Cyber Insurance For Industrial Companies - Its Complex

Uploaded on 2024-02-23 in FREE TO VIEW, BUSINESS-Services-Financial, BUSINESS-Production-Manufacturing

Determining if a company is insured against the consequences of a cyber attack isn't as straightforward as it seems. The rise in cyber attacks has led insurers to reduce coverage, leaving companies uncertain about their protection level - if they can get coverage at all. Understanding the complexity of cyber insurance therefore requires a quick look backwards. 

Until the mid-2010s, specific insurance against cyber attacks was uncommon. When companies were hacked, they would typically claim damages from insurers under their property insurance. This situation became known as "silent cyber, " since cyberattacks were neither mentioned in insurance policies nor explicitly excluded.

This ambiguity became untenable with the rise of ransomware and the 2017 Wannacry and Notpetya attacks.

Pharmaceutical giant Merck, heavily affected by Notpetya, filed $1.4 billion claims under its “all-risk” property insurance, which were initially denied. The case led insurance authorities to start raising concerns that insurers could be unknowingly exposed to massive claims. It wasn't until 2023 that Merck won the case in court.

Acts Of War

In response, insurers began explicitly excluding cyberattacks from property insurance contracts, with some offering specific cyber risk policies and others ceasing coverage.

This did not stop the cyber insurance market from rapidly growing, with global premiums ballooning from $2 billion in 2015 to $12 billion in 2022. They could reach $33 billion by 2027. Even then, the market seems woefully undersized to absorb the consequences of a systemic cyber-attack, which could lead to trillions in damages.
For companies, identifying which cyber-attacks are covered can prove difficult. With Russia-affiliated groups emerging as major cybercrime actors, insurers like Lloyd’s of London have indicated they could consider their exploits as state-sponsored attacks or acts of war, thereby denying coverage. Some court cases, like the one involving automotive distributor Inchcape, have also hinged on whether insurers should cover indirect costs that result from a cyber attack, such as hardware replacement, forensic analysis or PR.

Rising Premiums & Difficulty Getting Coverage

The rise in cyberattacks has also sent premiums skyrocketing: according to Marsh’s market index, prices doubled every year between 2019 and 2021.

These hikes reflect the fact that attacks have become so commonplace that pay-outs are a near certainty. According to Trend Micro, 89% of companies in the electricity, oil and gas and manufacturing sectors saw their operations impacted by a cyber attack in 2022.

To reduce risk, insurance companies often rely on a drastic selection process. Companies can expect to answer several hundred questions detailing their cybersecurity policies, the data they store and business continuity plans.

Insurers also consider past breaches and industry risks and use ratings from firms like BitSight or GuideWire to rate a company’s cyber hygiene. Such processes have left scores of companies excluded from the market: according to insurer Aviva, only 14% of SMEs in the UK - and 3% in Scotland - were insured against cyber attacks.

Industrial Companies Are At A Disadvantage

The uncertainty regarding coverage and premiums has led some companies to self-insure. In September 2022, seven major European groups including BASF, Airbus and Michelin, formed MRIS, a mutual insurance company. Their decision reflects the disadvantage industrial companies face in obtaining cyber insurance.

Insurers calculate premiums by asking companies to describe the cybersecurity measures that apply to their IT devices, such as laptops and servers, but also to their industrial equipment, such as industrial control systems or SCADA systems. Those often lack rudimentary security measures such as password encryption or multi-factor authentication. 

In addition, because modern industrial facilities run 24/7, companies have greater difficulties patching vulnerabilities. A recent survey by the European Cybersecurity Agency (ENISA) showed that two-thirds of companies in the energy sector, for example, needed more than a month to patch a critical vulnerability and one in ten more than six months.

Reducing Risks To Reduce Costs

This situation shows that, while insurance companies may be excessively risk-averse, companies also need to elevate their cybersecurity practices to reduce their exposure. In the past year, cyber attacks that specifically target Internet of Things (IoT) devices, for example, have increased by 400% according to Zscaler, a cybersecurity firm. This represents a significant concern as the mobility of malware can facilitate movement across different networks, potentially endangering critical OT infrastructure.

To obtain coverage and drive down prices, industrial firms can take several measures. They must first audit their IT systems and operations to identify vulnerabilities and priorities to make operations more resilient.

They should particularly focus on creating a detailed inventory of all endpoints and cross-referencing these with databases like NIST's National Vulnerability Database to assess risks in their operations and enhance resilience among other things.

Insurance questionnaires will also require detailed information on network segmentation, risk management, recovery plans, and third-party vendor relationships. Although perfecting and documenting these processes is labour-intensive, it is central to reducing insurance costs - as well as the impact of cyber-attacks.

Lastly, companies, whether insured or seeking coverage, should understand their policy's conditions and exclusions, particularly regarding what constitutes acts of war or state-sponsored attacks. All too often, these questions are only asked after a cyberattack has struck - sometimes in the courtroom.

Edgardo Moreno is Executive Industry Consultant at Hexagon Asset Lifecycle Intelligence 

Image: Poca Wander Stock

You Might Also Read:

The Need For OT-centric Cyber Security Strategies:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

 

« Cybersecurity, Volt Typhoon & The Grid
Defending Against These Common Types Of Cyber Attack »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 7,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

CIO

CIO

CIO provides technology and business leaders with insight and analysis on information technology trends

DataLocker

DataLocker

DataLocker offers both hardware based external storage and software based cloud storage encryption solutions.

Yokogawa Electric

Yokogawa Electric

Yokogawa is an electrical engineering company providing measurement, control, and information technologies including industrial cyber security.

AEI Cybersecurity

AEI Cybersecurity

AEI brings together companies, Research Centres, Universities, and other organizations interested in promoting new cybersecurity technologies.

Robert Half Technology

Robert Half Technology

Robert Half Technology offers a full spectrum of technology staffing solutions to meet contract and full-time IT recruitment needs.

Sasa Software

Sasa Software

Sasa Software is a cybersecurity software developer specializing in the prevention of file-based network attacks.

Cybernetic Global Intelligence (CGI)

Cybernetic Global Intelligence (CGI)

CGI is a global IT Security firm that helps companies protect their data and minimize their vulnerability to cyber threats through a range of services such as Security Audits and Managed Services.

Clearswift

Clearswift

Clearswift is trusted by businesses, governments and defense organizations globally for its Adaptive Cyber Security and Data Loss Prevention solutions.

Applied Security (APSEC)

Applied Security (APSEC)

APSEC provides products and services in the areas of encryption, digital signature, authentication and data loss prevention.

FirstPoint

FirstPoint

FirstPoint has developed the market’s most advanced solution for securing cellular devices, including mobile phones and IoT products, by blocking malicious data leakage.

Innova

Innova

Innova is Turkey's leading IT solutions company, providing platform independent solutions to organizations in telecommunication, finance, production, public and service sectors.

Atakama

Atakama

With Atakama, data remains encrypted until the very moment it is used, and the ability to decrypt is based on zero trust architecture.

International Cyber Threat Task Force (ICTTF)

International Cyber Threat Task Force (ICTTF)

The International Cyber Threat Task Force is a not-for-profit initiative promoting the ecosystem of an International independent non-partisan cyber security community.

Department of Homeland Security (DHS)

Department of Homeland Security (DHS)

The Department of Homeland Security has a vital mission: to secure the nation from the many threats we face. Our duties are wide-ranging, but our goal is clear - keeping America safe.

Omdia

Omdia

Omdia is a technology research and advisory group. Our deep knowledge of tech markets combined with our actionable insights empower organizations to make smart growth decisions.

Fortress SRM

Fortress SRM

Fortress SRM protects companies from the financial, operational, and emotional trauma of cybercrime by improving the security performance of its people, processes, and technology.