Sensible use of cybersecurity insurance for OT protection
The risk of cyberattacks on digitalised systems is often underestimated.
The right OT (operational technology) cybersecurity solution is still the best protection against cyberattacks, reports cybersecurity company TXOne in a press release. Nevertheless, cybersecurity insurance is an essential part of OT cybersecurity risk management, as it is a challenge for risk managers in companies to recognise and combat all threats. If all defence measures fail, cybersecurity insurance can be used to cover losses and help companies to repair the damage.
These insurances are often seen as a risk transfer strategy, a trend towards risk minimisation that is also becoming increasingly prevalent in the information technology sector. Although the market for OT cybersecurity insurance is still relatively small, it is growing rapidly. OT cybersecurity provider TXOne Networks explains what to look out for in cybersecurity insurance and where its advantages and limitations lie.
In the past, IT cybersecurity focussed on the protection of third-party data and liability for data protection. However, cybercrime has evolved and recent attacks have shown a clear shift towards more direct threats, such as ransomware, business or reputational damage and even physical damage. Ransomware has become the weapon of choice for attacks on OT environments, and cyber attackers can now acquire plug-and-play ransomware kits on the dark web, contributing to increased incidents through so-called Ransomware-as-a-Service (RaaS). These targeted attacks could particularly affect vulnerable small and medium-sized businesses, which could face longer downtimes, higher business interruption costs, increased litigation and legal penalties.
Not all losses are covered by insurance
Although victims of ransomware receive some compensation through cyber insurance, it should be noted that not all losses are covered. Exclusions may be included in an insurance policy, such as exclusion clauses for war, terrorist threats, intellectual property infringement, bodily injury or property damage. There are still problems affecting the development of the cyber security insurance market. Clear standards must therefore be established to solve these problems and thus improve the accuracy of risk assessments and the reliability of cybersecurity insurance. This must be understood and taken into account when deciding on such insurance.
It is increasingly likely that companies with poor IT or OT cybersecurity will receive less favourable insurance prices and conditions or no insurance at all. For example, insurance companies examine whether organisations meet certain cybersecurity guidelines, security controls and certain basic requirements. When assessing the need for insurance, insurers typically focused on different information - for example, the amount and type of data processed by the applicant, OT infrastructure or IT/OT security budgets. They also took into account some more difficult to quantify information, such as whether the insured answered questions based on the current threat level and whether there were professionals involved in relevant cybersecurity work. For example, insurance companies assess companies' cyber security risks to decide whether to offer insurance and to set premiums.
The risk of cyber attacks is often underestimated
Both policyholders and insurance companies are often confronted with a challenge: The actual risk of cyber attacks on digitalised physical systems is often misunderstood or underestimated. In order to develop a better awareness of such risks, both parties need to better understand and recognise the actual risks of OT attacks.
Firstly, clear requirements for OT cyber security need to be defined. Established insurance providers have begun to require their customers to adhere to robust security practices in light of the rapid increase in claims. In the OT sector, however, these cybersecurity requirements are not clear. While there are specific OT frameworks and guidelines such as IEC62443, insurance companies and policyholders still need to adapt the foundation to meet the specific endpoints, processes and risks of OT systems.
Secondly, a proactive approach to the management of OT systems is needed. Currently, most OT environments are not adequately managed, especially those OT-based production systems running outdated operating systems. These systems are often not properly patched, have inconsistent backup practices and lack effective measures against supply chain attacks. To ensure continuous operations at production sites, factories need to seamlessly integrate endpoint detection and proactive defence solutions that cover both old and new OT devices. This integration should enable effective security analysis of each device and detect anomalous behaviour that could compromise operational reliability and stability.