
Chemical Firms Boost Cybersecurity Ahead of New Regulations

New Report Finds Chemical Firms Are Investing in Cyber, Raising CISO Visibility

Chemical companies have significantly improved their cyber preparedness while ramping up security investments in response to rising threats and looming new regulations, according to a new report.

Leading global credit rating agency Moody's Ratings published a report Monday that says basic cyber defense practices have become "near universal" across the industry as E.U. and U.S. regulators increasingly focus on mission-critical sectors of the economy.

New cybersecurity rules are set to take effect for chemical firms in the E.U. in October under an updated version of the Network and Information Security Directive, dubbed NIS 2.0. The U.S. is finalizing incident reporting and ransomware regulations as part of the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which could potentially become effective in early 2026.

The Moody's report comes after the Department of Homeland Security warned in April that the U.S. suffers from limitations in its current biological and chemical security regulations that "could increase the likelihood of both intentional and unintentional dangerous research outcomes that pose a risk to public health, economic security, or national security" (see: DHS: AI-Enhanced Nuclear and Chemical Threats Are Risk to US).

Experts also recently told Information Security Media Group that threat actors will likely increasingly leverage artificial intelligence to carry out chemical, biological, radiological or even nuclear attacks.

The ransomware and hacking groups that have targeted the chemical sector in recent years include LockBit 3.0, which CISA said focused on operational technology and industrial control systems when launching attacks against chemical firms. The Lazarus advanced persistent threat group also likely targeted the chemical sector using fake job postings for defense contractors, according to the agency.

The Moody's survey found that 88% of corporate cybersecurity chiefs report directly to a C-suite executive and that the rate is even higher in the chemical sector at 95%. The data point indicates "a strong governance structure supporting cybersecurity threats awareness among top-tier executives." The report also says that chemical firms have increasingly tied leadership compensation to cyber risk performance - 38% of respondents said their CEO's pay is linked to cyber objectives.

CISA has proposed a 72-hour cyber incident reporting rule for entities covered under CIRCIA. The agency has called on DHS to establish an intergovernmental Cyber Incident Reporting Council to better coordinate federal incident reporting requirements, which could potentially apply to more than 300,000 organizations across the country (see: CISA Seeks Public Input on Cyber Incident Reporting Rules).

While third-party software continues to pose a significant risk for corporations, the Moody's survey found that 88% of chemical industry respondents across the Americas carry some form of stand-alone cyber insurance. Small and midsized firms have boosted their average overall cyber spending to around 10% of their information technology budgets, which Moody's said "likely represents a catch-up from historical underinvestment."

"Chemical issuers exhibit a high degree of sophistication in their cyber defense strategies, using a mix of basic and advanced methods," the report says. It also says most chemical firms have implemented basic cyber defenses, including incident response plans, weekly data backups and multifactor authentication.

Moody's surveyed more than 1,900 respondents for its report on the chemical sector. The report predicted that CIRCIA and NIS 2.0 regulations will result in "increased reporting, both internally (to boards of directors) and for external stakeholders like regulators and customers."


About the Author

Chris Riotta

Managing Editor, GovInfoSecurity

Riotta is a journalist based in Washington, D.C. He earned his master's degree from the Columbia University Graduate School of Journalism, where he served as 2021 class president. His reporting has appeared in NBC News, Nextgov/FCW, Newsweek Magazine, The Independent and more.



