ENISA report explores challenges faced by OESs in EU, when seeking to acquire cyber insurance


As the European Union (EU) rolls out the revision of its first piece of region-wide cybersecurity legislation, the revised regulation aims to achieve a high common level of network and information system security across critical infrastructure installations. It extends the list of sectors within its scope, provides more detail on the entities that must meet the cybersecurity requirements, and will now apply to OESs (operators of essential services) and digital service providers.

According to the NIS Directive, these operators must implement appropriate security measures and report incidents that have a significant impact on the continuity of the services they provide. In addition, digital service providers must notify authorities of incidents that have a significant impact on the availability of their services.

The NIS 2 Directive came into force on Jan. 16, and EU member states have 21 months to incorporate the new provisions into their national legislation.

Marianthi Theocharidou, cybersecurity expert at ENISA

Marianthi Theocharidou, a cybersecurity expert at the European Union Agency for Cybersecurity (ENISA), recently explained to Industrial Cyber that the NIS2 Directive will increase the common level of cybersecurity in Europe and, to this end, expand its scope to new sectors. “One way to achieve this is by setting out the baseline for cybersecurity risk management measures across the sectors that fall within its scope (Article 21).”

She did highlight that the mechanisms and practical procedures still remain to be established. “National authorities will consult each other, and ENISA, together with its stakeholders, will provide support and guidance,” Theocharidou added.

The agency has in recent weeks released a couple of documents that focus on cybersecurity legislation, which is intended to further develop cybersecurity across the EU. ENISA has been working to that end together with Member States to identify best EU practices in line with the provisions of the NIS1 Directive and share them among its stakeholders.

On Thursday, ENISA released a new report that explores the potential challenges faced by OESs in the EU when seeking to acquire cyber insurance. The analysis also explores aspects of cyber insurance from a policy development perspective and suggests recommendations to policymakers and the community of OESs. It discloses that a large proportion of OESs consider cyber insurance less attractive due to increasing prices and decreasing coverage.

The report dives into the ‘demand side’ of the cyber insurance market, applicable to the particular case of OESs. The analysis follows a methodology that integrates desk research, online surveys, phone interviews, data analysis, and recommendations for policymakers. To this purpose, it addresses different segments of the cyber insurance contracting process, namely risk management practices, cyber insurance coverage, claims processes, and the opinions of respondents in key areas such as skills.

A large share of OESs considers cyber insurance less attractive due to increasing prices and decreasing coverage, a view especially prevalent among small entities at a time when ransomware incidents are on the rise. Furthermore, with the current trend of increasing cyber incidents also affecting OESs to a large extent, a majority of them perceive cyber insurance as a service they cannot afford given the high premiums and disadvantageous coverage.

Recently, ENISA and the CERT of the EU institutions, bodies and agencies (CERT-EU) jointly published a report to alert on sustained activity by particular APT (advanced persistent threat) groups, known as APT27, APT30, APT31, Ke3chang, GALLIUM, and Mustang Panda. These threat groups have recently been conducting malicious cyber activities against businesses and governments in the EU.

According to data gathered through a survey targeting 262 OESs across the EU, three in four do not currently have cyber insurance coverage, the latest ENISA document said. The survey also reveals that other risk mitigation strategies are often considered more favorable by OESs. 

Data from both the survey and the semi-structured interviews support these findings. Other key findings of the analysis were that third-party liabilities are the preferred additional coverage that companies would like added to their cyber insurance, and that cyber risk is largely addressed on a qualitative basis. For 77 percent of operators of essential services, there is a formalized process to identify cyber risk, while the remaining 23 percent do not have any such process in place.

On the other hand, 64 percent of OESs do not quantify cyber-risks. Additional risk mitigation strategies were often mentioned as more favorable than risk transfer due to coverage and costs. 

The document also added that motivators behind the decision to contract insurance coverage include coverage in case of a loss as a result of a cyber incident for 46 percent, the requirement by law for 19 percent, and pre-incident or post-incident expert knowledge from insurance companies. Also, 56 percent of respondents declared they considered other risk mitigation tools more effective than cyber insurance.

From a territorial point of view, ENISA identified regional differences in cyber coverage. In western and northern Europe the cyber coverage appears to be the highest at 45 percent, followed by southern Europe at 39 percent, and lastly eastern Europe, with the lowest adoption of cyber insurance at 12 percent. 

For policymakers, the ENISA document recommended implementing guidance mechanisms aiming at improving the maturity of risk management practices of OESs. Specific areas where guidance would be more helpful include the identification of assets, monitoring key metrics, frameworks for risk assessment and quantification, security controls identification, and quantification of risks. 

It also sought to promote the creation of frameworks oriented to identifying and exchanging good practices among OESs, particularly those related to the identification, mitigation, and quantification of risk exposure, and recommended facilitating the exchange of experiences among OESs related to contracting and implementing cyber insurance in different contexts.

Given the heterogeneity of OESs in terms of size, economic sector, and strategic function, the ENISA document warned that the formulation of policy action should be coherent with the specific needs and challenges of OESs as a whole, without losing sight of differences among them. The study shows that OESs tend to prefer self-investment to risk transfer if the prices of cyber insurance are high. 

ENISA called upon policymakers to address the feasibility of more economically sustainable cyber insurance policies by working more closely with brokers. It also recommends strengthening the link between cyber insurance and cybersecurity by making sure that procurement of products, services, and processes certified in the EU – or that have obtained a label associated with those schemes – obtains a higher score in the intake assessment performed by the insurance companies.

Furthermore, the agency suggested fostering initiatives, including standardization and guidance development, to provide elements and assessment methodologies for the quantification of cyber risks, which would also improve awareness and decision-making on the specific areas in which cyber insurance would be the optimal mitigation tool.

The ENISA document also called for steering multi-stakeholder dialogues oriented to improving the clarity, understandability, and comparability of policies by fostering the development of a terminology of reference (taxonomy) for cyber insurance. It also recommends developing collaborative frameworks with public and private partners to enable skills frameworks and programs for cyber insurance, particularly in areas such as risk assessment, legal aspects, information management, and cyber insurance market dynamics.

When it comes to OESs, the ENISA document suggests improving the maturity of risk management practices. Risk management practices related to the identification, mitigation, and quantification of risk exposure would contribute to clarifying cyber insurance needs. It also calls on OESs to consider allocating or increasing budgetary provisions for implementing processes related to the identification of assets, monitoring key metrics, conducting periodic risk assessments, security controls identification, and quantification of risks based on industry best practices.

The document calls upon OESs to improve knowledge transfer and sharing with other OESs, which allows them to learn from good practices when contracting and implementing cyber insurance, to the benefit of these operators. It also calls for improved incident data sharing among sectors, and for improving coverage across digital supply chains, specifically covering third-party liability and managed service providers. As supply chains are digitally connected, coverage for only one participant in the entire chain might not reduce risks sufficiently.

Last week, ENISA also published a report that explores how to develop harmonized national vulnerability programs and initiatives in the EU. Apart from insights on industry expectations, the findings feed into the guidelines ENISA and the NIS Cooperation Group intend to prepare to help EU member states establish their national CVD (Coordinated Vulnerability Disclosure) policies. These guidelines would primarily focus on vulnerability management, dedicated processes, and related responsibilities.
