IT-OT collaboration calls for reconceptualizing cybersecurity insurance
The intersection of IT and OT technology is forcing organizations to re-evaluate their cybersecurity insurance and ransomware response policies, as cybersecurity incidents and ransomware attacks continue to rise.
Organizations are at an inflection point where the potential for cyber threats arising from the prolific use of digital systems to control physical processes brings IT and OT (operational technology) risks closer together. These risks were previously assessed as being unlikely to generate insured losses, since cyber perils traditionally emerged in the form of non-physical losses. However, as bridges are built between IT and OT environments, automation increases, and more sophisticated threat actors seek new avenues to create disruption, such incidents are increasingly likely.
Data released by the U.S. Government Accountability Office (GAO) in May showed that the growing frequency and severity of cyberattacks have led more insurance clients to opt for cyber coverage, rising from 26 percent in 2016 to 47 percent in 2020. Other key trends in cybersecurity insurance include lower coverage limits in high-risk sectors and rising premiums. Industry sources said higher prices have come from increased demand and higher insurer costs from more frequent and severe cyberattacks. In a recent survey of insurance brokers, more than half of respondents’ clients saw prices go up 10 to 30 percent in late 2020.
Another troubling trend, revealed by Trend Micro in one of its recent reports, was that “in the past two years, we’ve seen companies involved in ransomware attacks utilize cyber insurance to deal with the ransom payments.” Cybersecurity insurance is supposed to protect enterprises from the fallout of cyberattacks; however, critics of this system argue that cybersecurity insurance encourages ransomware victims to simply pay the ransom and collect insurance rather than invest in security to deter attackers.
Industrial Cyber spoke to experts in the cybersecurity insurance field to gather their insights and ascertain how the industrial insurance sector has responded to the rising cybersecurity threat level.
“What we are hearing from our customers and insurance partners is that cyber insurance underwriters in general, non-specific to industrial insurance, have begun to respond to rising cybersecurity threat levels at an elevated pace over the last 12 months, at least hardening the market and maybe reducing capacity, and being much more selective with the risks that they are willing to underwrite,” Jose Seara, founder and CEO at DeNexus, told Industrial Cyber.
“Currently, the world’s largest insurers and (re)insurers are investing significant resources into new forms of unit-risk and accumulation-risk modeling to improve their policy pricing, client selection, and capacity,” according to Seara. “But I think it is fair to say that the market is in flux right now. Furthermore, we are seeing some insurance providers emerge specifically to serve the cyber risk market, and eventually, new insurtech companies will be playing an increasing role in the space,” he added.
The reaction to the rising cybersecurity threat levels has largely been confined to losses suffered through ransomware events, which have increased deductibles, pushed out waiting periods, and raised premiums, Rogan Dwyer, chairman of Observatory Holdings and CEO of Waters Insurance Network, told Industrial Cyber. “Coverage has certainly not been enhanced. That being said, insufficient adjustments have been made by traditional property and casualty insurers who have unquantified liabilities on their books from exposure to silent/non-affirmative cyber losses,” he added.
The insurance sector has acted and continues to act inappropriately by not understanding the market or what ‘good’ cybersecurity actually looks like, Andrew Jenkinson, group chief executive officer at Cybersec Innovation Partners, told Industrial Cyber. “They rushed into the market on the promise of market share, and their so-called experts would not know an SSL from a CVE or a Cyber Rated Index.”
“As Ciaran Martin, the previous CEO of the NCSC, said, cyber insurers paying against ransomware claims were perversely fuelling the crime itself,” according to Jenkinson. “I would go further than this: if the ‘victim’, the claimant, were making a claim against a cyberattack and it could be evidenced that they maintained suboptimal websites, servers and web application interfaces connected to the internet, I would refuse the claim and indeed cover,” he added.
Cyber insurance is now considered a must-have and a highly desirable option as part of the overall strategy for organizations that weigh the business interruption, disruption, system replacements, and lost revenues that result from cyberattacks.
Evaluating the basic reservations that insurance companies and underwriters have at contract renewal regarding an industrial enterprise’s cyber-readiness to cope with rising threat levels, Dwyer pointed out that basic underwriting is conducted almost exclusively with IT in mind.
“There is a preoccupation with data security and the financial consequences of a breach which fails to address the more urgent threat to operational security and threat to life and limb,” according to Dwyer. “Underwriters have admitted they don’t have time to review all the data that they could require to prove cyber hygiene best practice, and they are still working on the old traditional model of actuarial analysis almost exclusively. In this day and age, past experience is no indicator of future behavior and threat,” he added.
Insurers’ reservations about covering cyber risk are many, Seara said. “From what risks are insurable to more exclusions, and certainly increasing premiums. They focus more (maybe only) on properly managed and previously mitigated risks, which comes down to organizations with mature cybersecurity and robust incident-response programs,” he pointed out.
“Cyber risk data is scarce and disparate, and the risk is highly dynamic. Unlike other perils like a natural catastrophe, for which insurers have decades of data to accurately predict risk events, cyber risk does not offer reliable datasets that allow insurers to accurately measure it,” Seara added. To compound the challenge for insurers, asset owners and cybersecurity vendors offering intrusion-detection and defense solutions for the ICS, IoT, and OT sectors are either unable or unwilling to share with insurers the critical data required to assess cyber risk more accurately, he noted.
As ransom demands and pay-outs rocket from five-figure numbers into the millions, Jenkinson said that cyber insurance has increased in cost, but not in ensuring security. “I believe rates have increased around 30-40%, but still insurers do not require cyber security evidence. They take the subjective ‘tick box’ approach, which is most unsatisfactory and leads to all sorts of challenges. Recently CNA and other insurers were infiltrated, which led to a spate of their customers suffering a cyberattack. The criminals were now armed with intelligence of not only who was insured, but to what level,” he added.
Having pointed out three years back that cyber insurance needed to mature, and quickly, Jenkinson said that he does “not think it has evolved at all in terms of driving security or behavioral change. Many organisations lean on the fact they have a policy, and that is never brought into question when the inevitable occurs due to clients’ suboptimal websites and servers. Even worse, using insecure DNS, CDN, and cloud providers exacerbates the gaping security holes,” he added.
For large industrial enterprises, the ransom is usually not the big-ticket item, according to Seara. “But it is the signal of a deeper underlying problem or risk that, if covered by the insurance policy, can drive losses or claims into the hundreds of millions, if not billions. So recent events are certainly hardening the market, and we anticipate a complex renewal season,” he added.
Cyber insurance is still being seen by clients as the answer to their risk, as opposed to the response to a loss they might have prevented, according to Dwyer. “In abrogating security responsibilities to insurers and expecting insurers to drive behavior and disciplines, companies are failing to invest the time and effort required to take care of their own security, understand their own particular risks and take corresponding corrective action,” he added.
Cyber insurance coverage and capacity will contract if more is paid out in losses than is taken in as ‘premium.’ “There is a tremendous opportunity in the marketplace for security specialists across the IT, OT and industrial sectors to work with boards of directors and their departments to understand the nature of the risk they face, address it, and in turn drive insurers’ coverage options,” Dwyer concluded.