Cyber Insurance For Industrial Companies - Its Complex

Uploaded on 2024-02-23 in FREE TO VIEW, BUSINESS-Services-Financial, BUSINESS-Production-Manufacturing

Determining if a company is insured against the consequences of a cyber attack isn't as straightforward as it seems. The rise in cyber attacks has led insurers to reduce coverage, leaving companies uncertain about their protection level - if they can get coverage at all. Understanding the complexity of cyber insurance therefore requires a quick look backwards. 

Until the mid-2010s, specific insurance against cyber attacks was uncommon. When companies were hacked, they would typically claim damages from insurers under their property insurance. This situation became known as "silent cyber, " since cyberattacks were neither mentioned in insurance policies nor explicitly excluded.

This ambiguity became untenable with the rise of ransomware and the 2017 Wannacry and Notpetya attacks.

Pharmaceutical giant Merck, heavily affected by Notpetya, filed $1.4 billion claims under its “all-risk” property insurance, which were initially denied. The case led insurance authorities to start raising concerns that insurers could be unknowingly exposed to massive claims. It wasn't until 2023 that Merck won the case in court.

Acts Of War

In response, insurers began explicitly excluding cyberattacks from property insurance contracts, with some offering specific cyber risk policies and others ceasing coverage.

This did not stop the cyber insurance market from rapidly growing, with global premiums ballooning from $2 billion in 2015 to $12 billion in 2022. They could reach $33 billion by 2027. Even then, the market seems woefully undersized to absorb the consequences of a systemic cyber-attack, which could lead to trillions in damages.
For companies, identifying which cyber-attacks are covered can prove difficult. With Russia-affiliated groups emerging as major cybercrime actors, insurers like Lloyd’s of London have indicated they could consider their exploits as state-sponsored attacks or acts of war, thereby denying coverage. Some court cases, like the one involving automotive distributor Inchcape, have also hinged on whether insurers should cover indirect costs that result from a cyber attack, such as hardware replacement, forensic analysis or PR.

Rising Premiums & Difficulty Getting Coverage

The rise in cyberattacks has also sent premiums skyrocketing: according to Marsh’s market index, prices doubled every year between 2019 and 2021.

These hikes reflect the fact that attacks have become so commonplace that pay-outs are a near certainty. According to Trend Micro, 89% of companies in the electricity, oil and gas and manufacturing sectors saw their operations impacted by a cyber attack in 2022.

To reduce risk, insurance companies often rely on a drastic selection process. Companies can expect to answer several hundred questions detailing their cybersecurity policies, the data they store and business continuity plans.

Insurers also consider past breaches and industry risks and use ratings from firms like BitSight or GuideWire to rate a company’s cyber hygiene. Such processes have left scores of companies excluded from the market: according to insurer Aviva, only 14% of SMEs in the UK - and 3% in Scotland - were insured against cyber attacks.

Industrial Companies Are At A Disadvantage

The uncertainty regarding coverage and premiums has led some companies to self-insure. In September 2022, seven major European groups including BASF, Airbus and Michelin, formed MRIS, a mutual insurance company. Their decision reflects the disadvantage industrial companies face in obtaining cyber insurance.

Insurers calculate premiums by asking companies to describe the cybersecurity measures that apply to their IT devices, such as laptops and servers, but also to their industrial equipment, such as industrial control systems or SCADA systems. Those often lack rudimentary security measures such as password encryption or multi-factor authentication. 

In addition, because modern industrial facilities run 24/7, companies have greater difficulties patching vulnerabilities. A recent survey by the European Cybersecurity Agency (ENISA) showed that two-thirds of companies in the energy sector, for example, needed more than a month to patch a critical vulnerability and one in ten more than six months.

Reducing Risks To Reduce Costs

This situation shows that, while insurance companies may be excessively risk-averse, companies also need to elevate their cybersecurity practices to reduce their exposure. In the past year, cyber attacks that specifically target Internet of Things (IoT) devices, for example, have increased by 400% according to Zscaler, a cybersecurity firm. This represents a significant concern as the mobility of malware can facilitate movement across different networks, potentially endangering critical OT infrastructure.

To obtain coverage and drive down prices, industrial firms can take several measures. They must first audit their IT systems and operations to identify vulnerabilities and priorities to make operations more resilient.

They should particularly focus on creating a detailed inventory of all endpoints and cross-referencing these with databases like NIST's National Vulnerability Database to assess risks in their operations and enhance resilience among other things.

Insurance questionnaires will also require detailed information on network segmentation, risk management, recovery plans, and third-party vendor relationships. Although perfecting and documenting these processes is labour-intensive, it is central to reducing insurance costs - as well as the impact of cyber-attacks.

Lastly, companies, whether insured or seeking coverage, should understand their policy's conditions and exclusions, particularly regarding what constitutes acts of war or state-sponsored attacks. All too often, these questions are only asked after a cyberattack has struck - sometimes in the courtroom.

Edgardo Moreno is Executive Industry Consultant at Hexagon Asset Lifecycle Intelligence 

Image: Poca Wander Stock

You Might Also Read:

The Need For OT-centric Cyber Security Strategies:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

 

« Cybersecurity, Volt Typhoon & The Grid
Defending Against These Common Types Of Cyber Attack »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

IASME Consortium

IASME Consortium

IASME is one of five companies appointed as Accreditation Bodies for assessing and certifying against the UK Government's Cyber Essentials Scheme.

Optimum Insurance

Optimum Insurance

Optimum's Cyber Risk & Data Protection Insurance policies are designed to protect against cyber exposures that arise when a company’s data and customer information is breached or stolen.

Critical Infrastructures for Information and Cybersecurity (ICIC)

Critical Infrastructures for Information and Cybersecurity (ICIC)

ICIC addresses the demand for cybersecurity for National Public Sector organizations and civil and private sector organizations in Argentina.

Cipher Tooth

Cipher Tooth

CipherTooth is a superior system for delivering secure content over the Internet.

Komodo Consulting (KomodoSec)

Komodo Consulting (KomodoSec)

Komodo Consulting specializes in Penetration Testing and Red-Team Excercises, Cyber Threat Intelligence, Incident Response and Application Security.

Parsons

Parsons

Parsons has developed a converged security offering that combines cybersecurity, integrated network solutions, and critical infrastructure protection.

NetKnights

NetKnights

NetKnights is an independent IT security company which offers services and products for strong authentication, identity management and encryption.

Harel Mallac Technologies

Harel Mallac Technologies

Harel Mallac Technologies is a Mauritian organisation that has developed a strong network of ICT specialists with nodes across the African continent.

Sponge

Sponge

Sponge is a world-renowned digital learning provider on a mission to make learning unforgettable.

TAG Cyber

TAG Cyber

TAG Cyber's mission is to provide world-class cyber security research, advisory, and consulting services to enterprise security teams around the world.

Scybers

Scybers

Scybers are a global cybersecurity advisory and managed services company. With our deep expertise, we help our clients reduce their cyber risks with confidence.

RSK Cyber Security

RSK Cyber Security

RSK Cyber Security are a leading cyber security services company that uses services, consulting, and product knowledge to lower security risk across the board.

Minorities in Cybersecurity (MiC)

Minorities in Cybersecurity (MiC)

MiC was developed out of a unique passion to help fill the gap that exists in the support and development of women and minority leaders in the cybersecurity field.

FTI Consulting

FTI Consulting

FTI Consulting is a global business advisory firm dedicated to helping organizations manage change, mitigate risk and resolve disputes.

SIGLA Group

SIGLA Group

SIGLA Group specialize in the design and development of IT and OT solutions, from analysis to design, from implementation to commissioning, as well as consultancy, training and assistance.

Ebryx

Ebryx

At Ebryx, we are at the forefront of cybersecurity innovation, leveraging over a decade of expertise to protect and empower organizations worldwide.