Rising industrial cyber insurance premiums forced to deal with geopolitical turmoil, cybersecurity challenges

Mounting cybersecurity attacks have directly driven escalating cyber insurance premiums, as industrial and manufacturing organizations cope with increasingly diverse problems, including business interruption, severe and long-lasting operational issues, and reputational damage. Moreover, cybersecurity threats emerging from the current geopolitical situation have further added to the challenges facing these environments as industrial cyber insurance premiums continue to rocket.

The Council of Insurance Agents & Brokers reported this month an average premium increase of 34.3 percent for cyber, marking the first time the line has seen an increase of this magnitude since 9/11. Cyber continued to raise alarm bells across the industry as the rise in premiums for cyber continued unabated in the fourth quarter of last year while the frequency and severity of cyber claims continued to climb. It added that the industry must take steps to confront this unique, constantly evolving risk.

Most common cyber claims have been identified as ransomware attacks, ransomware as a service (RaaS), double and triple extortion methods, business email compromise, social engineering, and hacking and malware attacks that lead to general data breaches. Another identifiable pattern is the formation of highly-organized ‘cyber cartels,’ wherein cybercriminals collaborate on leveraging specialized attack tactics to maximize ransom payouts. 

Industrial Cyber reached out to experts in the industrial cyber insurance sector to estimate the effect of geopolitical turbulence and further escalation of cybersecurity challenges on cyber insurance premiums of operators across the industrial and critical infrastructure sectors.

“Clearly, there is a heightened anxiety about the potential increase in cyber-related attacks upon critical national infrastructure either from motivated state actors not directly involved in the conflict in Ukraine taking advantage of the noise that conflict creates as well as from the protagonists of the conflict,” Jose Seara, founder and CEO at DeNexus, told Industrial Cyber. “However, the trends were already well set: in insurance and capital context; restricted cyber risk capital capacity-driven partly by losses from ransomware and lack of availability of retrocession covers to offset those leaving reinsurers unwilling to make big bets on the cyber class,” he added.  

Jose Seara, founder and CEO at DeNexus

Seara also points out that, at the same time, greater demand for covers and rising premium prices are producing a flight to better quality risks for the limited capacity that is available. “All meaning that organizations who can demonstrate meaningful understanding of their cyber risk through quantification of their values at risk and management of those exposures are more likely to attract cyber covers at reasonable prices than those who can’t,” he added.

From a technical context, “an increasing focus upon industrial technology attacks and greater levels of cloud adoption in pursuit of benefits from digital enablement increase tremendously, the prospect of failures of automation in the management of cloud containers, code libraries and cryptography libraries, all critical to effective cloud operations are definite trends that have direct impact upon the sector,” Seara said. “These factors along with the hard insurance market conditions already well-entrenched serve to cement the trend that cyber risk capital will remain hard to obtain and will be expensive when it can be secured and the sole preserve of better quality risk owners,” he added.

“The effects, as you have pointed out, go far beyond just ‘Cyber Insurance Premiums,’” Gerry Kennedy, CEO at Observatory Strategic Management, told Industrial Cyber. “Cyber insurance is but a small part of the insurance industry as a whole. All lines of insurance are affected by the ubiquity of cyber liabilities,” he added.

Gerry Kennedy, CEO at Observatory Strategic Management

Kennedy illustrated with an example that if the insurance industry sets their rates by defining a Possible Maximum Loss (PML) for exposure of, say, ‘Property Insurance,’ then the OT and ICS exposures have never been inventoried by the property insurance underwriters. “This is actually standard procedure to gain what is known as a ‘Statement of Values’ for Building, Contents and Business income. This begs the question, ‘what about everything else? Where is the Statement of PML’s for the OT devices and the associated IC Software that controls it? What do each and every one of these OT devices do to affect the operations of the business? You cannot know where you are going unless you know where you are,” he added.

“This geopolitical turbulence you ask about can go kinetic and your cyber insurance policy will not address these coverage issues,” Kennedy pointed out. “Just look to the 1984 Bhopal, India, Union Carbide event. That was an OT loss pre-IoT. Cyber Insurance, as you have come to know, is changing markedly and Indemnity for losses as BOD’s have come to cherish will look nothing like it was since the 1990’s,” he added.

“Cyber attacks perpetrated by threat actors provide a means to exact both a political and more importantly an economic toll against another nation-state from a distance, without the expense and atrocities of war,” Rick Toland, executive vice president at Waters Insurance Network, told Industrial Cyber. “These attacks can have devastating consequences on the infrastructure and finances of the affected nation-state,” he added.

Rick Toland, Executive vice president at Waters Insurance Network

“With respect to insurance, these attacks are not just affecting Cyber Liability policies. They are affecting many, if not all policies that are carried by a company,” according to Toland. “Further, it is difficult to quantify where the cyber loss begins, and the property, automobile, GL, pollution or other policy begins and how the financial responsibility of each insurer will be allocated to pay the resulting loss,” he added.

Premiums for cyber liability insurance continue to increase dramatically, while capacity from individual insurers in this space has either been reduced or is being carefully guarded for accounts with risk profiles that fit within the respective insurer’s underwriting appetite, Toland said. “Underwriters for other policies such as Directors & Officers Liability, Errors & Omissions Liability, and others now are adding amendatory exclusions for Cyber Liability, which addresses the ‘Silent, Non-Affirmative’ ambiguities. These exposures will not be mitigated until they are litigated,” he added.

Estimating what has been the typical rise in cyber insurance premiums observed since the Colonial Pipeline ransomware incident, and how much has that altered with the recent geopolitical situation, Seara said that “Year on Year premium increase 2020-2021 was of the order of 32% with no softening of prices evident in the shadow of recent events. As suggested above, the geopolitical tensions serve to cement the trending conditions rather than exacerbate them,” he added.

“The rise in cyber premiums is caused by the fact we must look at the overall true exposures,” Kennedy said. “New exposures require new premiums. The fact that systemic risk is now actually a reality has changed the insurance landscape,” he added.

“I can’t say there is really a typical number or magic range in terms of a rise in cyber premiums since Colonial,” Toland said. Aside from the insurance buyer having a claim, premium increases normally occur when underwriters notice failures at a company to manage or shut down the main threat vectors such as email, web applications, network, accessible endpoints like IoT, etc., where hackers gain entry to a company’s network and do their damage, he added.

“An underlying area where problems manifest themselves is through a disconnect or lack of communication between the Board of Directors, the Tech (CISO, CTO, CIO, etc.) staff and any contracted third-party vendors,” according to Toland. “If all these parties are not working with one another and sharing vital network information in a manner that the board members can understand, you’ll likely end up with not only a Cyber Liability claim but a Directors & Officers Liability claim and possibly personal liability as well for failing to take preventative action to protect the assets and treasury of your company,” he added.

Given the rising cost of cyber insurance premiums brought about by the deteriorating cybersecurity threat landscape and geopolitical turbulence, the impact on smaller industrial and critical infrastructure vendors can be even more demanding.

“Some are not coping in that they are struggling to understand and articulate the scale of their exposures and the prioritization of the risk interventions they are implementing,” Seara said. “For these enterprises, it’s a bleak prospect: increasing threat landscape, poorly prioritized risk interventions and hence less than effective improvements in cyber defense posture and much lower likelihood of securing risk transfer,” he added.

Conversely, for those enterprises that have embraced the need to quantify their values at risk and prioritize their risk interventions based upon reduction of these values at risk, not only are they managing their cyber risk interventions in a more considered manner raising their cyber defense posture, they are also most likely to secure cyber covers on favorable terms, Seara added.

“We have spoken to the smaller industrial and critical infrastructure vendors. They do not have the resources or the time to address these issues,” Kennedy said. “It is exactly here where the insurance industry must step up to reinforce a Civil Defense style mentality for a massively threatened class of business owners. They consist of 28.8 million businesses or 99.7% of all businesses. This represents 56.8 million jobs or 48% of the employed,” he added.

The insurance industry has not developed any robust plan to assist small infrastructure or critical supply chain businesses, Kennedy said. “All you have to do is look at the most recent hack of a Toyota supplier, and that event shut down assembly plants to see why this is so important,” he added.

“The point is ‘Cyber Protection’ that you ask about must leave the realm of what the world has come to know as ‘cyber insurance,’ it is much more,” according to Kennedy. “We pay for coverages within our policies, and the question arises, ‘Are we getting what we pay for?’ So, we must ask our insurance carriers to engage in solutions, not price increases. We must demand coverage without ambiguities that only end up in court and solve nothing,” he added.

With the increase of cybersecurity threats being perpetrated by nation-state actors, smaller industrial and infrastructure companies are finding it extremely difficult to know how and where to allocate the necessary funds to prevent these attacks, Toland said. This can hamper their ability to take on new projects or clients until their threat vectors have been inventoried and steps have been taken to minimize infiltration, he added.

“It appears that too often, companies with limited financial resources come to rely very heavily on their cyber Insurers for answers or to gain access to a suite of third-party professionals that can provide some form of guidance to them,” according to Toland. “However, couldn’t these insurers potentially be considered complicit if the advice from one of the companies within the consultative suite turns out to be problematic? It seems to me that we have multiple parties within the Cyber Insurance Ecosystem that are relying heavily upon other parties for advice and direction, which seems counterproductive to me,” he added.

Toland believes one answer for companies facing this predicament would be to find an experienced and well-known managed services solutions company, who can engage and counsel these enterprises on both a pre-loss strategy basis and post-loss remediation basis under one banner, rather than having to communicate with two or more companies that provide advice on a singular aspect of threat vector reduction or post breach consultation.

NATO has had a requirement of 2% GDP spending on defense, and some other EU non-NATO countries are also falling in line with this now. Asked whether industrial enterprises should be making a similar sort of budgetary commitment for equipment and cybersecurity upgrades, Seara said that budgets clearly are important, but cyber defense spending has generally been seen as a cost rather than a business enabler.

“This is flawed thinking: budgets do need to increase but not without proper understanding behind such increases,” according to Seara. “This means the effectiveness of budgetary allocation for cyber risk needs to be executed on the same basis as for every other category of critical enterprise risk. That is, quantify the value at risk and then, within the context of risk appetite and tolerance, make informed choices about the most effective deployment of risk capital: this is how Boards operate for all other critical risks and management of cyber risk needs to be normalized in the same manner,” he added.  

Seara said that this can only be done by quantifying the cyber exposures then prioritizing those risk interventions that have the most significant effect upon reduction of residual risks. “This may mean technology or governance, spend, but it could equally mean allocation of capital responses, like using the captive for example or of course risk transfer,” he added.

“Emphatically yes. This is exactly where tax credits for cyber solutions must come into play,” Kennedy said. “We have given tax credits for putting forth wind and solar ‘Green Solutions’ as a form of mitigation to climate change. This logic must carry forward into cyber resilience, which equates to national security. This is linear to us at Observatory. Ironically, insurance costs on any business falls between 1% to 3% in the chart of accounts of the overall budget. So, 2% tracks nicely to the NATO figures,” he added.

“The short answer to this question is a resounding ‘Yes.’ However, what is more important than an allocation of funds to combat these cybersecurity events is looking beyond an insurance policy that was purchased to provide protection against a loss of this nature,” Toland said. “I believe it is of significant importance to get the Boards of Directors and the Tech staffs at industrial and critical infrastructure companies working together and rowing in the same direction regarding their respective threat vectors,” he added. 

Finding common ground and affirmatively addressing these threat issues head-on will contribute to the preservation of economic viability not only of these companies but of the nation-state and its people that they serve, Toland concluded.
