Cyber Insurance For Industrial Companies - Its Complex

Determining if a company is insured against the consequences of a cyber attack isn't as straightforward as it seems. The rise in cyber attacks has led insurers to reduce coverage, leaving companies uncertain about their protection level - if they can get coverage at all. Understanding the complexity of cyber insurance therefore requires a quick look backwards. 

Until the mid-2010s, specific insurance against cyber attacks was uncommon. When companies were hacked, they would typically claim damages from insurers under their property insurance. This situation became known as "silent cyber, " since cyberattacks were neither mentioned in insurance policies nor explicitly excluded.

This ambiguity became untenable with the rise of ransomware and the 2017 Wannacry and Notpetya attacks.

Pharmaceutical giant Merck, heavily affected by Notpetya, filed $1.4 billion claims under its “all-risk” property insurance, which were initially denied. The case led insurance authorities to start raising concerns that insurers could be unknowingly exposed to massive claims. It wasn't until 2023 that Merck won the case in court.

Acts Of War

In response, insurers began explicitly excluding cyberattacks from property insurance contracts, with some offering specific cyber risk policies and others ceasing coverage.

This did not stop the cyber insurance market from rapidly growing, with global premiums ballooning from $2 billion in 2015 to $12 billion in 2022. They could reach $33 billion by 2027. Even then, the market seems woefully undersized to absorb the consequences of a systemic cyber-attack, which could lead to trillions in damages.
For companies, identifying which cyber-attacks are covered can prove difficult. With Russia-affiliated groups emerging as major cybercrime actors, insurers like Lloyd’s of London have indicated they could consider their exploits as state-sponsored attacks or acts of war, thereby denying coverage. Some court cases, like the one involving automotive distributor Inchcape, have also hinged on whether insurers should cover indirect costs that result from a cyber attack, such as hardware replacement, forensic analysis or PR.

Rising Premiums & Difficulty Getting Coverage

The rise in cyberattacks has also sent premiums skyrocketing: according to Marsh’s market index, prices doubled every year between 2019 and 2021.

These hikes reflect the fact that attacks have become so commonplace that pay-outs are a near certainty. According to Trend Micro, 89% of companies in the electricity, oil and gas and manufacturing sectors saw their operations impacted by a cyber attack in 2022.

To reduce risk, insurance companies often rely on a drastic selection process. Companies can expect to answer several hundred questions detailing their cybersecurity policies, the data they store and business continuity plans.

Insurers also consider past breaches and industry risks and use ratings from firms like BitSight or GuideWire to rate a company’s cyber hygiene. Such processes have left scores of companies excluded from the market: according to insurer Aviva, only 14% of SMEs in the UK - and 3% in Scotland - were insured against cyber attacks.

Industrial Companies Are At A Disadvantage

The uncertainty regarding coverage and premiums has led some companies to self-insure. In September 2022, seven major European groups including BASF, Airbus and Michelin, formed MRIS, a mutual insurance company. Their decision reflects the disadvantage industrial companies face in obtaining cyber insurance.

Insurers calculate premiums by asking companies to describe the cybersecurity measures that apply to their IT devices, such as laptops and servers, but also to their industrial equipment, such as industrial control systems or SCADA systems. Those often lack rudimentary security measures such as password encryption or multi-factor authentication. 

In addition, because modern industrial facilities run 24/7, companies have greater difficulties patching vulnerabilities. A recent survey by the European Cybersecurity Agency (ENISA) showed that two-thirds of companies in the energy sector, for example, needed more than a month to patch a critical vulnerability and one in ten more than six months.

Reducing Risks To Reduce Costs

This situation shows that, while insurance companies may be excessively risk-averse, companies also need to elevate their cybersecurity practices to reduce their exposure. In the past year, cyber attacks that specifically target Internet of Things (IoT) devices, for example, have increased by 400% according to Zscaler, a cybersecurity firm. This represents a significant concern as the mobility of malware can facilitate movement across different networks, potentially endangering critical OT infrastructure.

To obtain coverage and drive down prices, industrial firms can take several measures. They must first audit their IT systems and operations to identify vulnerabilities and priorities to make operations more resilient.

They should particularly focus on creating a detailed inventory of all endpoints and cross-referencing these with databases like NIST's National Vulnerability Database to assess risks in their operations and enhance resilience among other things.

Insurance questionnaires will also require detailed information on network segmentation, risk management, recovery plans, and third-party vendor relationships. Although perfecting and documenting these processes is labour-intensive, it is central to reducing insurance costs - as well as the impact of cyber-attacks.

Lastly, companies, whether insured or seeking coverage, should understand their policy's conditions and exclusions, particularly regarding what constitutes acts of war or state-sponsored attacks. All too often, these questions are only asked after a cyberattack has struck - sometimes in the courtroom.

Edgardo Moreno is Executive Industry Consultant at Hexagon Asset Lifecycle Intelligence 

Image: Poca Wander Stock

You Might Also Read:

The Need For OT-centric Cyber Security Strategies:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

 

« Cybersecurity, Volt Typhoon & The Grid
Defending Against These Common Types Of Cyber Attack »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Infosecurity Europe, 3-5 June 2025, ExCel London

Infosecurity Europe, 3-5 June 2025, ExCel London

This year, Infosecurity Europe marks 30 years of bringing the global cybersecurity community together to further our joint mission of Building a Safer Cyber World.

iLand

iLand

iland is a global cloud service provider of secure and compliant hosting for infrastructure (IaaS), disaster recovery (DRaaS), and backup as a service (BaaS).

Internet Storm Center (ISC)

Internet Storm Center (ISC)

ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with ISPs to fight back against the most malicious attackers.

National Cyber Security Centre (NCSC) - Switzerland

National Cyber Security Centre (NCSC) - Switzerland

The National Cyber Security Centre is Swizerland's competence centre for cybersecurity and the first contact point for businesses, public administrations, and the public for cyber issues.

Qatar Computing Research Institute (QCRI)

Qatar Computing Research Institute (QCRI)

QCRI perform cutting-edge research in such areas as Arabic language technologies, social computing, data analytics, distributed systems, cyber security and computational science and engineering.

California Cybersecurity Institute (CCI) - Cal poly

California Cybersecurity Institute (CCI) - Cal poly

The CCI provides a hands-on research and learning environment to explore new cyber technologies and train and test tactics alongside law enforcement and cyberforensics experts.

Kobil Systems

Kobil Systems

Kobil is a pioneer in the fields of smart card, one-time password, authentication and cryptography.

TitanHQ

TitanHQ

TitanHQ offers ultimate protection from internet based threats and powerful Web filtering functionalities to SMBs, Service Providers and Education sectors around the World.

LUCY Security

LUCY Security

LUCY is the answer when you want to increase your IT security, maintain your cyber security awareness, or test your IT defenses.

Gytpol

Gytpol

Gytpol is a leader in Endpoint Configuration Security (ECS) solutions, providing validation, remediation & securing of IT Policies and IT Infrastructure on-premise and in the cloud.

Cyber Polygon

Cyber Polygon

Cyber Polygon is an annual online exercise which connects various global organisations to train their competencies and exchange best practices.

Delfigo Security

Delfigo Security

Delfigo Security, a pioneer in intelligent authentication, provides a strong, multi-factor authentication solution to prevent identity theft and reduce fraud.

Foretrace

Foretrace

Foretrace aims to prevent, assess, and contain the exposure of customer accounts, domains, and systems to malicious actors.

InfoSecTrain

InfoSecTrain

InfoSecTrain are a leading training and consulting organization dedicated to providing top-tier IT security training and information security services to organizations and individuals across the globe

Securitybricks

Securitybricks

Securitybricks specialize in cloud security and compliance. Our mission is to automate regulatory compliance backed by human validation.

National Critical Information Infrastructure Protection Centre (NCIIPC) - India

National Critical Information Infrastructure Protection Centre (NCIIPC) - India

NCIIPC's mission is to protect the Critical Information Infrastructure of India, from unauthorized access, modification, use, disclosure, disruption, incapacitation or destruction.

Nexsan

Nexsan

Nexsan offers versatile and robust data storage solutions tailored to adapt seamlessly across a diverse range of sectors, ensuring reliable performance for critical data management.