The BBC reported yesterday that energy companies "are being refused insurance cover for cyber-attacks because their defenses are perceived as weak." Before cover is offered, applicants must undergo a security audit by the insurance companies, but "the majority of applicants were turned away because their cyber-defenses were lacking."
This is a worrying state of affairs. Over the last few years governments have warned that critical infrastructures are increasingly likely to be attacked by organized crime and even foreign nations – and there is little more critical than a nation's power supplies and nuclear power stations.
"In the last year or so we have seen a huge increase in demand from energy and utility companies," Laila Khudari, an underwriter at the Kiln Syndicate, which offers cover via Lloyd's of London, told the BBC. "They are all worried about their reliance on computer systems and how they can offset that with insurance." What was not clear, she said, was why firms were suddenly seeking cover in large numbers.
It does, however, coincide with three recent developments. Firstly, there is a move within industry to tackle cybersecurity with risk management principles. Two classic risk management options are to mitigate risk (in this instance to improve cybersecurity), and to transfer risk (in this instance by transferring the financial risk to insurers). Clearly, Lloyd's believes that the power industry needs to do more in mitigation before it can rely on transference.
Secondly, cyberthreats are rising. If companies whose systems were designed for the internet suffer so many major breaches, then systems that were never designed to be connected to the internet are fundamentally more vulnerable still.
Thirdly, there is a growing understanding of how the Shodan search engine can be, and is, used to locate vulnerable SCADA systems attached to the internet.
The solution is to concentrate on mitigation before seeking to transfer the remaining risk. "This is a wake-up call for utility firms seeking out insurance against cyber-attacks and increasingly being refused," comments Andy Philpott, an SVP Sales at Websense. "There needs to be a mental shift refocusing from insuring against the aftermath of an attack to preventing it entering the network in the first place. Recent research we've conducted shows that over 70% of security professionals don't trust their current security program."
It could be, however, evidence that the insurance companies are learning lessons faster than the energy companies. "We've said previously," John Yeo, professional services director at Trustwave, told Infosecurity, "that insurers that don't adapt their underwriting practices to better evaluate cyber risk, particularly in the pre-loss context, are likely in for a shock to their loss ratios as organizations will inevitably improve their ability to detect breaches over time. We know that breaches are currently both under-detected and under-reported." As the 2013 Trustwave Global Security Report reveals, on average it took businesses 210 days to detect an intrusion.
"Utility companies effectively operate critical national infrastructure and also happen to be the biggest custodians of PII," he added. "Consider the potential for 3rd party losses if 10s of 1000s of customers were without a utility for a period of time (claims for damages, goodwill restoration costs etc etc)."
"Everyone is well aware of the increasing cyber threat and it is therefore no surprise that more and more organizations are requesting insurance for the eventuality that they will be [a] target," said Ross Brewer, VP and MD for international markets at LogRhythm. "What is a concern, however, is the fact that so many businesses are seeing this as a substitute and are clearly failing to adequately protect themselves as a first port of call – particularly those that manage our national infrastructure."