The cyber threat is moving from data breaches to global critical infrastructure, an insurance industry-commissioned study shows.
The study, conducted by BAE Systems, covers the evolution of cyber risk in the energy sector and its impact on critical infrastructure businesses in the UK, Europe, US and Canada.
Researchers found that state-sponsored cyber attacks are a serious and evolving threat to power and utility companies.
A survey of energy and utility companies showed that most respondents believe a cyber attack of major significance and impact on critical operational infrastructure is highly likely.
The study revealed that power companies are better prepared to deal with cyber threats to their operational technology than many recent media reports have indicated.
The researchers said these organisations have a good understanding of the cyber threats they face, and that among the biggest challenges energy companies and utilities face are constraints outside their control. These include a lack of adequate and mature technology systems.
In response to the findings, Aegis London has introduced a new breed of cyber insurance for operational technology and critical infrastructure, in addition to cover for data protection and privacy issues.
The company’s CyberResilience product is designed to cover critical operational technology and assets, before and after a cyber attack.
The product combines liability, business interruption and terrorism coverage with a service-based offering that consists of cyber underwriting assessment, risk management consultancy, loss control, threat analysis, incident response and vulnerability management.
This combination of cover and services is important in the light of recent concerns that critical infrastructure suppliers are looking for insurance without taking adequate steps to protect data.
Some representatives of the security industry have accused utility companies of making security trade-offs due to a lack of security expertise and/or inadequate resources to address security.
“Cyber attacks are no longer focused solely on IT environments,” said Alan Maguire, chairman of Aegis London. “Cyber terrorists have turned their attention to operational technologies and the critical infrastructure they support, so we have expanded our coverage accordingly.”
The insurance cover is offered in conjunction with specialised pre- and post-attack services provided by cyber security partners who focus on the critical infrastructure industry.
“Now, for the first time, businesses can obtain secure and reliable cyber insurance cover and service-based offerings for both operational and information technology,” said Maguire.
David Croom-Johnson, active underwriter at Aegis London, said: “We believe that vulnerabilities in and threats to operational technology have the potential to lead to business interruption or significant loss of operating capability and availability.
“These represent some of the most acute organisational risks currently facing critical infrastructure, which is why we developed CyberResilience. However, this is only our first step in evolving a complete suite of products and services around global critical infrastructure cyber security,” he said.
Rick Welsh, head of cyber insurance at Aegis London, said cyber risks are one of the biggest challenges the insurance industry faces today.
“Improving the security posture of critical infrastructure industries such as the energy sector is paramount,” he said.
According to Welsh, the insurance product acknowledges the need to understand and underwrite the relationship between industrial control systems and enterprise networks without disregarding the impact of data security and privacy liability.