The digitalisation of the mining sector is underway, and the industry is primed to transform itself using the industrial internet of things, integrated robotics and artificial intelligence. Advances such as 300-tonne driverless haulage trucks, remotely controlled drilling and predictive analytics for ore deposits are delivering improvements in productivity, efficiency and safety.
But this change does not come without risk. Cyber risk is the new “kid on the block” that risk managers and executives must address in their risk management and insurance strategies.

Changing Cyber risk solutions

The challenge for insurance buyers is that insurance solutions to Cyber risk are themselves changing; for instance, traditional markets such as Property do not yet understand the full potential impact of this risk on their portfolios. A large-scale incident affecting several facilities across borders and continents was simply not contemplated for perils such as Fire and Natural Catastrophe; those losses were, for the most part, isolated from each other. Through a Cyber incident, such correlated losses have now become possible.
Underwriters have therefore moved to either constrain or remove Cyber cover. But they achieve this using a plethora of differently worded - and therefore differently interpreted - Cyber exclusions, and the same dynamic is now occurring in Casualty markets. In parallel, a specialist Cyber market has developed, historically to cover non-traditional risks such as non-damage Cyber Business Interruption, but more recently to close the gap on those exposures now being excluded from traditional markets such as Property. It is within this context that this article explores:
The fundamental challenge in the digitalisation of any system is that security will always lag behind technology. When early operational technology systems were developed, security was not considered important; it was an afterthought. This is changing, but with so many different ways for a Cyber incident to occur, whether internally or externally motivated, it is simply too volatile an issue to go unaddressed within an organisation. Securing systems - or assuming that systems are secure - cannot be considered enough for a company in today’s digital environment; the strategy at the end of the article elaborates on this point.
Several of the key challenges associated with addressing Cyber risk, each worthy of its own article, are illustrated in Figure 1 to the right.

Popular misconceptions

Let’s focus for a moment on the misconceptions surrounding Cyber risk. Most general Cyber concerns across all industries have focused on enterprise information technology (IT). For the mining industry this would not have been a significant issue in the past, the sector being historically more reliant on operational technology (OT). But even IT has now been shown to be a worrying exposure for the industry: it has always been the medium through which highly sensitive corporate communications may be intercepted, employee databases breached or leaked, and malware spread across an enterprise network. This concern has grown during the last few months of the COVID-19 lockdown, as large numbers of staff work from home, accessing private company networks through virtual private networks.
Integration of OT and IT

For the mining industry, the general position has been that critical OT networks are isolated from the internet, but from now on this cannot be relied upon, due to the convergence and interconnectivity of OT and IT. These operational systems, whilst not rich in sensitive data, are open to malware and ransomware. Of more recent concern, however, are the implications of a more advanced form of Cyber event, in which a Cyber actor takes active control of OT with malicious intent. This issue is being driven by the Internet of Things (IoT) and the growing interconnectivity of systems as the physical becomes coupled with the digital. Robotic drills and diggers now operate remotely at the rock face; autonomous haulage trucks travel both above and below ground without driver input; and crushing and smelting processes are controlled with limited human input. The problem is that these connections and processes can fail or be infiltrated.
Just as Cyber risk exists across many different parts of a business, it is also an exposure that exists, often unintentionally, in many different lines of insurance such as Property, Casualty, Marine and Terrorism. This is a significant concern for insurers, since these covers were not designed with such risks in mind.
Coverage clarifications

In recent years, Lloyd’s of London and the company market have taken a cautious approach to this issue. Firstly, the industry itself has sought to clarify the intent of cover and to allocate adequate reserve capacity should a large-scale Cyber event occur. More recently this has been accelerated by concern from regulators and governments. For example, in the first half of 2019 the Prudential Regulation Authority (PRA) directed that UK-based insurers, including those operating through Lloyd’s of London, begin formulating clear, manageable and measurable action plans to address the Cyber exposure in their portfolios [1]. Both the insurance markets and buyers are now seeing the effects of this take hold as we move further into 2020.
Silent Cyber

Following on from the PRA directive, Lloyd’s of London released a market-wide bulletin focused on the issue of silent Cyber. Silent Cyber is non-affirmative Cyber, i.e. where a policy neither expressly provides nor expressly excludes cover and is simply silent as to its existence. The bulletin laid out a timeline for this to take effect: Property policies incepting on or after 1 January 2020 should either clearly affirm or exclude Cyber exposure, while for Liability policies the requirements come into effect in two phases during 2020/2021.
The difficulty here is that while organisations will obtain clarity over whether an insurance policy covers the peril or not, Lloyd’s of London has not been prescriptive as to which approach insurers should take; it has left the decision whether to cover the risk to individual syndicates in the market.

Mind the gap: the clause dilemma

As a result of the movement away from silent Cyber, insurance buyers may now find that Cyber risk which was previously covered - or at least not expressly excluded - in their existing policies is now being excluded, creating a gap in cover.
This complexity is compounded by the wide variety of clauses available in the market, which insurers may apply either to the entire risk or in a patchwork manner, depending on the number of insurers on a programme. The easiest approach for insurers is to exclude Cyber in the first instance and then allow “carve-backs” to cover, subject to a better understanding of the risk. However, this creates a complex minefield for insureds and their brokers seeking to build a consistent and harmonised insurance programme, and it potentially opens gaps depending on the clause(s) being used.

Out with the old, in with the new

Towards the end of 2019 it was made known in the market that the ever-present CL380 Cyber Attack and NMA 2914/15 Electronic Data exclusion clauses (which many have become accustomed to) do not, by Lloyd’s of London standards, go far enough in addressing the issue of silent Cyber, and are therefore deemed not to satisfy its requirements on this issue.
As a result, in November 2019 the Lloyd’s Market Association (LMA) published a set of new model clauses for Property and Marine risks [2]. These come in the form of an outright exclusion and a clause with provisions for buy-backs such as Fire and Explosion, but only where these result from a non-malicious Cyber incident. The Casualty sector has also seen several different clauses in use. While Lloyd’s provided its clauses only recently, the International Underwriters Association (IUA) was one step ahead and released its own London Market model clauses in the summer of 2019, likewise intended to address the issue of non-affirmative silent cover [3]. As stated by the IUA, these come in the form of a “Cyber Loss Absolute Exclusion Clause”, which provides market participants with an option to exclude, in the broadest possible manner, any loss arising from the use of a computer system, network or data (each of which is clearly defined), and a “Cyber Loss Limited Exclusion Clause”, which enables only the exclusion of losses directly caused by Cyber events, rather than losses caused ‘directly or indirectly’. The nomenclature of these clauses differs slightly from that of the Lloyd’s clauses, adding to the difficulty.

Exclusion the easiest option for the market

Insurers will have to decide which clause to use; for a risk that they themselves do not fully understand, the easy option is to apply the broadest exclusion possible. Whether they allow carve-backs, restrict cover for certain Cyber events or exposures, or even change their stance entirely and cover Cyber completely, their position is likely to be challenged, and insurers rarely concede ground, especially in a hardening market.
For brokers, discussions must be had with insurers in which underwriters will look to apply certain clauses, while brokers drill down into why insurers are taking a certain stance and whether the wording achieves what the broker intended. As the tightening of approaches in the traditional markets becomes apparent and perils are excluded, mining companies are increasingly seeking specialist support from their broker and from the Cyber market.
The Cyber market historically originated from a consumer focus on data-related risk, whereby organisations obtain cover for loss of data and for liabilities resulting from breaches of personal data. For a mining company, personal data will not be a primary focus; they do not hold large amounts of it (bar perhaps that of their own employees), although they do hold operational data which may be affected. Instead, the focus should be on ensuring operational resilience and reliability.
New solution categories

The solutions in the market can address the categories noted in Figure 2 to the right on a clear affirmative basis for a malicious Cyber-attack. Affirmative is the operative word here: it actually provides certainty. A solution from this market avoids the issues and disputes seen on traditional policies where cover interacted with War and Terrorism exclusions. However, the market is currently not offering Physical Damage and ensuing Business Interruption cover for human error (i.e. a negligent employee) and/or technology failure.
There are several important considerations to highlight from a Cyber insurance perspective. Property must be considered as two elements: the tangible and the intangible. The former comprises physical assets such as haulage trucks, drills and general infrastructure; the latter, the non-physical intangibles (as they are known), encompassing software and data. Both can be impacted by Cyber-attacks.

First Party data loss is an area which the traditional Property market generally has no intention of covering, unless the loss of the data results from a physical peril that would generally be covered, i.e. Fire or Explosion; even now, some of the newer clauses are beginning to exclude this altogether. Cover for the loss of intangibles without a physical element is generally offered only in the specialist market.

Non-damage Business Interruption cover is for the loss of gross profit resulting from a Cyber incident, across both IT and operational technology, where no physical damage is experienced. A common scenario to which this cover could respond is the dreaded ransomware strike, whereby operations are brought to a standstill.

Third-party covers in the market are primarily focused on the potential liabilities surrounding the loss of third-party data or the sharing of malware downstream which causes financial loss. Third Party Liability cover for bodily injury and property damage is less readily offered by the market at this time.

Finally, the incident response type solutions being offered provide cover for the event responders and their external experts, who come in to mitigate loss and to get companies back up and operating. It is important that this is integrated with the company’s existing incident response and claims protocols.
Insurance capacity in the Cyber markets

It is no secret that the capacity available in the Cyber market is not even close in quantum to that provided by traditional Property & Casualty (P&C) insurers, and that Cyber “towers” are modest in comparison to what can be built in those markets. The current estimate for cover in the Cyber market is around US$600 million; this top level of capacity is only achievable for personal data risks, such as financial services and retail, where Cyber insurers have a relatively strong understanding. In general, the Cyber market has grown in a pragmatic yet cautious manner and there has not been an explosion of available capacity. Indeed, just as capacity withdraws and prices rise in the P&C markets, the Cyber market is experiencing its own degree of hardening.

The question is often posed as to how much capacity is available for the mining sector, but there are too many variables to give a single answer. Perhaps this conversation should move instead towards truly quantifying the key exposures, complex though that endeavour is: specifically, what a Cyber-triggered Estimated Maximum Loss or Maximum Possible Loss may look like, and how best to approach both the traditional and specialist markets.

For insurance buyers considering purchasing Cyber cover, it is important to note that furnishing high-quality Cyber security and risk information is crucial to the risk transfer process. For the purchaser, this requires a complex Cyber information-gathering exercise by a risk management and insurance function which historically has not collected this type of information. Broker support for this process is therefore invaluable.
Simply put, any metals and mining company risk manager should have a clear understanding of:
Bearing this in mind, we would recommend adopting the following four-stage process:
Your risk has gone digital

Cyber risk poses a significant challenge to any risk manager. The market has shifted in its approach to the risk; where once cover may have been provided, gaps are appearing. However, specialist markets and experts have evolved to bridge this gap with new and novel solutions, and the risk of not exploring your options in today’s age cannot be overstated. Make sure you review your current cover; it is not a question of if you get hit, but when.
Myles Milner MEng, ACII, AMIMechE is an Account Director, Renewables GB, Willis Towers Watson London. Myles.Milner@WillisTowersWatson.com
[1] https://www.bankofengland.co.uk/prudential-regulation/letter/2019/cyber-underwriting-risk-follow-up-survey-results
[2] https://www.lmalloyds.com/LMA/News/LMA_bulletins/LMA_Bulletins/LMA19-031-PD.aspx
[3] http://www.iua.co.uk/IUA_Member/Press/Press_Releases_2019/IUA_publishes_cyber_exclusion_clauses.aspx