Cyber security insurance is an increasingly important weapon in the risk management arsenal of today’s enterprises. Unknown just a decade ago, these popular policies now offer organizations a crucial hedge against risks that defy routine assessment, planning and mitigation tactics.

Even the most diligent of risk registers typically lack accounting for devastating events like the recent exploitation of Microsoft Exchange on-premises products, or the sweeping compromise of 18,000 SolarWinds customers. The explosive growth of ransomware, along with sophisticated, well-funded attacks leveraging critical zero-day exploits has made insurance a must-have element of any mature cyber risk management strategy.

The oft-forgotten element in such cyber security coverage, however, is OT (operational technology). Even as threats to critical control systems grow exponentially, cyber insurance underwriters have been slow to update rating tables to incorporate growing cyber-physical risks. Organizations, likewise, often fail to adequately account for OT/ICS risks and basic controls in their overall assessment strategies.

As the world becomes an increasingly dangerous place, particularly for organizations with a mix of IT and OT/ICS environments to protect, cyber insurance premiums are spiking and the qualifications for comprehensive policies are getting more rigorous at a time when enterprises need quality coverage more than ever.

Cyber insurance coverage costs on the rise

For the past decade, the cyber security insurance market matured slowly. Costs remained low thanks to a growing pool of buyers and limited historical claims data. Over the past three years, however, premiums rose significantly in lock step with the number of claims being filed and the magnitude of the losses. According to the Council of Insurance Agents & Brokers, cyber security insurance rates have increased 25%+ per quarter in each of the most recent quarters, and available coverage has decreased from $10M to about $5M in 2021.

Claims, particularly those due to ransomware and related business interruption costs, are driving the spike in premiums. Insurers now limit coverage specifically for ransomware to control their losses, which total more than $20 billion in ransomware claims to date. Overall, Marsh McLennan estimates cybercrime costs will top $10.5 trillion by 2025.

In a recent report from the Institute for Security and Technology, Coalition, a cyber insurance firm, said ransomware attacks now account for most cyber security insurance claims. In the first half of 2020, Coalition saw a 260% increase in ransomware attacks among its policyholders, with the average ransom demand rising 47% to an average of $338,669. Elsewhere in the report, ransomware incident response specialist Coveware reported average downtime due to ransomware now tops 21 days.

Attacks on OT highlight cyber-physical risks

This growth in ransomware is a real threat to OT systems. The 2017 WannaCry/NotPetya event that impacted Merck, Mondelez, Maersk and others was an expensive warning shot across the bow that cost companies like Merck almost $1 billion and racked up insured losses of some $3.6 billion on both affirmative and non-affirmative (silent) covers globally.

In 2021, manufacturing became the number one targeted industry, rising from second in 2020 and eighth in 2019. Attackers have discovered the profit potential derived from locking up manufacturing systems. Examples of recent attacks demonstrate in stark relief the industry’s plant-days lost to the scourge of ransomware.

Most-targeted industries, ranked by year:

Domain                  2021   2020   2019
Manufacturing              1      2      8
Finance & Insurance        2      1      1
Professional Services      3      5      5
Energy                     4      3      9
Retail                     5      4      2
Healthcare                 6      7     10
Transportation             7      9      3
Government                 8      6      6
Education                  8     10      7

Ransomware attacks are even more costly in industrial control systems, where the price of not paying includes lost production as well as the added expense of rebuilding or acquiring new systems — or, as is often the case, where recovery after payment is not 100% effective. The increasing ransomware costs during 2020 correlate with the increased number of cyberattacks on manufacturing and industrial systems.

[Chart: financial impact of ransomware on manufacturing organizations]

But the financial impact doesn’t just affect the company. In the case of Colonial Pipeline, not only did the company lose $4M to a ransomware payment, but the wider economic impact was also estimated at $2-3B. Another question arises: what if Colonial Pipeline were a vendor of yours? Would you be covered?

[Chart: average cyber attack ransom in USD]

The insurance risks from OT cyberattacks don’t stop with ransomware. Cyber-physical systems carry the unique added risks of damage to the physical plant and threats to personnel safety.

“The potential for physical perils represents a major turning point for the broader cyber (re)insurance ecosystem,” a recent Lloyd’s insurance report on OT threats warns. “This risk has previously been considered unlikely to generate insured losses with cyber perils traditionally emerging in the form of non-physical losses. However, as bridges are being built between IT and OT and there is increased automation and greater sophistication of threat actors seeking new avenues to create disruption, incidents are increasingly likely.”

Lloyd’s lists a set of potential additional risks for different classes of insurance:

Lloyd’s Class of Business: Potential Scalability to Core Classes

Accident & Health: Potential impacts to A&H, Medical Expenses, and PA for any locations that suffer property damage and fires or explosions. Product Recall could be a significantly exposed class, particularly if a defective component is the point of failure.

Aviation: Limited, in the context of the scenarios explored.

Casualty Treaty: Significant potential impacts, particularly around contributing classes such as Employer’s Liability and Product Liability.

FinPro Casualty: Significant potential exposure to Cyber, D&O, and Professional Indemnity.

Other Casualty: Some possible exposure for other classes such as General Liability.

Energy: Depending on the target industries, Energy Property and Liability could be significantly impacted by such a scenario.

Marine: Limited, in the context of the scenarios explored.

Other Specialty: Engineering could be significantly exposed. Other bespoke products that could conceivably be triggered include Extended Warranty, Legal Expenses, and Terrorism.

Property (D&F): Significant potential exposure to large risks, with conceivable impacts to binder business with proximity to those impacted sites.

Property Treaty: Significant potential exposure to large risks, with conceivable impacts to binder business with proximity to those impacted sites.


The growing recognition of the combined risks from ransomware and cyber-physical impacts is driving increased rates for operators of industrial control systems. And as discussed in our recent 2021 ICS vulnerability report, the risks and threats are only increasing.

Safeguards against ransomware

Cyber insurance providers and their policy holders must work together to ensure continued cost-effective coverage for cyber-physical systems and the attendant risks. Key action items include:

Determining potential threats from OT cyber risks

Policy holders generally miscalculate potential impacts from cyber threats to their cyber-physical systems. Insurers may have provided “silent risk” coverage without understanding their real exposure. Both sides need to better understand the risks from an OT attack. This requires an assessment of the security maturity of the environment as well as the potential threat vectors and impacts from different scenarios. Such an assessment requires a deep view of assets, networks, policies and procedures, and then mapping those vulnerabilities to impacts, both financial and physical.

Developing and monitoring clear OT cyber security baseline requirements

Baseline requirements are becoming standard for IT security. In the past, some cyber security insurers viewed a lack of security baseline requirements as a selling point. However, the rapid rise in claims is causing a shake-out of those providers. More mature insurance providers typically require clients to adhere to strong baseline security practices, which can significantly reduce the disruption caused by a ransomware attack.

However, in OT, these cyber baselines are much less clear. While general guidance, as well as more specific OT frameworks like IEC 62443, does exist, insurers and insureds will need to adjust the baselines to address the unique devices, processes, and risks posed by OT systems.

Taking a more proactive approach to OT systems management (OTSM)

Most OT networks are not “managed” today. They run legacy operating systems, patches are often not deployed, and backups may or may not be effective. Formal OTSM is necessary to maintain baseline requirements for an efficient cyber security insurance market. Broad adoption of OTSM requires a fundamental shift in the mindset of IT-OT leadership, however. New tools, skills, and procedures will all be necessary.

Gathering key data into an OT cyber security platform

A comprehensive security platform aggregates the reporting on baseline requirements in a way that provides visibility into ongoing risks. It’s insufficient to simply monitor network anomalies or have plant-level information stuck in local databases. Centralizing OT data into a platform that provides management visibility into risk profiles is a game changer. This management console enables insureds to make the right trade-offs for insurance coverage. Similarly, it provides insurers a way of pricing risk effectively. Certain insurers may even offer discounts for more mature security environments that can be confirmed via such platforms.

“As part of a risk mitigation strategy, syndicates need to monitor the correlation potential for risks stemming from attacks bridging the IT/OT gap,” the Lloyd’s report states. “In practice, syndicates can improve awareness by building a technology inventory for their insureds. This might include identifying leading PLC components and investigating the use of common industrial OT and IoT assets.

“It is very important for syndicates to focus on procedures as well as components,” the report adds. “This should encompass the extent of air-gapping between IT and OT systems, the nature of risk management protocols such as automated patch updates, and the presence of known industrial component vulnerabilities.”


Insurance as part of your OT cyber security strategy

As we think about protecting our OT environments, there are many layers of protection we can put in place to stop threats (training, detection, disaster recovery, etc.). But as prepared as we can be, cyber security insurance covers financial losses should we fail to stop cyber-related events.

Insurance spending by industrial organizations is expected to increase significantly. In the industrial segments, it’s about a million-dollar industry and expected to grow annually by 16% in the next decade (according to Guidehouse).

But with increasing coverage comes many challenges/limitations with policies:

  • Silent cyber – Is cyber covered in traditional property and loss insurance? Some policies exclude cyber as it was not initially intended to be covered.
  • OT excluded – As seen with recent attacks on Colonial Pipeline, Maersk and Merck, awareness of the risks to industrial environments has risen, and insurers are requiring control systems to be covered separately.
  • Acts of war – Limits liability arising from any state-backed cyber attacks (e.g. Mondelez), but who/what determines what qualifies as an “act of war”?
  • Physical damage – Is the cyber security insurance responsible for a physical event (e.g. a plant explodes, a wind turbine is destroyed)?
  • Lost profits from outages
  • Impact of third-party supply chain incident

While the cost of insurance is rising and the challenges of obtaining complete OT insurance coverage are increasing, industrial organizations would benefit from finding ways to improve the security controls protecting their OT environments. Many cyber security standards now include insurance as part of their required safeguards. So what requirements do we need to meet to ensure coverage?

Examples of OT supplementary insurance application elements:

  • Do you maintain a complete and up-to-date, centrally-held asset inventory of all OT assets and their software/firmware?
  • Do you have a defined process for identifying OT devices with critical cyber security vulnerabilities and patching or updating those devices? Do you have devices that the OEM considers “end of life” in your environment? For those that can’t be patched, please describe the other compensating controls in place.
  • Is OT segmented from the Internet AND is OT segmented inside the perimeter? If so, how?
  • Do you permit A) employees or B) third parties to remotely access your OT systems? And if so, what security controls are in place? (MFA, monitoring, separate accounts)
  • How do you assess and monitor security in your OT environment? Describe all that apply: A) risk assessments, B) penetration testing, C) IDPS, D) endpoint protection and response or endpoint protection on specific assets
  • Do you conduct backups on a monthly basis (at minimum)? Do those backups include: A) non-Windows configurations, B) offline copies, C) at least annual recovery testing, D) disaster recovery plans?
  • Do you employ individuals dedicated to OT security, and is there a specific budget for OT security?
  • In the last two years, have you conducted OT cyber security tabletop exercises, and did they include ransomware?
  • Do you maintain OT-specific cyber security policies and procedures?

The good news — none of this is “new” as a lot of these requirements look very similar to what cyber security practitioners already see in standards such as NIST CSF or Top CIS Controls. Given the new insurance requirements, Verve recommends a proactive OT systems management approach to address these needs by bringing your OT cyber security program and data into a common platform to demonstrate the answers to these common questions/requirements. Verve has been applying these practices for over 15 years to manage OT security in a similar fashion to IT security.


Watch the full webinar recording here.

Leveraging Insurance in Your Security Strategy

Watch the full session to learn current insurance trends, what controls are and will be required to acquire and maintain coverage on OT systems, and how OT cyber security leaders can work with finance colleagues to ensure proper coverage for OT incidents.
