For U.S. critical infrastructure businesses, such as utilities, telecommunications and water suppliers, the threat of cyberattack is a growing and persistent concern. According to the Ponemon Institute, cyberespionage attacks have risen 38% since 2010. For cyberinsurance providers seeking to accurately assess risk for U.S. critical assets, it is becoming increasingly clear that a comprehensive, holistic approach is required.
Impact of market forces on risk
Critical infrastructure companies fulfill an important role in facilitating business. Unlike the private industry, these firms are both physically and virtually exposed by the very nature of the services they provide. As market forces evolve, so too does the risk of exposure for these companies.
Operating distributed and complex infrastructures requires energy companies to pursue long-term, cost and technology-efficient investments in equipment. Those investments in efficiency, both legacy and current, have created more dynamic vulnerabilities that closely match the security trends of traditional IT networks. With the range of risks increasing, from disgruntled employees to hacktivists, and the public policy pressures growing, energy companies must seek an improved method of addressing these exposures while reducing and transferring risk appropriately.
Additionally, operational risks stemming from reliance on outsourced services and complex supply chains continue to complicate strategic risk management. These business relationships often exacerbate privacy liability and extend external dependencies, thereby increasing vulnerability. These exposures compound security risks and create opportunity for increased liability–a tangled web for infrastructure companies that delicately balance serving public needs with security.
The changing face of cyber-threats
When thinking about cyber-threats, most people think about a virus developed by a lone hacker trying to access financial information for personal gain. While that scenario is realistic, today's cyber threat has become far more complex and more challenging to identify. Consider that hackers gained entry to Target's customer data via an unsuspecting HVAC supplier.
For infrastructure companies, the danger of a cyberattack is also far more threatening. Imagine the potential damage and loss that could result from a malicious attack targeting water management, energy or gas production facilities. In such circumstances, insurance generally covers equipment damage resulting from the cyber event, but there is a host of other financial consequences following an attack.
It's these potential catastrophic scenarios that are forcing infrastructure businesses to take a closer look at their security profiles in order to make informed risk-management decisions.
This is where cybersecurity insurance can help infrastructure companies identify and reduce their risk exposure, while reducing their own potential for financial burden. In the course of policy development, underwriters must assess a potential insured's risk. Traditionally, this process is limited to a questionnaire completed over the phone. The data gathered is not validated, nor is there any third-party evaluation. This process is simply insufficient to properly assess a company's risk profile.
When assessing cyber-risk, insurers must consider every possible avenue of exposure. Security is neither a single act, nor a vendor sensor; it is a collection of activities that harmonizes corporate investments in people, technology and process. This perspective guides the holistic assessment methodology, as well as the domains that must be evaluated for risk: insider threat, data security, mobility and physical security, and internal and external business processes. The maturity of existing security policy, procedure and governance is assessed, and organizational resources are prioritized based on the severity of vulnerabilities identified across the multiple threat vectors.
The value of holistic enterprise risk assessment
Leveraging enterprise security risk assessment methods, cybersecurity insurers can gain a realistic understanding of a potential insured's holistic risk posture. For critical infrastructure companies, this offers a two-fold benefit by highlighting necessary business investments made in the public interest, while also generating information about high value security investments that are aligned with real business decisions. Herein lies actionable intelligence that supports infrastructure companies' needs to balance their investments to both meet market demands and also reduce risk.
These benefits extend to existing policy holders, as well. For example, enterprises can use an annual policy stipend toward holistic security assessments that provide actionable intelligence to assist in the enhancement of their security awareness and preparation. Further, the insured can benefit from improved decision-making on resource allocation against high-risk areas, thereby maximizing the value of existing security investments and reducing risk exposure. Combined, this can reduce the probability of future loss and ensure that the policy holder's value is preserved.
For critical infrastructure companies, holistic assessments illustrate the capabilities and limits of their security mechanisms, facilitate their selection of appropriate insurance coverage relative to their customized risk profiles, and recommend investments in additional controls where the return on investment is warranted, such as transitioning from a lower maturity level to a higher one in a priority area.
With Executive Order 13636, it has become incumbent on all public and private organizations to proactively share and defend U.S. critical infrastructure from potential cyber-threats. In this vein, insurance providers are in a unique position to play a role in helping to protect critical assets by engaging in holistic risk assessments that enable risk-informed decisions by their clients with regard to their risk tolerance.
As the patchwork of traditional insurance coverage is transitioning to exclude "cyber" from existing property & casualty, errors & omissions, professional and privacy liability policies, presenting a holistic security assessment is central to establishing stronger proportional links between insurance premiums and customers' validated security profiles.
Want to continue reading?
Become a Free PropertyCasualty360 Digital Reader
Your access to unlimited PropertyCasualty360 content isn’t changing.
Once you are an ALM digital member, you’ll receive:
- Breaking insurance news and analysis, on-site and via our newsletters and custom alerts
- Weekly Insurance Speak podcast featuring exclusive interviews with industry leaders
- Educational webcasts, white papers, and ebooks from industry thought leaders
- Critical converage of the employee benefits and financial advisory markets on our other ALM sites, BenefitsPRO and ThinkAdvisor
Already have an account? Sign In Now
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.