Knowledge

Cyber risks: Are fuel distributors vulnerable?

Most people would be aware of the ever-increasing threat that cyber breaches pose to businesses in the UK, but here Karl Jones, of industry insurance specialist OAMPS, considers our community of fuel distributors – are you especially vulnerable?

Cyber security

As part of the UK’s critical national infrastructure, the reality is that in addition to criminal activity and disaffected individuals, the sector could also be targeted by:

  • Environmental activists
  • State-sponsored attacks against UK PLC
  • As with any system of protection, the integrity of that protection is only as strong as the weakest link, and there are a number of potential issues with:
  • Weak password management
  • Use of work systems for personal email access
  • Allowing employees to use personal devices to log into your network (their phones on your Wi-Fi)
  • Limited use of password protections to control access to sensitive parts of your system
  • Employee awareness of Cyber security
  • Your physical assets and software also represent potential threats if your internet-enabled IT assets (including CCTV cameras, leak detection/safety systems and Point of Sale devices) use:
  • Unsupported software/firmware
  • The original password provided by the supplier/manufacturer
  • Not updating operating systems or software as soon as the patches are released also means your system protection is out of date and could be breached by recently created malware.

What could this cost?

The average cost of a breach is £10,830 in the UK which is a lot smaller than some of the headlines you might have seen, as this doesn’t include compensation costs if data is compromised.

GDPR data breach compensation costs start at around £1,000 per person where their name, address, date of birth and email address are part of a data breach, and this can multiply quickly if financial information is involved (anywhere between £3,000 and £8,000 per person on average)

But we outsource all of our IT to a third party and they protect us

Unfortunately, you’re not in possession of a “get out of jail free card” if you outsource the operation and management of your IT systems to a third party – if you check your contracts issued for the Software As A Service (SAAS) you use, it will almost certainly limit the indemnity that the provider will give you to the charges you pay them, but only in respect of property damage.

The agreement will often also exclude any consequential losses resulting from a Cyber breach, which could include:

  • Loss of customers and revenue (especially if you can’t trade at your busiest times)
  • Possible environmental damage
  • Potential damage to your hard-earnt reputation

Even if you don’t hold the information yourselves, these agreements often place data controller responsibilities on you. 

The ICO states that the controller is primarily responsible for its own compliance and ensuring the compliance of its processors. This means that, regardless of the terms of the contract with a processor, the controller may be subject to any of the corrective measures and sanctions set out in the UK GDPR. These include orders to bring processing into compliance, claims for compensation from a data subject and administrative fines.

So the loss or breach of 1,000 customer records could cost you upwards of £1,000,000!

What can you do?

There are a number of things:

  • Use a robust password management system
  • Control or exclude the access of personal email accounts on your systems
  • Don’t allow employees to connect personal devices to your systems
  • Use passwords to protect sensitive areas of your system
  • Train your employees on the importance of cyber vigilance
  • Change passwords on internet-enabled devices
  • Allow automatic software updates
  • Limit or exclude the use of any unsupported hardware/firmware

The National Cyber Security Centre (NCSC) Cyber Essentials scheme is a useful starting point, and whilst getting certified does attract a charge, there is a useful toolkit at https://getreadyforcyberessentials.iasme.co.uk/questions/ which would help you prepare for certification and would identify areas that you should focus on.

Cyber insurance is also a valuable tool to consider in your Cyber strategy; many policies can be tailored to provide cover for the areas that most businesses are concerned about – social engineering, phishing, and ransomware.  Some of the policies can also provide access to specialist support in the event of a system breach, help identify why and how the breach occurred, as well as advise on preventing further breaches.

The sole purpose of this article is to provide guidance on the issues covered. This article is not intended to give legal advice, and, accordingly, it should not be relied upon. It should not be regarded as a comprehensive statement of the law and/or market practice in this area. We make no claims as to the completeness or accuracy of the information contained herein or in the links which were live at the date of publication. You should not act upon (or should refrain from acting upon) information in this publication without first seeking specific legal and/or specialist advice. Pen Underwriting trading as OAMPS Hazardous Industries accepts no liability for any inaccuracy, omission or mistake in this publication, nor will we be responsible for any loss which may be suffered as a result of any person relying on the information contained herein.

Image credit: Dreamstime