Recently, it's become almost impossible for Manufacturers to purchase cyber insurance here in the US.
At face value this seems odd; they rarely hold PII/PHI/PCI. Maybe they fall under CMMC, but that's circumstantial and not really enforced at the moment. Surely, they have trade secrets and proprietary information, but it's hard to put a dollar figure on those intangibles. So why is getting a policy or keeping one so difficult?
Following a cyber event (data breach or ransomware) the largest costs are going to be business interruption, extortion payment if applicable, forensics, and attorney - generally in that order.
Let's say you're a CPA firm and you fell victim to a ransomware event. You have to be down for a long time to evidence true business interruption costs. Cyber insurers rationalize this by saying that you can always do that tax return a few weeks later. There may be some reimbursement for overtime costs, but that pales in comparison to the cost of business reimbursement.
Now, let's say you're a manufacturer that makes widgets. You fall victim to a ransomware attack.
Business interruption reimbursement costs can be astronomical. When evidencing business interruption costs for a manufacturer it's generally as simple as saying, "When I make this widget it is sold for $X. With my systems down I was unable to sell my widgets so now I want reimbursement for that loss." Cyber insurers don't really have any pushback. In short, business interruption costs can quickly escalate into the millions.
And the chance of your manufacturing facility being hit with ransomware or some other type of malware is greater than your probably realize. A recent report by Morphisec estimates one-in-five manufacturing companies in the U.S. have been the victims of cyberattacks over the last 12 months. And on top of that, the ransom amounts demanded have tripled.
Additionally, manufacturers are becoming notorious for social engineering losses. This is because they tend to push around large dollar figures on a regular basis. A simple phishing email designed to look like an invoice from a vendor could introduce this type of attack.
In turn, this means that manufacturers must evidence an increasingly strict cybersecurity posture and control set to even qualify for cyber insurance (or if they have a policy, in order to renew it).
So, what do you, an Idaho manufacturer do? You will need to meet with your IT department or managed IT services partner to evaluate your current cybersecurity standing. Then create a roadmap to fill the gap between your current cyber posture and what is now required by insurance carriers. Hint: a good place to start is with CIS Controls.
If you are feeling lost on where to start when it comes to cybersecurity, cyber insurance, or cybercrime prevention, give us a call. You can also download our new eBook Cybersecurity Essentials for Business Owners, which goes over basic cyber hygiene, cyber response frameworks, and the CIS Controls.
This article was written in collaboration with Joseph Brunsman of Brunsgroup.