At the end of January, FBI Director Christopher Wray testified at the House Select Committee on the Chinese Communist Party. Among other things, he stated that
“China’s hackers are positioning on American infrastructure in preparation to wreak havoc and cause real-world harm to American citizens and communities. If or when China decides the time has come to strike, they’re not focused solely on political or military targets…”
In recent years, we’ve seen high-profile instances of hackers taking over industrial operations, including Colonial Pipeline (the largest pipeline system for refined oil products in the U.S.) and disabling operations at meatpacker JBS. I wrote about the nexus between environmental and cyber risk back in 2021, but given Wray’s new warning, it seemed worth revisiting. With the almost single-minded focus on climate, other environmental exposures may have been forgotten. At least four facets of this risk should be evaluated:
Human health risk. Depending on the type of manufacturing operation and equipment, the risk to employees on-site and the community at large can be significant in the event of process failure. Chemical emissions, fires and explosions are deadly and they can have a wide area of impact. Facilities subject to OSHA’s Process Safety Management or EPA’s Risk Management Plan regulations are required to perform off-site consequence analyses that are helpful in assessing the risk, but they are limited to only specifically covered chemicals/processes. Gas-fired boilers and dams/dikes are not covered. When evaluating human health risks associated with your operations, it would be prudent to take a wide view of what may impact employees and the community.
Environmental impact. Similar to human health risk, operational failures or breaches can cause environmental contamination, loss of water bodies, natural resources, ecosystems/habitat and endangered species, and long-tail cleanup liabilities.
Consequential impacts. Catastrophic events at a single location can also start a domino effect of “downstream” consequential impacts. Examples include chemical contamination of food crops, water supplies and residential areas, energy outages at hospitals and critical infrastructure, flooding of other manufacturing facilities or utilities, compromised drinking water safety and loss of public use areas. There is even a possibility of disturbing previously closed environmental disposal sites – Hurricane Katrina flooded a closed municipal landfill, causing not only environmental damage, but also structural instability of the reclaimed land.
Financial exposure. Insurance usually provides a useful financial backstop for unplanned, sudden and accidental losses. However, your coverage likely has significant – or even absolute – exclusions or limitations for terrorist acts, cyber risk, pollution and consequential liabilities. It is advisable to review your insurance policy language in detail to identify and assess any relevant exclusions/limitations and make an informed decision about what to do from there.
Environmental catastrophes are not the first thing that pops into people’s heads when the topic of cybersecurity arises, but the potential for these events should be included in corporate risk assessments, cybersecurity assessments and in ESG materiality determinations. If you haven’t recently evaluated the status of environmental risk and mitigation measures in connection with your cyber risk assessment, now would be a good time to do so – including making sure insurance coverage is appropriate.