, enterprise risk manager at Kimberly-Clark Corp. , the
maker of Kleenex tissues and Huggies diapers. The company began buying
cyber insurance in 2009.

Factories are increasingly computerized, automated and digitally integrated
with other parts of a company and keeping those networks secure is
critical. “It’s hard to think of an area of our business that is not
touched by this, as business is only becoming more connected,” said Eric
Dobkin, director of insurance and risk management at drugmaker Merck & Co.
in an email.

“Nobody should be able to look at themselves in the mirror and say ‘I’m not
exposed to this’,” said Robert Wice, leader for technology, media and
business services of Beazley PLC in the U.S. “It should be top of mind.”

As for St. Jude, a company spokeswoman declined to say whether it carried
cyber insurance to cover the cardiac devices. A 2016 filing said it did not
carry product liability insurance. An Abbott spokesman declined to comment
on whether the company has cyber insurance.

In the event of a cyberattack that shuts down a factory, manufacturers may
not be covered by existing policies. Many property and casualty, or P&C,
policies require physical damage before they pay, explained Ben Beeson,
cyberrisk practice leader at brokerage Lockton Cos.

A wake-up call for manufacturers came in December 2014 when the German
Federal Office for Information Security reported that a cyberattack caused
“massive damage” at a steel plant it didn’t name.The report highlighted how
cyberattacks can be more destructive than prosaic events like floods that
are covered by typical P&C policies.

“When you look at severity, you have to consider they are cyber-based,”
said Brent Pickens, director of global risk management at Bemis Co. Inc., a
maker of plastic packaging that was an early buyer of cyber insurance.

Selecting a cyberpolicy forces manufacturers to set priorities on what to
protect, he said, particularly at larger companies that can have policies
tailored for different plants and situations. “You get the best return out
of [insuring] what is most important for you,” Mr. Pickens added.

The market for manufacturers is young, therefore premiums vary greatly and
are based on revenue, specific lines of business, and the number of records
involved. Premiums range from $10,000 to $15,000 for every $1 million of
comprehensive coverage for manufacturers with $1 billion or more in
revenue, said Michael Blake, part of the cybersecurity practice at Alliant
Insurance Services Inc. That is about half of what retailers and banks pay.

“It’s not a difficult sell,” said Mr. Blake.“There is not a risk manager
out there who wants to walk into a board meeting to explain why he didn’t
think to get a cyber insurance quote, especially since it’s so cheap.”
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170417/c3e60ccc/attachment.html>