News & Media

Top 10 Cyber Risks Facing the Transportation and Logistics Industry

Editorial:
Sarah Brailey
Divisional Director, THB UK Professional Risks London
24th September 2020

No doubt you pride yourself on providing sound risk management advice to your commercial clients. So you talk to your transportation and logistics clients about cyber insurance, yes? You don’t? Then you are far from alone. “Cyber liability is rarely considered in the context of transportation and logistics, even by insurance professionals, and yet like every industry it has exposures to cyber risks” explains Sarah Brailey, head of professional risks at THB. “While transportation and logistics firms work very much in the physical world, they rely on both internal and external networks that are critical to their operations.”

A global example of the physical and cyber worlds colliding came in 2017, when Maersk, the world’s largest container ship and supply vessel operator, was stopped in its tracks by the NotPetya malware and millions of tons of cargo were left in limbo. The ripple effect across the supply chain hit freight forwarding firms, trucking and logistics companies, and manufacturers waiting for deliveries, and Maersk’s own total loss was estimated at US$300 million.

In the UK, according to the Government’s most recent Cyber Security Breaches Survey (June 2020), the threat has both widened and become more frequent: almost half of businesses reported cyber security breaches or attacks in the previous 12 months, yet only 32% reported being insured against cyber risks and only 15% had reviewed the cyber security risks posed by their suppliers. Here is how the THB UK Professional Risks team sees the top 10 cyber risks currently facing insureds in the transportation and logistics sector.

  1. If a firm’s clients or suppliers run their businesses on external computer networks, there is a risk of contingent system failure. Connected systems are only as secure as their weakest link, so if those external networks stop working (or are prevented from working), the firm may be unable to receive or fulfil orders, creating a business interruption loss that a Property policy does not cover.
  2. Simply paying invoices leaves a firm exposed to a social engineering loss. Criminals do not even need to enter the firm’s computer network: they can craft what appears to be a legitimate email from an authorised officer of the company directing the accounts payable department to transfer funds to an account the criminal controls. The criminal may watch social media to learn when that officer is out of the office on holiday and so unable to verify or stop the fraudulent instruction.
  3. Then there is the direct attack on the firm’s own network. If its data is corrupted or altered, a transportation company may be unable to perform its professional service of moving perishable goods from point A to point B, and may be held financially responsible for spoilage, lost shipments and more. This is an area where Professional Liability and Cyber Liability can overlap.
  4. Like other companies, transportation and logistics firms hold the private financial, personal and health information of their employees, as well as account numbers and other protected information belonging to clients. A privacy risk exists even when these records are held on paper, and firms must have appropriate security measures in place to protect this personal data (the ‘integrity and confidentiality’ principle of the General Data Protection Regulation, GDPR); this risk can be covered by a cyber policy. According to law firm Reynolds Porter Chamberlain, which has tracked fines issued by the UK Information Commissioner’s Office (ICO) since 2016, the average penalty for breaching the integrity and confidentiality of personal data has almost tripled, from £73,645 to £216,200, with most of the increase following the GDPR coming into force in 2018.
  5. In addition to GDPR, UK transportation firms that meet the thresholds for designation as Operators of Essential Services are subject to the EU NIS Directive, enacted in UK law as the Network and Information Systems Regulations 2018: the first piece of EU-wide cyber security legislation, aimed at achieving a high common level of network and information system security across the EU’s critical infrastructure. A designated operator found to be non-compliant may be fined up to £17 million.
  6. Brexit will not remove the requirement to comply with GDPR and the NIS Directive (both are retained in domestic law at the end of the transition period), but Brexit could itself be an additional cyber risk for transportation and logistics firms. Logistics UK (formerly the Freight Transport Association), which represents UK members from the road, rail, sea and air industries as well as buyers of freight services such as retailers and manufacturers whose businesses depend on the efficient movement of goods, points out that the new UK-EU relationship will have important consequences for businesses across supply chains, whether they operate globally, at European level or domestically. Firms already under pressure to keep supply chains moving during lockdown restrictions have squeezed budgets and stretched resources, so security is unlikely to be a top priority; at the same time they are being bombarded with emails about planning for the post-31 December 2020 world outside the EU, which increases the risk of falling for phishing attacks that mimic those messages.
  7. Even without the added pressures of Covid-19 and Brexit, few transportation firms have their own well-funded IT department; the function is often outsourced. The outsourced experts may be highly qualified, but they can still make mistakes, and regulators and customers will hold the organisation accountable even when the network security error was made by a contracted IT supplier.
  8. It is common to allow employees to use their own mobile devices at work, to track locations, navigate, coordinate drop-offs and pick-ups, submit invoices and more, but this also puts the company at risk. These devices can be locked by ransomware or fail in other ways, and because they connect to company systems the impact reaches the business.
  9. As well as a hacker deliberately entering a computer network, encrypting data and making extortion demands, authorised employees can make mistakes that destroy or corrupt data. Engaging external IT experts to restore or recreate lost data is expensive, and could be insured under a cyber policy that carries that type of cover. A business interruption loss may also follow from lost or corrupted data.
  10. For transportation and logistics firms that deal with assets in motion, a network intrusion could lead to numerous problems, including traffic accidents, loads exceeding weight limits and hazardous materials being delivered to the wrong destination, all potentially resulting in bodily injury and property damage.
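One concrete control for the social engineering risk in item 2 is a mail-filter rule that holds any payment instruction whose sender identity does not check out, so that accounts payable confirms it by phone on a known number before paying. The following is an added example, not code from the original article or from THB; the company domain, executive directory, keyword list and the three sample messages are all constructed for illustration, and the three identity checks (display-name impersonation, typo-squatted sender domain, redirected Reply-To) are the ones a practitioner would most commonly put in front of the accounts mailbox.

```python
"""Added example: hold-for-verification check for executive-impersonation
("CEO fraud") payment emails. Not code from the original article or from
THB; the company domain, executive directory, keyword list and the sample
messages are constructed for illustration."""
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example-haulage.co.uk"  # assumed firm domain

# Assumed directory: lower-cased display name -> the only address it may use.
EXECUTIVES = {
    "jane doe": "jane.doe@example-haulage.co.uk",
}

# Words that mark a message as carrying a payment instruction (assumed list).
PAYMENT_WORDS = ("wire", "transfer", "bank details", "urgent", "payment")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typo-squatted sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_message(raw: str) -> list:
    """Return the list of findings for one RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    sender_domain = domain_of(addr)
    findings = []

    # 1. The display name belongs to an executive but the address does not.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append("display-name impersonation of executive")

    # 2. Sender domain is a near miss of the firm's own domain (e.g. 'rn' for 'm').
    if sender_domain != COMPANY_DOMAIN and edit_distance(sender_domain, COMPANY_DOMAIN) <= 2:
        findings.append("lookalike sender domain")

    # 3. Replies are silently redirected to a different domain.
    if reply_to and domain_of(reply_to) != sender_domain:
        findings.append("reply-to differs from sender domain")

    # 4. The message asks for money to move.
    body = msg.get_payload().lower()
    if any(word in body for word in PAYMENT_WORDS):
        findings.append("payment instruction in body")
    return findings


def triage(raw: str) -> str:
    """'hold': accounts payable must confirm by phone on a known number before
    acting; 'review': suspicious but no payment ask; 'release': nothing found."""
    findings = check_message(raw)
    payment = "payment instruction in body" in findings
    identity_issue = any(f != "payment instruction in body" for f in findings)
    if payment and identity_issue:
        return "hold"
    if findings:
        return "review"
    return "release"


# Constructed sample messages (not real traffic).
LEGIT = """From: Jane Doe <jane.doe@example-haulage.co.uk>
To: accounts@example-haulage.co.uk
Subject: Q3 delivery schedule

Please find the updated schedule attached.
"""

FREEMAIL_SPOOF = """From: Jane Doe <jane.doe@gmail.com>
Reply-To: Jane Doe <jane.doe.ceo@outlook.com>
To: accounts@example-haulage.co.uk
Subject: Re: supplier invoice

I am travelling and cannot take calls. Please make an urgent wire
transfer of 48,500 GBP to the new supplier account below today.
"""

LOOKALIKE_SPOOF = """From: Jane Doe <jane.doe@exarnple-haulage.co.uk>
To: accounts@example-haulage.co.uk
Subject: Updated bank details

Our haulage subcontractor has changed bank details; please update
the payment record before the next run.
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("freemail", FREEMAIL_SPOOF),
                       ("lookalike", LOOKALIKE_SPOOF)):
        print(f"{label:9s} {triage(raw):7s} {check_message(raw)}")
```

The point of the "hold" verdict is that the control does not try to decide whether the email is genuine; it forces the out-of-band callback that the holiday-timed attack in item 2 relies on skipping. A Reply-To pointing at a different domain is also worth treating as a finding on its own, because it is the mechanism by which the attacker receives the reply while the real executive never sees it.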

Coverages to address the cyber threats facing the Transportation and Logistics Industry

Threats targeting the transportation and logistics sector can come from:
• criminals
• terrorist groups
• hacktivists
• disgruntled or former employees
• nation states
• competitors
• ordinary operational mistakes by the firm’s own network and IT staff

However, there is coverage to help with many of these threats. “Typical elements found in a Cyber Liability policy can potentially address many of these threats” says Sarah Brailey, “and crucially, this coverage is not included in other lines of business such as Property, General Liability or Commercial Combined”. Cyber Liability coverage varies by insurer, but these are some of the elements you should expect to see in a Cyber policy:

Cyber business interruption and data recovery: to recover costs resulting from a network interruption, including lost revenue and data.
Cyber extortion and ransomware: to recover costs resulting from an extortion event, including paying a ransom demand and getting the network back online.
Network security liability: to cover claims against the organisation when its own network is used to harm others, or has been used by hackers as a route into a trading partner’s network.
Privacy liability: to cover first-party expenses arising from a privacy breach, such as services designed to reduce loss to the potential victims (e.g. notification expenses, credit monitoring, identity fraud resolution, call centres, breach coaches, IT and legal forensics), as well as public relations support to protect the firm’s reputation.
Regulatory fines and penalties: to cover the cost of defending against regulatory action arising from violations.
Social engineering: to cover the insured’s loss of funds if an employee is tricked by a cyber-criminal into wiring funds to the wrong account.

Cyber Risk Management Tools

In addition to reactive insurance coverage, it’s also important to consider the various risk management tools available free or at a discount as part of some cyber liability policies, such as:
• Social Engineering spoof tests and training
• Network penetration testing
• Table-top exercises to practice preparedness
• Network traffic threat scoring
• Cyber threat information and template portals
• Free hotlines that allow network security professionals to ask configuration questions

Conclusion

Transportation and logistics firms have meaningful cyber risks that differ from those of other industries, so who can help them address these risks? “THB UK Risk Solutions has specialists in both cyber and transportation who work together frequently, so we’re well suited to placing these unique risks” suggests Sarah Brailey. “We have the largest specialist fleet team in the London market, and we have great relationships with cyber underwriters so for complex risks we can present the business personally and create a tailored solution. We’ve also been developing products in this area for some time so can also offer quick and cost-effective packages which we find are popular with smaller firms.”


Further useful references:
https://www.ncsc.gov.uk/collection/10-steps-to-cyber-security Used by the majority of the FTSE350, the UK National Cyber Security Centre’s “10 steps to cyber security” breaks down the task of defending a firm’s networks, systems and information into its essential components, providing advice on how to achieve the best possible security in each of these areas.
https://www.ncsc.gov.uk/cyberessentials – Cyber Essentials is a simple but effective Government-backed scheme that helps businesses of all sizes to protect themselves against a whole range of the most common cyber attacks.


With thanks to David Lewison, Professional Lines Practice Leader for AmWINS Group, Inc. For more insights from AmWINS on emerging issues and industry trends, visit amwins.com/insights 

Views expressed here are for general guidance and do not constitute legal advice. Coverage afforded under any insurance policy issued is subject to individual policy terms and conditions.