                        How to Jump-Start the Cyber Insurance Market to Drive Better OT Security

                        Written by Mark Baggett

                        Experts have been predicting for decades that the insurance industry would eventually help drive better private sector cybersecurity practices by pricing premiums based on cyber risk.

                        The idea is similar to the way insurance carriers encouraged businesses to adopt fire suppression technology and consumers to buy automobiles with safety features such as seatbelts and airbags.

                        Unfortunately, the cyber security insurance market is growing more slowly than many would like and is unable to adequately provide the market incentives for better security hygiene that some envisioned. An article published last year in the IEEE Security & Privacy Journal concluded:

                        “Cyber insurance appears to be a weak form of governance at present. Insurers writing cyber insurance focus more on organizational procedures than technical controls, rarely include basic security procedures in contracts, and offer discounts that only offer a marginal incentive to invest in security.”


                        Cyber security risk management: A warning from tomorrow

                        This opinion is shared by many U.S. government policymakers and is highlighted in a more recent report produced by the bipartisan Cyberspace Solarium Commission. The commission released a comprehensive report on the state of cybersecurity in IT and OT systems in March 2020.

                        The commission was established by the 2019 National Defense Authorization Act, and its members include cyber experts, private sector representatives, members of Congress, and senior government officials. The report, titled A Warning from Tomorrow, makes more than 75 recommendations for improving U.S. cybersecurity and infrastructure resilience.

                        The authors are clear in their concern regarding the vulnerability of U.S. critical infrastructure and note that a major cyber-attack on that infrastructure would “create chaos and lasting damage exceeding that wreaked by fires in California, floods in the Midwest, and hurricanes in the Southeast.”

                        There is a lot to digest in the report, but one of the more interesting themes is the recognition that the cyber insurance market is not maturing fast enough to adequately drive better cyber risk management decisions in the private sector. The report notes:

                        “A robust and functioning market for insurance products can have the same positive effect on the risk management behavior of firms as do regulatory interventions. Although the insurance industry plays an important role in enabling organizations to transfer a small portion of their cyber risk, it is falling short of achieving the public policy objective of driving better practices of risk management in the private sector more generally. The reasons for this failure are varied but largely come down to an inability on the part of the insurance industry to comprehensively understand and price risk…”

                        The report goes on to state: “For insurance to act as a de facto regulator of organizational behavior, the market for insurance must accurately price risk. Premiums and limits on insurance products must also drive firms that have bought insurance to invest in improving their cyber risk posture.”

                        Leveraging insurance carriers to regulate “organizational behavior” is attractive because they can act economy-wide and take the place of government regulatory mandates that are often cumbersome to create, update, and enforce. Unfortunately, according to the report, insurers currently have little incentive to drive customers to better manage their cybersecurity risk.

                        “Currently, the estimated worldwide value of cyber insurance premiums sits at $7.5 billion. For context, in 2017 property and casualty insurance premiums were worth $275.5 billion in the United States alone. Because insurers can either assume their inherited cyber risk with little threat to their overall solvency or pass this risk along to reinsurers in the form of derivatives, they have little incentive to push the entities they insure to manage that risk.”

                        So how to fix this market disconnect? The report has several concrete recommendations.

                        Cyber risk modeling

                        The report calls for the creation of a public-private partnership on cyber risk modeling. The partnership would bring together insurance companies and cyber risk modeling companies to collaborate, share information, and develop more accurate cyber risk models.

                        This group would be tasked with identifying “areas of common interest so that these entities can benefit from one another’s risk modeling efforts, particularly with regard to dependency mapping and the consequences of cyber disruptions.”

                        Insurance Certifications

                        To address the lack of pricing tools to improve overall cyber risk management practices in the private sector, the report recommends that the Department of Homeland Security launch a federally-funded research and development center (FFRDC) to shepherd cooperation with state regulators in developing certifications for cybersecurity insurance products and to develop training for underwriters and claims adjusters.

                        In the U.S., individual states often set minimum standards that insurance products must meet in order to be offered in their state. These standards are typically legislated as consumer protection laws. The report recommends that “working with state insurance regulators and the public-private working group on pricing and modeling cyber risk, the FFRDC should develop cybersecurity product certifications based on a common lexicon and security standards.”

                        Underwriter certifications are currently available for numerous areas of coverage, including homeowners, flood, life, and health. The report recommends that the FFRDC work with insurers, state regulators, and cybersecurity risk management experts to develop training courses for cyber insurance underwriters with the goal of creating a cyber insurance underwriter certification. It also recommends that the FFRDC lead a similar team to develop training and certification models for cyber claims adjusters.

                        Cyber Reinsurance

                        The report calls for the exploration of government-backed reinsurance to cover catastrophic cyber events. The federal government fills this role currently in some instances through the Treasury Department’s authority to designate cyber events that trigger the Terrorism Risk Insurance Act (TRIA) protections.

                        The Further Consolidated Appropriations Act, 202 directed the Government Accountability Office (GAO) to assess the current state of insurance for cyber-related incidents. The report supports that study and suggests that GAO bring in other agencies of the federal government to inform that activity.

                        Protecting OT: Cyber liability insurance

                        All OT owners and operators should fully understand the degree to which they are covered for cyber outages in traditional policies and cyber policies. Organizations with significant OT footprints should support the commission’s recommendations and should also consider actively collaborating on the cyber risk modeling initiative. Improving risk modeling should become a core component of industry information-sharing activities. Critical infrastructure providers are well-positioned to benefit from and contribute to a more rapid maturation of the cyber insurance markets and should work proactively to achieve this goal.
