INTERMODAL EDGE

December 04, 2020

INTERMODAL IN AN AGE OF CYBER INSECURITY


Cyber threats pose indiscriminate risks across all industries, and the intermodal industry is no stranger. The top four ocean carriers have been subject to attacks in the last four years - two in the last seven months.

We also know that the more technologically advanced other parts of the intermodal industry become, the more likely they are to become targets for security threats. This has been amplified by the COVID-19 pandemic, as organizations have pushed for technological advances not only in their frontline operating model but also in their back-office operations.

Based on our recent webcast conversation around “Understanding Cyber Vulnerabilities,” which you can view here, we’ve pulled together action items the intermodal industry can take to help mitigate a cyber attack threat.

1) Cyber events are not a question of ‘if’ but ‘when’. Assign roles and responsibilities and run the simulation now, so your company is ready when it happens.

2) Employees are a transportation company’s weakest link. Hire an outside firm, which can be done economically, to review basic firewall and password policies.

3) Create a culture of cyber safety, just as we do in other areas of our business. This doesn’t need to be a major investment, and software is now available to make this process, e.g. phishing simulations, affordable.

4) Be prepared and stress your system in a controlled environment. Spend less time focusing on the Formal (overt) Aspects, the way we say we get things done, vs. the Informal (covert) Aspects, the way we really get things done.

5) Beware of your company’s insurance particulars. Business interruption insurance may not cover cyber, and cyber insurance may not include acts of war (which can be how a cyber event is categorized). It is critical to do the research and know what the insurance you are purchasing specifically covers.

6) Outside assistance can help identify weaknesses and validate the risk for internal decision-makers. Find help that’s right for your company and a vendor who understands your company’s business and is not just trying to sell a tool.

7) With that in mind, educate yourself on the right questions to ask. Ask for references. Check with your insurance company for in-network recommendations and ask peers of your size for theirs.

There is no ‘silver bullet’ when it comes to cybersecurity; there are only behaviors that reduce the likelihood. In that light, the lessons learned from COVID are broadly applicable: ask questions and make a playbook. What would someone want to do to your firm, and how should you respond regardless of the method? How does that response differ for your board / executive team / management? What are the playbook requirements, e.g. legal liability, delegated authority, emergency contacts, management of uncertainty, etc.?

Regulatory compliance is a new, additional risk to consider, on top of business interruption. The Treasury Department, through its Office of Foreign Assets Control, has imposed economic sanctions on several cyber criminals and cyber crime groups, making it a crime to transact with them. See the 10/1/20 advisory here. By paying a ransom, your company exposes itself to fines of up to $20 million. Additionally, even if sanctions are not at issue, the federal government encourages companies that are cyber victims to contact relevant enforcement agencies.

Concluding thoughts: your company can never 100% eliminate the risk of a successful cyber event. You can prepare for an event. No threat facing America has grown as fast, or in a manner as difficult to understand, as the danger from cyberattacks. PRACTICE, PRACTICE, PRACTICE your response and prepare your board, management and staff.
