Managing the costs of OT cyber insurance

Cybersecurity insurance is a major aspect of risk management for many companies as attacks against operational technology increase. Four safeguards against ransomware are highlighted.

By John Livingston August 22, 2021

Cybersecurity insurance is an increasingly important weapon in the risk management arsenal of today’s enterprises. Unknown just a decade ago, these popular policies now offer organizations a crucial hedge against risks that defy routine assessment, planning and mitigation tactics.

Even the most diligent of risk registers typically lack accounting for devastating events like the recent exploitation of Microsoft Exchange on-premises products, or the sweeping compromise of 18,000 SolarWinds customers. The explosive growth of ransomware, along with sophisticated, well-funded attacks leveraging critical zero-day exploits has made insurance a must-have element of any mature cyber risk management strategy.

The oft-forgotten element in such cybersecurity coverage, however, is operational technology (OT). Even as threats to critical controls systems grow exponentially, cyber insurance underwriters have been slow to update rating tables to incorporate growing cyber-physical risks. Organizations, likewise, often fail to adequately account for OT and industrial control system (ICS) risks and basic controls in their overall assessment strategies.

As the world becomes an increasingly more dangerous place, particularly for organizations with a mix of IT and OT/ICS environments to protect, cyber insurance premiums are spiking and the qualifications for comprehensive policies are getting more rigorous at a time when enterprises need quality coverage more than ever.

Cyber insurance coverage costs on the rise

For the past decade, the cyber security insurance market matured slowly. Costs remained low thanks to a growing pool of buyers and limited historical claims data. Over the past three years, however, premiums rose significantly in lock step with the number of claims being filed and the magnitude of the losses. A report from advisory firm Marsh McLellan estimates 2021 rates for cybersecurity insurance will increase up to 50%; the market for cyber insurance could double over the next three to four years.

Claims, particularly those due to ransomware and related business interruption costs, are driving the spike in premiums. Insurers now limit coverage specifically for ransomware to control their losses which total more than $20 billion in ransomware claims to date. Overall, Marsh McLellan estimates cybercrime costs will top $10.5 trillion by 2025.

In a report from the Institute for Security and Technology, Coalition, a cyber insurance firm, said ransomware attacks now account for most cybersecurity insurance claims. In the first half of 2020, Coalition saw a 260% increase in ransomware attacks among its policyholders, with the average ransom demand rising 47% to an average of $338,669. Elsewhere in the report, ransomware incident response specialist Coveware reported average downtime due to ransomware now tops 21 days.

OT attacks highlight cyber-physical risks

This growth in ransomware is a real threat to OT systems. The 2017 Wannacry/NotPetya event that impacted Merck, Mondelez, Maersk and others was an expensive warning shot across the bow that cost companies like Merck almost $1 billion and racked up insured losses of some $3.6 billion on both affirmative and non-affirmative (silent) covers globally.

Manufacturing is now the second most targeted industry behind financial firms, increasing from eighth in 2019. Attackers have discovered the profit potential derived from locking up manufacturing systems. Examples of recent attacks demonstrate in stark relief the industry’s plant-days lost to the scourge of ransomware.

With the risk in attacks come severe downtime for plants due to the targeted shutdowns. Courtesy: Verve Industrial[/caption]

Ransomware attacks are even more costly in industrial control systems where the price of not paying means lost production as well as additional expenses for building or acquiring new systems if the ransom is not paid — or as is often the case, the recovery post-payment is not 100% effective.  The increasing ransomware costs during 2020 correlate with the increased number of cyberattacks on manufacturing and industrial systems.

The insurance risks from OT cyberattacks don’t stop with ransomware. Cyber-physical systems carry the unique added risks of damage to the physical plant and threats to personnel safety.

“The potential for physical perils represents a major turning point for the broader cyber (re)insurance ecosystem,” a recent Lloyd’s insurance report on OT threats warns. “This risk has previously been considered unlikely to generate insured losses with cyber perils traditionally emerging in the form of non-physical losses. However, as bridges are being built between IT and OT and there is increased automation and greater sophistication of threat actors seeking new avenues to create disruption, incidents are increasingly likely.”

Lloyd’s lists a set of potential additional risks for different classes of insurance:

Lloyd’s Class of Business Potential Scalability to Core Classes
Accident & Health Potential impacts to A&H, Medical Expenses, and PA for any locations that suffer property damage and fires or explosions.

Product Recall could be a significantly exposed class, particularly if a defective component is the point of failure.

Aviation Limited, in the context of the scenarios explored.
Casualty Treaty Significant potential impacts, particularly around contributing classes such as Employer’s Liability and Product Liability.
FinPro Casualty Significant potential exposure to Cyber, D&O, and Professional Indemnity.
Other Casualty Some possible exposure for other classes such as General Liability.
Energy Depending on the target industries, Energy Property and Liability could be significantly impacted by such a scenario.
Marine Limited, in the context of the scenarios explored.
Other Specialty Engineering could be significantly exposed. Other bespoke products that could conceivably be triggered include Extended Warranty, Legal Expenses, and Terrorism.
Property (D&F) Significant potential exposure to large risks, with conceivable impacts to binder business with proximity to those impacted sites.
Property Treaty Significant potential exposure to large risks, with conceivable impacts to binder business with proximity to those impacted sites.

The growing recognition of the combined risks from ransomware and cyber-physical impacts is driving increased rates for operators of industrial control systems. And the risks and threats are only increasing.

Four safeguards against ransomware

Cyber insurance providers and their policy holders must work together to ensure continued cost-effective coverage for cyber-physical systems and the attendant risks. Key action items include:

1. Determining potential threats from OT cyber risks. Policy holders generally miscalculate potential impacts from cyber threats to their cyber-physical systems. Insurers may have provided “silent risk” coverage without understanding their real exposure. Both sides need to better understand risks from an OT attack. This requires an assessment of the security maturity of the environment as well as the potential threat vectors and impacts from different scenarios.  Such an assessment requires a deep view of assets, networks, policies and, procedures —then mapping those vulnerabilities to impacts both financial and physical.

2. Developing and monitoring clear OT cybersecurity baseline requirements. Baseline requirements are becoming standard for IT security. In the past, some cybersecurity insurers viewed a lack of security baseline requirements as a selling point. However, the rapid rise in claims is causing a shake-out of those providers. More mature insurance providers typically require clients to adhere to strong baseline security practices, which can significantly reduce the disruption caused by a ransomware attack. However, in OT, these cyber baselines are much less clear. While guidance such as or more specific OT frameworks like IEC62443 do exist, insurers and insureds will need to adjust the baselines to address the unique devices, process, and risks posed by OT systems.

3. Taking a more proactive approach to OT systems management (OTSM). Most OT networks are not “managed” today. They run legacy operating systems, patches are often not deployed, and backups may or may not be effective. Formal OTSM is necessary to maintain baseline requirements for an efficient cybersecurity insurance market. Broad adoption of OTSM requires a fundamental shift in the mindset of IT-OT leadership, however. New tools, skills, and procedures will all be necessary.

4. Gathering key data into an OT cybersecurity platform. A comprehensive security platform aggregates the reporting on baseline requirements in a way that provides visibility into ongoing risks. It’s insufficient to simply monitor network anomalies or have plant-level information stuck in local databases. Centralizing OT data into a platform that provides management visibility into risk profiles is a game changer. This management console enables insureds to make the right trade-offs for insurance coverage. Similarly, it provides insurers a way of pricing risk effectively. Certain insurers may even offer discounts for more mature security environments that can be confirmed via such platforms.

“As part of a risk mitigation strategy, syndicates need to monitor the correlation potential for risks stemming from attacks bridging the IT/OT gap,” the Lloyd’s report states. “In practice, syndicates can improve awareness by building a technology inventory for their insureds. This might include identifying leading programmable logic controller (PLC) components and investigating the use of common industrial OT and IoT assets. It is very important for syndicates to focus on procedures as well as components. This should encompass the extent of air-gapping between IT and OT systems, the nature of risk management protocols such as automated patch updates, and the presence of known industrial component vulnerabilities.”

This story originally appeared on Verve Industrial’s websiteVerve Industrial is a CFE Media content partner. Edited by Chris Vavra, web content manager, CFE Media and Technology, cvavra@cfemedia.com.

Original content can be found at verveindustrial.com.


Author Bio: John Livingston leads Verve Industrial's mission to protect the world’s infrastructure. He brings 20+ years of experience from McKinsey & Co., advising large companies in strategy and operations. Recognizing the challenges of greater industrial connectivity, John joined Verve Industrial to help companies find the lowest cost and simplest solutions to their controls, data and ICS security challenges.