Cyber Insurance For Industrial Companies - Its Complex

Uploaded on 2024-02-23 in FREE TO VIEW, BUSINESS-Services-Financial, BUSINESS-Production-Manufacturing

Determining if a company is insured against the consequences of a cyber attack isn't as straightforward as it seems. The rise in cyber attacks has led insurers to reduce coverage, leaving companies uncertain about their protection level - if they can get coverage at all. Understanding the complexity of cyber insurance therefore requires a quick look backwards. 

Until the mid-2010s, specific insurance against cyber attacks was uncommon. When companies were hacked, they would typically claim damages from insurers under their property insurance. This situation became known as "silent cyber, " since cyberattacks were neither mentioned in insurance policies nor explicitly excluded.

This ambiguity became untenable with the rise of ransomware and the 2017 Wannacry and Notpetya attacks.

Pharmaceutical giant Merck, heavily affected by Notpetya, filed $1.4 billion claims under its “all-risk” property insurance, which were initially denied. The case led insurance authorities to start raising concerns that insurers could be unknowingly exposed to massive claims. It wasn't until 2023 that Merck won the case in court.

Acts Of War

In response, insurers began explicitly excluding cyberattacks from property insurance contracts, with some offering specific cyber risk policies and others ceasing coverage.

This did not stop the cyber insurance market from rapidly growing, with global premiums ballooning from $2 billion in 2015 to $12 billion in 2022. They could reach $33 billion by 2027. Even then, the market seems woefully undersized to absorb the consequences of a systemic cyber-attack, which could lead to trillions in damages.
For companies, identifying which cyber-attacks are covered can prove difficult. With Russia-affiliated groups emerging as major cybercrime actors, insurers like Lloyd’s of London have indicated they could consider their exploits as state-sponsored attacks or acts of war, thereby denying coverage. Some court cases, like the one involving automotive distributor Inchcape, have also hinged on whether insurers should cover indirect costs that result from a cyber attack, such as hardware replacement, forensic analysis or PR.

Rising Premiums & Difficulty Getting Coverage

The rise in cyberattacks has also sent premiums skyrocketing: according to Marsh’s market index, prices doubled every year between 2019 and 2021.

These hikes reflect the fact that attacks have become so commonplace that pay-outs are a near certainty. According to Trend Micro, 89% of companies in the electricity, oil and gas and manufacturing sectors saw their operations impacted by a cyber attack in 2022.

To reduce risk, insurance companies often rely on a drastic selection process. Companies can expect to answer several hundred questions detailing their cybersecurity policies, the data they store and business continuity plans.

Insurers also consider past breaches and industry risks and use ratings from firms like BitSight or GuideWire to rate a company’s cyber hygiene. Such processes have left scores of companies excluded from the market: according to insurer Aviva, only 14% of SMEs in the UK - and 3% in Scotland - were insured against cyber attacks.

Industrial Companies Are At A Disadvantage

The uncertainty regarding coverage and premiums has led some companies to self-insure. In September 2022, seven major European groups including BASF, Airbus and Michelin, formed MRIS, a mutual insurance company. Their decision reflects the disadvantage industrial companies face in obtaining cyber insurance.

Insurers calculate premiums by asking companies to describe the cybersecurity measures that apply to their IT devices, such as laptops and servers, but also to their industrial equipment, such as industrial control systems or SCADA systems. Those often lack rudimentary security measures such as password encryption or multi-factor authentication. 

In addition, because modern industrial facilities run 24/7, companies have greater difficulties patching vulnerabilities. A recent survey by the European Cybersecurity Agency (ENISA) showed that two-thirds of companies in the energy sector, for example, needed more than a month to patch a critical vulnerability and one in ten more than six months.

Reducing Risks To Reduce Costs

This situation shows that, while insurance companies may be excessively risk-averse, companies also need to elevate their cybersecurity practices to reduce their exposure. In the past year, cyber attacks that specifically target Internet of Things (IoT) devices, for example, have increased by 400% according to Zscaler, a cybersecurity firm. This represents a significant concern as the mobility of malware can facilitate movement across different networks, potentially endangering critical OT infrastructure.

To obtain coverage and drive down prices, industrial firms can take several measures. They must first audit their IT systems and operations to identify vulnerabilities and priorities to make operations more resilient.

They should particularly focus on creating a detailed inventory of all endpoints and cross-referencing these with databases like NIST's National Vulnerability Database to assess risks in their operations and enhance resilience among other things.

Insurance questionnaires will also require detailed information on network segmentation, risk management, recovery plans, and third-party vendor relationships. Although perfecting and documenting these processes is labour-intensive, it is central to reducing insurance costs - as well as the impact of cyber-attacks.

Lastly, companies, whether insured or seeking coverage, should understand their policy's conditions and exclusions, particularly regarding what constitutes acts of war or state-sponsored attacks. All too often, these questions are only asked after a cyberattack has struck - sometimes in the courtroom.

Edgardo Moreno is Executive Industry Consultant at Hexagon Asset Lifecycle Intelligence 

Image: Poca Wander Stock

You Might Also Read:

The Need For OT-centric Cyber Security Strategies:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

 

« Cybersecurity, Volt Typhoon & The Grid
Defending Against These Common Types Of Cyber Attack »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

Engage Black

Engage Black

Engage Black provides solutions for securing and protecting cryptographic keys, data at rest, and data in motion.

NTOP

NTOP

NTOP develop high-quality network traffic analysis and DDoS protection software used by small individuals as well by large telecom operators.

Telecommunications Industry Association (TIA)

Telecommunications Industry Association (TIA)

TIA works to secure trust in networks by advocating public policy positions on the security of ICT equipment and services related to critical infrastructure, supply chain and information sharing.

Kratikal

Kratikal

Kratikal provides a complete suite of manual and automated security testing services.

High Security Center (HSC)

High Security Center (HSC)

High Security Center provide real-time threat protection. We protect your company from targeted and persistent attacks using technologies such as Machine Learning and Behavioral Analysis.

CybrHawk

CybrHawk

CybrHawk is a leading provider of information security-driven risk intelligence solutions focused solely on protecting clients from cyber-attacks.

Infinite Ranges

Infinite Ranges

Infinite Ranges delivers secure, comprehensive digital solutions by connecting experts with the best products and services for the digital age.

Cyber Security Services

Cyber Security Services

Cyber Security Services is a cyber security consulting firm and security operations center (SOC).

Stronghold Cyber Security

Stronghold Cyber Security

Stronghold Cyber Security is a consulting company that specializes in NIST 800, the Cybersecurity Framework and the Cybersecurity Maturity Model Certification.

WhizHack Technologies

WhizHack Technologies

WhizHack's mission is to not only create a pipeline of cyber security products but also to empower people to sustainable innovation in securing digital assets of tomorrow.

Zorus

Zorus

Zorus provides best-in-class cybersecurity products to MSP partners to help them grow their business and protect their clients.

Prime Technology Services

Prime Technology Services

Prime Tech are a group of Red Hat, Microsoft & Cisco Certified IT Professionals with an impressive track record of consistently delivering value to our corporate clients.

Apura Cybersecurity Intelligence

Apura Cybersecurity Intelligence

Apura is a Brazilian company that develops advanced products and provides specialized services in information security and cyber defense.

Redington

Redington

Redington offer products and services in solution areas including digital transformation, hybrid infrastructure and cybersecurity.

ZEUSS

ZEUSS

ZEUSS is a diversified data center, cybersecurity, and green energy company.

BlazeGuard

BlazeGuard

At BlazeGuard, we understand that navigating the complex world of cybersecurity can be challenging. That’s why we make it our mission to simplify the process for you.