Cyber insurers are essential in improving cyber resilience through collaboration, improvement, monitoring

SecurityScorecard said in a post for the World Economic Forum (WEF) that the cyber insurance industry has an important role in building and sustaining a global ecosystem of cyber resilience. However, cyber insurers and the organizations they insure lack a standardized framework for measuring cyber resilience. Instead, they rely on industry benchmarks for resource allocation and on outdated techniques for quantifying cyber risk.

As cyber incidents continue to spike in frequency and intensify in their disruptive impacts, it is clear that higher cybersecurity spending does not necessarily drive better cyber maturity, Mike Wilkes and Anna Sarnek, executives at security rating company SecurityScorecard, wrote in a WEF post. “Insurers have intimately experienced the effects of immature risk assessment methods when insuring organizations over the past two years, as the top 20 cyber insurers have recently posted record high loss ratios,” they added.

With the increased demand for cyber insurance, insurers are now positioned (and financially motivated) to influence the implementation of cyber resilience standards as part of an improved risk assessment methodology, the WEF post added.

Asked whether this post signals a shift in focus from cyber protection to building cyber resilience, Gerry Kennedy, CEO at Observatory Strategic Management, told Industrial Cyber that such a shift starts with building a mindset of IT & OT ‘civil defense,’ which begins on ‘Main Street’ globally. The OT (operational technology) sector covers the backbone of industrial automation systems that control a nation’s electricity grid, water and wastewater, pharmaceuticals, oil and natural gas, transportation, chemicals, pulp and paper, discrete manufacturing, and so on.

Gerry Kennedy, CEO at Observatory Strategic Management

“They need to educate that these issues are two distinct things and stop using the term ‘cyber,’” according to Kennedy. “They need to help various industries help propagate the narrative. This is what we have been doing in the insurance sector,” he added.

Asked how feasible it is for the critical infrastructure sector to build cyber resilience, Kennedy said that it must first build the ‘Rosetta Stone’ that teaches IT & OT professionals to ‘speak the same language.’

“We have seen IT people being thrust into OT environments, which is difficult at best, because of the breakdown of communications,” according to Kennedy. Offering an example from a manufacturing setting, he said: “An IT person hears a loud bang in a manufacturing plant… the IT person utters ‘What was that?’ Now in the same scenario, an OT person hears a loud bang in a manufacturing plant… The OT person says ‘Oh wow, I know what that is!’ This is mitigation of IT & OT functional illiteracy and it is a big problem,” he added.

IT & OT resilience starts with inventorying the liabilities and mapping out the basics of ‘What does this thing do?’ Kennedy called this a Pre-Loss Strategy. “The identification of what we call possible maximum losses is critical. The reaction time to an OT event is critical to prevent further loss, and the inventory of the liabilities and those persons accountable for its management will afford a level of early warning and definitive post-loss assessment,” he added.

Asked what mechanism cyber insurers use to apply continuous monitoring practices and tools that ensure an enhanced cyber posture in the industrial environment, through metrics such as security ratings, Kennedy said that because the problem is so widespread, all insurers, not just cyber insurers, are exposed to IT and OT data infiltration and exfiltration liabilities.

“Get all carriers and reinsurers in the room with the underwriters who are on the front lines and leave the ‘Mahogany Row’ types in the hallway, while the tough questions get asked,” Kennedy said. “Assemble a panel of IT & OT professionals with the underwriters and let them just talk. What will transpire is – the tech stack, the IT & OT people know so well, will intersect with the legal stack and that is where the policyholders gain the most they ever got from an insurance policy… real-time results,” he added.

Kennedy also said that the monitoring will come from the ‘unfettered’ reporting of incidents by policyholders (incidents, not claims, to avoid the negative connotations). “It is the reporting where the formation of the DNA of this problem will be deciphered. As for security rating/indexes, they will inherently coalesce just by doing all of the aforementioned,” he added.

The SecurityScorecard executives want cyber insurers to collaborate with governments, regulators, and organizations to continuously improve and to prioritize actions based on current exposure to attacks. The post also suggests that cyber insurers encourage organizations to follow this order of operations by proposing improvement plans and applying continuous monitoring practices and tools that ensure an enhanced cyber posture, tracked through metrics such as security ratings.

Additionally, the authors recommend that cyber insurers use and share intelligence with ecosystem players and law enforcement during an incident to speed reaction and reduce recovery times, thereby minimizing risk.

The authors also said that increased demand for cyber insurance means insurers are positioned and incentivized to influence the implementation of cyber resilience standards as part of an improved risk assessment methodology. In their view, cyber insurers play an important role in improving cyber resilience through collaboration, improvement, monitoring, quality, and intelligence.
