Building a Resilient World:
The ISAGCA Blog

Welcome to the official blog of the ISA Global Cybersecurity Alliance (ISAGCA).

This blog covers topics on automation cybersecurity such as risk assessment, compliance, educational resources, and how to leverage the ISA/IEC 62443 series of standards.

The material and information contained on this website is for general information purposes only. ISAGCA blog posts may be authored by ISA staff and guest authors from the cybersecurity community. Views and opinions expressed by a guest author are solely their own, and do not necessarily represent those of ISA. Posts made by guest authors have been subject to peer review.


Jump-Start the Cyber Insurance Market to Drive Better OT Security

Experts have been predicting for decades that the insurance industry would eventually help drive better private-sector cybersecurity practices by pricing premiums based on cybersecurity risk.

The idea is similar to the way insurance carriers encouraged businesses to adopt fire suppression technology and consumers to buy automobiles with safety features such as seatbelts and airbags.

Unfortunately, the cybersecurity insurance market is growing more slowly than many would like, and is unable to adequately provide the market incentives for better security hygiene that some envisioned. An article published last year in the IEEE Security & Privacy Journal concluded:

“Cyber insurance appears to be a weak form of governance at present. Insurers writing cyber insurance focus more on organizational procedures than technical controls, rarely include basic security procedures in contracts, and offer discounts that only offer a marginal incentive to invest in security.”

A Warning from Tomorrow

There is a lot to digest in the report, but one of the more interesting themes is the recognition that the cyber insurance market is not maturing fast enough to adequately drive better risk management decisions in the private sector.

This opinion is shared by many U.S. government policymakers, and is highlighted in a more recent report produced by the bipartisan Cyberspace Solarium Commission. The commission released a comprehensive report on the state of cybersecurity in IT and OT systems in March 2020.

The commission was established by the 2019 National Defense Authorization Act, and its members include cyber experts, private sector representatives, members of Congress, and senior government officials. The report, titled A Warning from Tomorrow, makes more than 75 recommendations for improving U.S. cybersecurity and infrastructure resilience.

The authors are clear in their concern regarding the vulnerability of U.S. critical infrastructure and note that a major cyberattack on that infrastructure would “create chaos and lasting damage exceeding that wreaked by fires in California, floods in the Midwest, and hurricanes in the Southeast.”

The report notes:

“A robust and functioning market for insurance products can have the same positive effect on the risk management behavior of firms as do regulatory interventions. Although the insurance industry plays an important role in enabling organizations to transfer a small portion of their cyber risk, it is falling short of achieving the public policy objective of driving better practices of risk management in the private sector more generally. The reasons for this failure are varied but largely come down to an inability on the part of the insurance industry to comprehensively understand and price risk…”

The report goes on to state: “For insurance to act as a de facto regulator of organizational behavior, the market for insurance must accurately price risk. Premiums and limits on insurance products must also drive firms that have bought insurance to invest in improving their cyber risk posture.”

Leveraging insurance carriers to regulate “organizational behavior” is attractive because carriers act economy-wide and can substitute for government mandates, which are often cumbersome to create, update, and enforce. Unfortunately, according to the report, insurers currently have little incentive to push their customers to manage risk better.

“Currently, the estimated worldwide value of cyber insurance premiums sits at $7.5 billion. For context, in 2017 property and casualty insurance premiums were worth $275.5 billion in the United States alone. Because insurers can either assume their inherited cyber risk with little threat to their overall solvency or pass this risk along to reinsurers in the form of derivatives, they have little incentive to push the entities they insure to manage that risk.”

So how to fix this market disconnect? The report has several concrete recommendations.

Cyber Risk Modeling

The report calls for the creation of a public-private partnership on cyber risk modeling. The partnership would bring together insurance companies and cyber risk modeling companies to collaborate, share information, and develop more accurate cyber risk models.

This group would be tasked with identifying “areas of common interest so that these entities can benefit from one another’s risk modeling efforts, particularly with regard to dependency mapping and the consequences of cyber disruptions.”

Insurance Certifications

To address the lack of pricing tools to improve overall cyber risk management practices in the private sector, the report recommends that the U.S. Department of Homeland Security launch a federally-funded research and development center (FFRDC) to shepherd cooperation with state regulators in developing certifications for cybersecurity insurance products and to develop training for underwriters and claims adjusters.

In the U.S., individual states often set minimum standards that insurance products must meet in order to be offered in their state. These standards are typically legislated as consumer protection laws. The report recommends that “working with state insurance regulators and the public-private working group on pricing and modeling cyber risk, the FFRDC should develop cybersecurity product certifications based on a common lexicon and security standards.”

Underwriter certifications are currently available for numerous areas of coverage, including homeowners, flood, life, and health. The report recommends that the FFRDC work with insurers, state regulators, and cybersecurity risk management experts to develop training courses for cyber insurance underwriters, with the goal of creating a cyber insurance underwriter certification. Similarly, it recommends that the FFRDC lead a comparable team to develop training and certification models for cyber claims adjusters.

Cyber Reinsurance

The report calls for the exploration of government-backed reinsurance to cover catastrophic cyber events. The federal government already fills this role in some instances through the Treasury Department’s authority to designate cyber events that trigger Terrorism Risk Insurance Act (TRIA) protections.

The Further Consolidated Appropriations Act, 2020 directed the Government Accountability Office (GAO) to assess the current state of insurance for cyber-related incidents. The report supports that study and suggests that GAO bring in other federal agencies to inform that work.

Protecting OT

All OT owners and operators should fully understand the degree to which cyber outages are covered under both their traditional policies and any standalone cyber policies. Organizations with significant OT footprints should support the commission’s recommendations, and should consider actively collaborating on the cyber risk modeling initiative. Improving risk modeling should become a core component of industry information-sharing activities. Critical infrastructure providers are well-positioned both to benefit from and to contribute to a more rapid maturation of the cyber insurance market, and should work proactively toward that goal.


A version of this post also appears on the Mission Secure blog. It is republished here with the permission of its author.


Mark Baggett, Mission Secure

With 30 years of experience, Mark Baggett is an industry veteran and industrial control systems (ICS) expert. His expertise stems from the energy sector, where Mark has designed, engineered, and implemented control systems for the industry’s most prominent players, including BP, Total, Shell, Exxon, and ConocoPhillips. Mark’s experience spans the globe with projects across Asia-Pacific, Europe, and North America. As VP of ICS at Mission Secure, Mark leverages his expertise to help operations assess current systems, providing guidance and recommendations to mitigate cyber risks and implement a secure cyber architecture. Mark has managed cybersecurity projects for oil rigs, refineries, pipelines, manufacturing plants, and chemical facilities.

Routinely invited to speak on operational technology (OT) cybersecurity, Mark recently presented in and co-chaired the cybersecurity session at the American Institute of Chemical Engineers’ 2020 Spring Meeting and Global Congress on Process Safety. Previous engagements include the American Petroleum Institute’s Annual Cybersecurity Conference for the Oil & Natural Gas Industry, a U.S. Homeland Security/FBI joint taskforce meeting, and the fall U.S. ICS Joint Working Group (ICSJWG), among others. Mark holds a bachelor’s degree in Secondary Education and frequently teaches control system training courses at San Jacinto College located in Pasadena and Houston, Texas.
