March 22, 2017

Cyber risk and the impact on health and safety


By Colin Moore and Hans Allnutt

The HSE’s business plan for 2016/17 identifies “an increased cyber threat” as one of the emerging risks they are monitoring. What is the link between cyber risk and health and safety and how should companies address the issues which arise?

As almost every modern company either relies on its own or a third party’s electronic systems and networks, it follows that they could be exposed to cyber risk.

It can be useful to consider cyber risk within three categories:

  • Operational – the disruption of business operations caused by the loss or interruption of electronic systems and networks.
  • Informational – the loss, unauthorised access to, destruction, or other unintended use of electronic information and data.
  • Physical – physical damage or unexpected physical events caused by actions in the cyber domain.

Operational Risk

Cyber-attacks that cripple key operational functions can also directly affect health and safety. The denial of access to documents, data or communication and control systems, however short-lived, can make it impossible to control risks to employees and non-employees.

For example, control measures for lone working could include electronic reporting-in systems. If they are disrupted it may be impossible to monitor the safety of employees, leaving them unsupported in hazardous working conditions.

Disrupting immediate access to electronically-held health and safety documents, such as Safe Systems of Work, may make it impossible to carry out hazardous tasks safely.

Informational risk can be indirectly linked to health and safety. Employers are likely to hold sensitive personal data on employees, including records on their health and finances. Concerns about the security of a company’s sensitive personal data may exacerbate a worker’s anxiety that their data will be leaked or disseminated without their permission.

Physical risk could include security breaches affecting electronic control systems in mechanised processes, or arise more generally from viruses and malware accessed via the internet.

The aims of a cyber-attack may be financial gain, intentional disruption of business activities or to damage industrial materials and equipment. However, there may be secondary consequences for health and safety.

In 2014, a cyber-attack on a steel mill in Germany caused physical damage when interference in control systems prevented blast furnaces from shutting down properly. While the aim of the attack may have been industrial sabotage, production equipment was also damaged, which could have become a safety-critical event, given the hazardous nature of the processes and materials involved.

What causes cyber risk?

In addition to financial motives, either directly (in the case of ransomware/denial of service) as a form of extortion, or indirectly as a form of industrial sabotage, attacks may have a purely malicious origin: disgruntled employees or criminals simply seeking to harm or embarrass an organisation.

However, cyber risk can also arise through omission or even negligence, without third party involvement. If you consider software as work equipment, it has just the same requirement for maintenance and renewal as an item of “hard” industrial infrastructure.

If software is not properly compatible or updates are not installed, operating systems controlling processes and equipment can become insecure or even stop working. We have represented clients whose mechanised production systems failed, causing serious injury, all because a new section of plant was incompatible with existing operating software.

The software problem not only caused the hazard, but prevented safety interlocks from protecting employees when they sought to investigate it.

Prevention is better than cure

New sentencing guidelines for health and safety offences can result in massive costs for companies that fail to address cyber risk. The HSE will also consider whether there is scope for enforcement action. Failure to take reasonably practicable steps to protect employees exposed to harm from cyber risk could amount to an offence.

For employers with a turnover exceeding £50 million whose breaches expose employees and non-employees to the risk of serious harm, fines can amount to millions of pounds. Moreover, health and safety offences and fines are based on the risk of harm; no actual harm needs to occur.

Developing and maintaining an effective cyber risk strategy will be increasingly vital for employers and should include the following:

  • Responsibility – a parliamentary enquiry set up after the TalkTalk breach concluded that the CEO should be responsible for an organisation’s cyber risk, although day-to-day responsibility may be delegated. This recognises that cyber risk is not just an IT risk but a risk faced by the entire organisation.
  • Build and sustain cyber risk expertise and awareness, and understand what risks may affect your organisation and its systems.
  • Maintain a resilient and defended cyber infrastructure, including security basics like anti-virus software and firewalls, but also key maintenance to ensure systems are properly updated and internally compatible.
  • Ensure the security, integrity and lawfulness of information and data – this includes protecting your data and any third party data you store from external threats and also from inadvertent or negligent leaks.
  • Ensure the resilience of your organisation’s physical domain – the best security software is worthless if your systems’ physical security can be compromised by an intruder.
  • Continue to manage risk – keeping systems and procedures up to date, which is so vital for cyber risk because new threats can develop quickly.
  • Consider appropriate insurance with your broker – your existing insurance arrangements may not respond to losses arising out of cyber-attacks and it is vital to understand what potential losses could arise and what coverage exists. Multiple policies may respond to losses, including Employers’ Liability and Public Liability, and some policies may carry cyber-attack exclusions. Dedicated cyber insurance policies, with some focussing on industrial and manufacturing risks, are now becoming more widely available and affordable.

The extent of the interplay between cyber risk and health and safety remains an emerging issue. Clearly, organisations that are already protecting themselves from cyber risks will be better placed to address health and safety risks.

Colin Moore is an Associate in the national Safety, Health & Environment team, and Hans Allnutt is a Partner and Head of Cyber & Data Risk, at international law firm DAC Beachcroft.
