Cyber Insurance For Industrial Companies - It's Complex

Determining if a company is insured against the consequences of a cyber attack isn't as straightforward as it seems. The rise in cyber attacks has led insurers to reduce coverage, leaving companies uncertain about their protection level - if they can get coverage at all. Understanding the complexity of cyber insurance therefore requires a quick look backwards. 

Until the mid-2010s, specific insurance against cyber attacks was uncommon. When companies were hacked, they would typically claim damages from insurers under their property insurance. This situation became known as "silent cyber," since cyberattacks were neither mentioned in insurance policies nor explicitly excluded.

This ambiguity became untenable with the rise of ransomware and the 2017 WannaCry and NotPetya attacks.

Pharmaceutical giant Merck, heavily affected by NotPetya, filed $1.4 billion in claims under its “all-risk” property insurance, which were initially denied. The case led insurance authorities to start raising concerns that insurers could be unknowingly exposed to massive claims. It wasn't until 2023 that Merck won the case in court.

Acts Of War

In response, insurers began explicitly excluding cyberattacks from property insurance contracts, with some offering specific cyber risk policies and others ceasing coverage.

This did not stop the cyber insurance market from rapidly growing, with global premiums ballooning from $2 billion in 2015 to $12 billion in 2022. They could reach $33 billion by 2027. Even then, the market seems woefully undersized to absorb the consequences of a systemic cyber-attack, which could lead to trillions in damages.

For companies, identifying which cyber-attacks are covered can prove difficult. With Russia-affiliated groups emerging as major cybercrime actors, insurers like Lloyd’s of London have indicated they could consider their exploits as state-sponsored attacks or acts of war, thereby denying coverage. Some court cases, like the one involving automotive distributor Inchcape, have also hinged on whether insurers should cover indirect costs that result from a cyber attack, such as hardware replacement, forensic analysis or PR.

Rising Premiums & Difficulty Getting Coverage

The rise in cyberattacks has also sent premiums skyrocketing: according to Marsh’s market index, prices doubled every year between 2019 and 2021.

These hikes reflect the fact that attacks have become so commonplace that pay-outs are a near certainty. According to Trend Micro, 89% of companies in the electricity, oil and gas and manufacturing sectors saw their operations impacted by a cyber attack in 2022.

To reduce risk, insurance companies often rely on a drastic selection process. Companies can expect to answer several hundred questions detailing their cybersecurity policies, the data they store and business continuity plans.

Insurers also consider past breaches and industry risks and use ratings from firms like BitSight or GuideWire to rate a company’s cyber hygiene. Such processes have left scores of companies excluded from the market: according to insurer Aviva, only 14% of SMEs in the UK - and 3% in Scotland - were insured against cyber attacks.

Industrial Companies Are At A Disadvantage

The uncertainty regarding coverage and premiums has led some companies to self-insure. In September 2022, seven major European groups including BASF, Airbus and Michelin, formed MRIS, a mutual insurance company. Their decision reflects the disadvantage industrial companies face in obtaining cyber insurance.

Insurers calculate premiums by asking companies to describe the cybersecurity measures that apply to their IT devices, such as laptops and servers, but also to their industrial equipment, such as industrial control systems or SCADA systems. Those often lack rudimentary security measures such as password encryption or multi-factor authentication. 

In addition, because modern industrial facilities run 24/7, companies have greater difficulties patching vulnerabilities. A recent survey by the European Cybersecurity Agency (ENISA) showed that two-thirds of companies in the energy sector, for example, needed more than a month to patch a critical vulnerability and one in ten more than six months.

Reducing Risks To Reduce Costs

This situation shows that, while insurance companies may be excessively risk-averse, companies also need to elevate their cybersecurity practices to reduce their exposure. In the past year, cyber attacks that specifically target Internet of Things (IoT) devices, for example, have increased by 400% according to Zscaler, a cybersecurity firm. This represents a significant concern as the mobility of malware can facilitate movement across different networks, potentially endangering critical OT infrastructure.

To obtain coverage and drive down prices, industrial firms can take several measures. They must first audit their IT systems and operations to identify vulnerabilities and priorities to make operations more resilient.

They should particularly focus on creating a detailed inventory of all endpoints and cross-referencing it with databases like NIST's National Vulnerability Database to assess risks in their operations and enhance resilience, among other things.
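
The cross-referencing step described above, as an added Python example that is not part of the original article. The asset names, vendors, CPE strings and CVE identifiers are constructed placeholders, and the feed records are a simplified imitation of the cpeMatch entries found in NVD CVE records.

```python
# Added example. Inventory, feed records and CVE ids are constructed placeholders.
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    zone: str      # "OT" (plant floor) or "IT" (office)
    cpe: str       # CPE 2.3 name recorded during the endpoint inventory

INVENTORY = [
    Asset("line3-plc", "OT", "cpe:2.3:o:examplevendor:plc_firmware:2.3.0:*:*:*:*:*:*:*"),
    Asset("line4-plc", "OT", "cpe:2.3:o:examplevendor:plc_firmware:2.4.1:*:*:*:*:*:*:*"),
    Asset("hmi-01", "OT", "cpe:2.3:a:examplevendor:hmi_runtime:7.1:*:*:*:*:*:*:*"),
    Asset("eng-laptop-12", "IT", "cpe:2.3:a:examplesoft:vpn_client:5.2.0:*:*:*:*:*:*:*"),
]

# Shaped like the cpeMatch entries in NVD CVE records (fields simplified).
FEED = [
    {"id": "CVE-PLACEHOLDER-0001", "cvss": 9.8,
     "criteria": "cpe:2.3:o:examplevendor:plc_firmware:*:*:*:*:*:*:*:*",
     "versionStartIncluding": "2.0", "versionEndExcluding": "2.4.1"},
    {"id": "CVE-PLACEHOLDER-0002", "cvss": 7.5,
     "criteria": "cpe:2.3:a:examplevendor:hmi_runtime:*:*:*:*:*:*:*:*",
     "versionEndExcluding": "8.0"},
    {"id": "CVE-PLACEHOLDER-0003", "cvss": 8.8,
     "criteria": "cpe:2.3:a:examplesoft:vpn_client:5.2.0:*:*:*:*:*:*:*"},
]

def vtuple(version):
    """Dotted version -> fixed-length int tuple so '2.4' equals '2.4.0'."""
    nums = [int(p) if p.isdigit() else 0 for p in version.split(".")]
    return tuple(nums + [0] * (4 - len(nums)))

def affects(rec, asset):
    r, a = rec["criteria"].split(":"), asset.cpe.split(":")
    if r[3:5] != a[3:5]:                  # vendor and product must match
        return False
    if r[5] != "*":                       # record pins one exact version
        return r[5] == a[5]
    v = vtuple(a[5])
    lo, hi = rec.get("versionStartIncluding"), rec.get("versionEndExcluding")
    return (not lo or v >= vtuple(lo)) and (not hi or v < vtuple(hi))

def findings(inventory, feed):
    hits = [(a, r) for a in inventory for r in feed if affects(r, a)]
    # OT assets first (harder to patch on a 24/7 line), then highest CVSS.
    hits.sort(key=lambda h: (h[0].zone != "OT", -h[1]["cvss"], h[0].name))
    return [(a.name, a.zone, r["id"], r["cvss"]) for a, r in hits]

if __name__ == "__main__":
    for row in findings(INVENTORY, FEED):
        print(*row)
```

The resulting list, ordered by zone and severity, is the kind of evidence an insurance questionnaire asks for when it probes vulnerability management.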

Insurance questionnaires will also require detailed information on network segmentation, risk management, recovery plans, and third-party vendor relationships. Although perfecting and documenting these processes is labour-intensive, it is central to reducing insurance costs - as well as the impact of cyber-attacks.

Lastly, companies, whether insured or seeking coverage, should understand their policy's conditions and exclusions, particularly regarding what constitutes acts of war or state-sponsored attacks. All too often, these questions are only asked after a cyberattack has struck - sometimes in the courtroom.

Edgardo Moreno is Executive Industry Consultant at Hexagon Asset Lifecycle Intelligence 
