Insurance Providers Demanding Cyber Security Assurance – Who’s Got Your Back?
July 26, 2021 | Robert Bergman
In his recent hearing before the U.S. Senate, Colonial Pipeline CEO Joseph Blount reported that he had filed a $4 million claim against his cyber security insurance policy and expects it to be successful. Colonial Pipeline is one of a growing number of companies that have purchased cyber security insurance over the past decade or so, but, thanks to the prevalence and effectiveness of ransomware, future buyers may find insurers charging higher premiums and demanding more assurance that customers have taken adequate preventative and resilience measures.
CISA welcomes cybersecurity insurance as a way to help companies mitigate losses from cyber incidents such as data breaches, business interruption, and network damage. The agency believes it can potentially give companies an incentive to implement best practices in order to get lower rates. It notes, however, that many companies forgo available coverage because of the perceived high cost, confusion about what policies cover, and uncertainty as to whether their organizations would ever suffer a cyberattack, despite the data showing this likelihood increasing every year.
A market in flux
The prevalence of ransomware attacks has complicated the situation. According to a recent Washington Post article, ransom payments from companies increased 341 percent to a total of $412 million during 2020, and claims have gone up 300 percent. The size of a ransom payment has quadrupled from about $12,000 at the end of 2019 to $54,000 at the beginning of this year. Hackers have also started stealing and dumping sensitive files from their victims if they aren’t paid promptly.
This is pushing rates up as much as 50 percent and causing underwriters to base rates on cyber security controls a company may have implemented. Complicating matters, industry consultant James Turgal told the Post that he has encountered ransomware hacks in which attackers have targeted companies specifically because they have insurance.
Tech Crunch reports that the U.S. cyber insurance market has grown from about 10 insurers to 50 that provide stand-alone cyber insurance policies. Some also provide risk management and post-breach services, including loss-prevention measures and remediation tools. But, as Tech Crunch also reports, quantifying an organization’s posture and risks is a challenge for underwriters because they have little credible historical data or visibility into a prospective client’s history or preventive practices. Such uncertainty is resulting in higher premiums and limited coverage. Some insurers are requiring clients to prove their cyber security protection capabilities before writing a policy.
Further, Tech Crunch reports uncertainty among buyers about how much insurance they need. Where policies have typically been in the one hundred to two hundred thousand dollar coverage range, some companies have reported damages in the billions of dollars.
Insurers as prevention partners
The market dynamics are driving at least some of the innovation for which CISA is hoping. Late last year Microsoft’s M12 venture fund, for example, joined Qumra Capital and five other venture groups in investing in At-Bay, a start-up insurer that differs from other insurers by monitoring the perimeter of its customers’ networks and alerting them to security risks or vulnerabilities. The approach is intended to reduce risk by preventing network intrusions and data breaches before they happen, avoiding losses for the customer while reducing insurance payouts.
At-Bay monitors clients throughout the lifetime of their policy. Its security team reviews prospective clients during the underwriting process, augmenting that review with the company’s own security scanning technology and risk models. With that deeper insight into a prospect’s security, At-Bay can underwrite more confidently, providing better coverage at lower cost.
Any insurer looking for guidance in evaluating the cyber resilience of companies dependent on industrial control systems (ICSs) should download our white paper, Securing ICS. It provides the most comprehensive ICS evaluation guide ever made available publicly. It includes 90 evaluation criteria in the areas of engineering, installation, commissioning, maintenance, cyber security and system design, along with a methodology for weighting them. This is a unique tool for anyone involved in specifying — or insuring — a DCS, PLC, PAC, RTU, or ICS. An actuary’s dream!