Thursday, April 3, 2014
So you want Cybersecurity Insurance?
Many years ago I was taught that one can only do three things with risk — eliminate, mitigate or transfer it. With the increase in attacks on automation technologies by those intending to compromise industrial control systems (ICS), such as supervisory control and data acquisition (SCADA) systems, and distribution control and process control networks, the majority of our collective attention has been on the first two areas of risk. Now, with the insurance industry beginning to cover cybersecurity risk, companies will find they can consider the third area, and transfer risk, if their cybersecurity is appropriate to their risk posture.
Lloyd’s of London recently recognized the need to address the potential for property damage or production loss due to a cyberterrorism attack. In February 2014, BBC News reported that the insurer is denying coverage to power companies because of inadequate cyberdefenses. This emerging option for addressing risk will certainly put the onus back on owners and operators of ICS networks to know their risks and to know how effectively their cybersecurity controls are working.
If companies find that this emerging option to transfer monetary risk is an attractive and viable solution to navigating the ICS cybersecurity labyrinth, they should also be prepared to look closely at their operating technology (OT) environments. It’s clear that, as insurance options mature, insurance companies will emphasize risk assessment and control validation.
ICS security pundits argue both pro and con when it comes to the value of conducting detailed risk assessments on OT environments. After all, business value is what we are here to protect, along with personnel and community safety. However, the ability to secure at least a portion of corporate peace of mind by transferring monetary risk to insurance policies should greatly augment the pro side of this risk assessment argument.
If companies want to transfer part of their risk, insurance will help drive the need to prove that their controls are in the right place and working. A formal and repeatable risk-assessment and standards-compliance process, such as the ICS Cybersecurity Assessment program we have pioneered with our current clients, will make that risk transfer feasible.