OT Cybersecurity Insurance: Present Landscape and Future Outlook

Aug 25, 2023

Cybersecurity insurance is an essential part of OT cybersecurity risk management

From a cybersecurity perspective, there are only two types of companies: those that have been hacked and those that will be hacked. For corporate risk managers, identifying and addressing every threat aimed at their organization is a real challenge. In the worst case, when all defenses fail, cybersecurity insurance can cover losses and support disaster recovery. Cybersecurity insurance is therefore viewed as a risk transfer strategy, a form of mitigation that is steadily being adopted in the OT field. Data from the cybersecurity insurance market corroborates our observation that companies now recognize the strategic importance of OT cybersecurity insurance.

Traditionally, IT cybersecurity concerns centered on safeguarding third-party data and privacy liabilities. The landscape has evolved, however: recent incidents show a significant shift towards first-party losses such as ransom demands, business disruption, reputational harm, and even physical harm. Ransomware has become the weapon of choice for attacking OT environments, and threat actors can now buy plug-and-play ransomware kits on the “dark web,” a model known as Ransomware-as-a-Service (RaaS) that is fueling the proliferation of incidents. This surge in ransomware could mean more targeted attacks against businesses, particularly vulnerable small and medium-sized enterprises. If these businesses, which hold sensitive data, are attacked, they face longer downtime, higher business interruption costs, more litigation, and regulatory penalties.

According to a report by Guidehouse Insights, electric utilities saw a 25-30% increase in cyber insurance premiums in 2022, while other types of energy companies in the commercial insurance sector saw their premiums more than double. Guidehouse also predicts that the global cyber insurance market for energy will grow from $102 million in 2021 to $442 million by 2030, a compound annual growth rate (CAGR) of 17.7%, and warns that power plants may face the steepest premium increases. Beyond utilities, we believe that surging demand for OT insurance could extend to other industries, including transportation, critical manufacturing, chemicals, and aerospace. While the OT cybersecurity insurance market remains relatively small, its rapid growth shows that many managers are beginning to recognize its value in their OT cybersecurity strategy.

Understanding Cyber Insurance Policies

Although ransomware victims can sometimes obtain compensation from insurance, not all losses are covered. Many studies discuss how to determine which risks are insurable. In the next section we will explain that several issues are hindering the development of the cybersecurity insurance market, and that clear standards are needed to resolve them. If standards for risk can be established, risk prediction becomes more accurate, which in turn makes cybersecurity insurance more reliable.

Cybersecurity insurance is, of course, a contract between the client and the insurance company. The contract specifies which risks are covered and which are not. Policies commonly include exclusions such as war exclusion clauses, terrorism, intellectual property infringement, physical injury, and property damage.

On the other hand, the amount the insured pays to the insurance company is called the premium. There are roughly two types of coverage, first-party and third-party, and when paying a premium one must pay attention to which type of coverage is needed. First-party coverage primarily covers your own organization’s losses; third-party coverage covers the damages your organization might cause to other organizations.

Table 1: Types of Coverage Provided by Insurance Policies

| Type of coverage | Coverage | Indicative cases |
|---|---|---|
| First party | Recovery cost | Coverage for costs associated with repairing or restoring lost or damaged data and software, such as those resulting from computer attacks or data compromises. |
| First party | Business interruption | Coverage for lost income and expenses arising from business interruption due to a computer network failure. |
| First party | Cyber extortion | Coverage for forensic investigation costs and ransom payments. |
| First party | Forensics investigation and restoration costs | Coverage of costs to investigate and contain the data breach and to restore systems and networks. |
| Third party | Credit monitoring/Call center | Coverage of expenses for a credit monitoring program offered to customers affected by a data breach and costs of call center services to answer customer inquiries. |
| Third party | Multi-media liability | Coverage of costs that relate to the infringement of intellectual property rights and distribution of materials. |
| Third party | Public relations | Coverage of costs for protecting and restoring reputation and public image. |
| Third party | Security and privacy breaches/Fines and penalties/Customer notification costs | Coverage of fines and penalties resulting from noncompliance with personal data protection regulations or breach of third-party business information. |

Source: International Journal of Information Security (2023) 22:737–748

OT Cybersecurity Insurance Preparation and Underwriting Process

To decide whether to accept an insurable risk and establish a corresponding policy, insurance companies employ a process called underwriting. Underwriting usually includes obtaining information on the applicant’s cybersecurity practices, performing risk assessment and quantification, questioning and interviewing the applicant, evaluating the applicant’s business risks to determine insurability, and deciding whether to accept the risk and at what premium.

Firstly, the insured organization needs to provide the insurance company with information that can assist in risk quantification, including:

  • Business overview and mission statement
  • Key stakeholders (information about customers and suppliers)
  • Type of data being processed
  • Detailed information on IT/OT systems and any outsourcing agreements
  • Details of the IT/OT security management system
  • List of existing IT/OT countermeasures
  • Past cyber event records
  • Reports related to IT/OT security management, such as audit reports
  • IT/OT security budget and expenditure
  • Information on past and current insurance coverage
  • Financial records

According to the EU ENISA report, the methods insurance companies commonly use are questionnaires, site visits, and document-based data, with third-party assessments added in a minority of cases; questionnaires are by far the most common. As mentioned in previous sections, we see more and more cases where OT is listed as an exclusion or treated as separate coverage. This means that if an organization wants to insure OT assets, it must submit an additional OT supplement application, even if all cybersecurity work has been completed in the IT environment. Below are examples of evaluation questions:

  • Do you have an OT security policy that includes cybersecurity?
  • Do you maintain a complete and up-to-date, centrally held inventory of your OT assets?
  • Do you employ individuals whose primary responsibility is OT cybersecurity?
  • Is your OT environment segmented from your Information Technology (IT) environment(s)?
  • Is your OT environment segmented from the Internet? If yes, how is the segmentation implemented?
  • Do you permit employees remote access to your OT environment? If yes, do you enforce multi-factor authentication (MFA) for employee remote access to your OT environment?
  • Do you permit third-party remote access to your OT environment? If yes, do you enforce MFA for third-party remote access to your OT environment?
  • Do you have a defined process for identifying OT devices with critical cybersecurity vulnerabilities and patching or updating those devices?
  • Do you have any OT assets exposed directly to the Internet?
  • How do you assess and monitor security in your OT environment?
  • Does your OT security monitoring feed into a Security Operations Center?
  • Do you include non-Windows assets, such as network devices and embedded devices?
  • Do you have a vulnerability and patch management process? If you cannot apply patches, can you describe what compensatory control measures you have?
  • Is your antivirus software updated?
  • Do you maintain backups – at least monthly or when significant process changes are made – of your OT environment?
  • In the past year, have you successfully tested the ability to recover your OT environment from backups?

The examples above are not new: whether you use NIST CSF, ISO 27001, or IEC 62443, you will find similar requirements, such as asset inventories, network topology maps, tabletop exercises, vulnerability and patch management, access control, network segmentation, and other protective measures. There are also evaluations of detection capabilities such as OT monitoring, of the ability to respond to OT cybersecurity events through policies and procedures, and of recovery through backups, including whether those backups are up to date. The point is that the evaluation items in the OT supplement do not appear out of thin air; they usually come from internationally recognized best practice frameworks, and we can rely on those frameworks when considering how to meet the requirements. Many organizations started using these frameworks in the IT area years ago and are now beginning to adopt them in the OT area.

The Claims Process for OT Cybersecurity Insurance

Finally, there’s the cybersecurity insurance claims process. This process might differ from company to company, but the typical steps include:

  • Policyholders pinpointing a cyber event that falls within their policy’s coverage
  • Reaching out to their insurance provider
  • Seeking guidance from legal advisors who, in tandem with the insurer, will direct the technical experts like forensic analysts; or the policyholders may liaise with a firm specializing in incident response that merges legal, forensic, and additional services
  • The forensic experts delving into the details of the incident
  • The communications team managing both internal and external messages to curtail reputational harm and meet necessary notifications
  • The recovery team striving to revert systems to their regular status
  • Collaboration between the policyholder and the insurer to activate the coverage

Navigating claims has its challenges. For one, breaches are not always easy to detect, and some may only become apparent much later, which complicates the claims procedure. Furthermore, a detailed forensic investigation is required both to lodge and to validate a claim. This adds to the responsibilities of the insured and requires liaising with multiple parties; on occasion it can lead to the incident becoming public knowledge, which could tarnish the company’s image. If there is ambiguity about what the insurance covers, a policyholder might weigh these factors before submitting a claim. How sensitive details are shared depends on which stakeholders are engaged. For instance, if a lawyer oversees the investigation, attorney-client privilege may protect its confidentiality, so the results may not be put in writing and may only be shared orally.

Evolving Trends and Future Perspectives of OT Cybersecurity Insurance

According to WTW research, OT and cybersecurity risks have long been accepted by the property insurance market. At the time, however, the market classified risks by physical and non-physical property, created separate products for non-physical risks (such as data loss and intellectual property loss), and so established cybersecurity liability insurance clauses. Since 2017, ransomware and supply chain attacks on OT assets have surged, for instance WannaCry and Petya/NotPetya, which caused direct physical asset loss (including IT and OT assets ceasing to function).

The four major cybersecurity events occurring after 2020 are:

1. The security vulnerability in SolarWinds’ Orion software
2. The Microsoft Exchange incident
3. The attack on Florida’s water treatment facility
4. The ransomware attack on a well-known pipeline company

These game-changing events undoubtedly accelerated the transformation of the cybersecurity insurance market. OT cybersecurity incidents typically involve high investigation costs, long-term business interruption, significant ransom demands, hefty recovery costs, and difficulties replacing assets. Insurance companies are therefore paying closer attention to OT cybersecurity risks and adding exclusions and limitations to many policies. (Re)insurers are responding rapidly to the changing risk landscape, allocating capacity more cautiously and raising prices. We also note that governments (such as the United States) are actively supporting market growth by increasing insurance risk pools and capacity and promoting competition, with the ultimate aim of lowering prices.

Accelerating IT/OT Cybersecurity Risk Modeling

According to an analysis report by the U.S. Cyberspace Solarium Commission (CSC), sound, well-functioning insurance products have a positive effect on the risk management behavior of private sector enterprises, similar to regulatory intervention. However, the insurance industry has been unable to fully understand and price OT risks, mainly because there are no standards or frameworks for pricing cybersecurity risk. This leaves companies in an opaque environment when purchasing insurance and weakens insurance as a driver of better cybersecurity behavior. For the insurance industry to become a de facto regulator of organizational behavior, the market must price risk accurately: the premiums and limits of insurance products must drive insured enterprises to invest in improving their IT/OT cyber risk posture. Although many insurers still lack the high-quality data sets and models needed to understand, price, and mitigate cybersecurity risk, some have begun to collaborate with cyber risk modeling companies under the guidance of government task forces, compiling and using the available statistical data to develop more accurate cybersecurity risk models.

Differentiating Insurance Operations

It is now increasingly likely that companies considered to have poor IT or OT cybersecurity hygiene will be offered less favorable prices and terms, or no insurance at all. As insurers respond to rapid changes in risk, capacity (independent of price) is becoming scarcer. Insurers have also begun to check whether organizations meet specific cybersecurity frameworks, security controls, and certain basic elements (such as the NIST Cybersecurity Framework and the IEC 62443 family of standards). When assessing an applicant, different insurers focus on different information: many look mainly at the amount and type of data the applicant handles, and also pay attention to factors such as OT infrastructure, stakeholders, and IT/OT security budgets. They also consider information that is harder to quantify, such as the insured’s view of cybersecurity management, because they want to know whether the insured answers questions based on the current threat situation and whether experts are involved in the relevant cybersecurity work. Insurers assess an applicant’s cybersecurity risk to decide whether to provide coverage and at what premium. The applicant, for its part, should review its level of risk exposure and existing security controls, aiming for lower premiums or better coverage, so that it obtains insurance at a reasonable price and in line with its overall OT cybersecurity strategy.

Insurance Underwriters, Claim Handlers, and Product Certification

Despite the important role the insurance industry plays in helping organizations transfer risk, traditional property and cybersecurity insurance policies seek to implement new wording to eliminate the widespread underwriting risk of “silent cyber” (i.e., the policy does not specifically state the compensation scope of a cybersecurity incident), and significantly increase exclusions. Therefore, any “exclusion” or “change” language added to an OT cybersecurity insurance plan must be carefully analyzed to ensure maximum coverage for key OT cybersecurity risks.

To overcome this barrier, the shortage of skilled cybersecurity underwriters and claim handlers needs to be addressed. Insurer certification already applies to many underwriting areas, including home, fire/flood, life, and health insurance, and cybersecurity insurance should be treated the same way. The U.S. CSC analysis report therefore suggests that a federally funded research and development center (FFRDC) collaborate with insurance companies, national regulators, and cybersecurity risk management experts to develop training courses for cybersecurity insurance underwriters and claim handlers.

At the same time, product certification for cybersecurity insurance, that is, certification of insurance products against a common vocabulary and security standards so that only products meeting minimum standards can be sold, helps protect consumers.

Strengthening Cybersecurity Reinsurance to Respond to Catastrophic Cybersecurity Incidents

One of the biggest controversies in OT cybersecurity insurance has been how to respond to catastrophic incidents, such as the attack on a well-known pipeline company, which paid a ransom of four million dollars but suffered an economic impact of two to three billion dollars. Events of this kind often fall under terrorism or war exclusions, which is one of the biggest challenges for OT cybersecurity insurance. Organizations must therefore clearly understand the insurance issues in the OT environment and think specifically about what the company is insuring and what the policy excludes. The U.S. CSC analysis report also calls for government-backed reinsurance to handle catastrophic cybersecurity events.

Simply put, reinsurance is insurance for insurance companies: a method by which an insurer transfers part of the risk it has underwritten to a reinsurer. Specific measures include clarifying that cybersecurity incidents may trigger the protection of the Terrorism Risk Insurance Act (TRIA), and defining more precisely which types of cybersecurity incidents fall within the scope of TRIA protection and which should be borne by insurers themselves. Stronger reinsurance helps insurers diversify risk, increases their stability, and allows them to continue offering large-scale OT cybersecurity insurance.

Conclusion

Policyholders and insurance companies share a common challenge: the actual risk of cyber-attacks on cyber-physical systems is often misunderstood or underestimated. Policyholders miscalculate the potential impact of cyber threats on their systems, and insurers inadvertently take on “silent risks” without fully understanding them. Both parties therefore need a deeper understanding of the real risks of OT attacks.

Firstly, we need to establish and monitor clear baseline requirements for OT cybersecurity. Although the absence of baseline security requirements was once treated as a selling point by some cyber insurers, the rapid increase in claims has led more mature providers to require their clients to adhere to robust baseline security practices. In the OT field, however, these baselines are not yet clear. While OT-specific frameworks such as IEC 62443 exist, insurers and insured parties still need to adjust the baseline to the unique equipment, processes, and risks of OT systems.

Secondly, we need a more proactive approach to managing OT systems. At present, most OT environments are not adequately managed, especially OT assets running outdated operating systems. These assets often lack proper patch deployment, have inconsistent backup practices, and lack effective measures against supply chain attacks. To ensure continuous operation at production sites, factories must integrate endpoint detection and proactive defense solutions that cover both old and new OT devices. Such integration should analyze and establish a security baseline for each device, revealing any anomalous behavior that might threaten operational reliability and stability. TXOne Networks’ Cyber-Physical System Detection and Response (CPSDR) solution can help businesses prevent unforeseen changes, raise alerts, and conduct comprehensive analyses, especially of unexpected system changes, before they impact OT operations. This is crucial for maintaining the baseline requirements of an efficient OT cybersecurity insurance market. It does, however, require a paradigm shift from IT-OT leaders. We believe organizations should harness the unique context and behavior of each OT environment; by doing so, they can issue high-precision early warnings for system anomalies before any threat manifests. Achieving this requires cybersecurity tools, expertise, and methodologies that genuinely address the intricacies of the OT landscape. For example:

a) Security Inspection: Portable Inspector is a removable device that provides malware scanning from an isolated, independent computer. It can detect and remove malware when inserted into the USB port of any Windows or Linux device, without installing software on or rebooting the target system. Portable Inspector can also collect asset information to generate an inventory, increasing IT/OT visibility and eliminating shadow IT/OT. With an AES-256 hardware encryption engine and scanning of all files before they are stored, it ensures that data is free of malware before being securely placed in storage.

b) Endpoint Protection: Stellar employs the Cyber-Physical System Detection and Response (CPSDR) to prevent unexpected system changes before they can impact operations. By analyzing fingerprints at the device-agent level, Stellar prevents any unforeseen alterations to the device, including malware, unauthorized access, accidental configuration changes, and malicious process modifications. Furthermore, uncontrolled peripheral devices can compromise stability and lead to data loss. To address this concern, Stellar provides simple-to-configure controls that mitigate the threat of physical access without complicating daily operations.

c) Network Defense: The Edge series uses auto-rule learning to help organizations automatically generate a network trust list, and lets them create and edit L2-L3 network policies based strictly on which assets need to communicate to do their work, highlighting all suspicious or potentially harmful activity. The Edge series also supports a wide range of industrial protocols and performs deep packet analysis, enabling organizations to block malicious behavior and errors without affecting production line operations. To protect legacy devices and production systems that are exposed through unpatched vulnerabilities, the Edge series uses industry-leading signature-based virtual patching. It also minimizes the time required to configure and manage devices and can be easily deployed in an organization’s existing OT environment.

We also need to aggregate key data on an OT cybersecurity platform. Merely monitoring network anomalies or storing factory-level information in local databases is not enough. Consolidating OT data on one platform lets management see the overall risk situation and make the right insurance choices. It can also give insurers a more accurate way to price risk, and some insurers may even offer discounts to policyholders who can use the platform to demonstrate a more mature security environment. For example:

a) EdgeOne enables centralized management of cyber defense provided by Edge series nodes, even when nodes are distributed across multiple work sites.

b) StellarOne offers a centralized management console for streamlined administration and policy control, empowering smooth management throughout the asset lifecycle from a single pane of glass.

c) ElementOne simplifies security updates for the Portable Inspector device and provides a holistic view for risk assessment during routine scans. This enables the verification of vulnerability status, inventory information, and the generation of malware-free reports.

In conclusion, to improve the accuracy of our insurance choices and reduce “silent risks,” we need a deeper understanding of the risks of OT attacks, and we must formulate and implement effective management strategies and technical solutions accordingly. Clear OT cybersecurity baselines, proactive OT system management, and data consolidation strategies all play important roles in this process.

TXOne Networks
