A story emerged last week which claimed that power companies were being refused insurance cover for cyber attacks.
Specifically because their defences were perceived to be weak, this also came about when underwriters at Lloyd’s of London said that they had seen a “huge increase” in demand for cover from energy firms.
According to the BBC story, any company that applies for cover has to let underwriters and third parties look over their systems to see if they are doing enough to keep intruders out. These assessors look at the steps firms have taken to keep attackers away, deem how software is kept up to date and oversee how networks of hardware can span regions or entire countries.
This seems like a backwards step for the insurance industry. Firstly any business is going to look for growth opportunity and while I am not an underwriter, I would assume that companies will pay big bucks for such insurance and it would make sense for a company to offer it, or maybe I am not really understanding of it.
Also, with stories such as the breaches at Target, Neiman Marcus and Kickstarter all facing different levels of attack, the question has to be asked if cyber security is something that should be considered. After all you get insurance for your car, home and even pets, so shouldn’t protection against a modern method of attack be considered.
In the past if you were attacked and someone knocked your door down and stole a filing cabinet full of customer data, you’d probably consider calling your insurance provider to file a claim to cover the cost of repairs. But if that attack was digital, broke down simple defences and stole a database, then that is a different matter.
Andy Philpott, senior vice president of sales for EMEA at Websense, called this a wake-up call for utility firms seeking out insurance against cyber attacks who were increasingly being refused. “There needs to be a mental shift refocusing from insuring against the aftermath of an attack to preventing it entering the network in the first place,” he said.
“So many companies are still using security technology that is not fit for purpose in today’s threat landscape. Not all security solutions are equal and I would urge companies to do their due diligence. Security defences need to be effective across all stages of an attack, using layered defences to cut across the threat kill chain.”
Ross Brewer, vice president and managing director for international markets at LogRhythm, said that while insuring against cyber attacks may be a sensible route to take now, it should simply be viewed as a precaution, not an alternative to boosting traditional cyber defences.
The concern seemed to be around old protective technology being used to defend IP, and that is hard to assess as companies have different levels of security, unlike the strength of a burglar alarm or door lock.
Chris McIntosh, CEO of ViaSat UK, said that energy firms seeking insurance against cyber attacks shows that the vulnerability of the UK critical infrastructure is finally hitting home, and that cyber attacks “have developed to such a sophisticated level that they should now be viewed on a par with a physical attack on infrastructure, if not more likely”.
I guess the reason that this did become a big talking point is because it is hard to compare one business
es’ security infrastructure with another. So the banking community may be similar if they are global banks but where is the headquarters and which compliance frameworks do they fit into? With regard to energy businesses, the Stuxnet attack of 2010 showed how vulnerable a system can be to a sophisticated attack and should the National Grid face such a challenge, could it hold it off?
Tony Burton, critical infrastructure protection business lead at Thales UK, said that there is growing concern in the energy industry around the security of their infrastructure and its robustness against the modern day cyber attacks.
“Energy firms and other areas of CNI are beginning to face up to this challenge and are increasingly recognising that good security is good business. Energy firms need to commit to investing the time and money in this holistic approach to the security of their operations in our interconnected day-and-age and only then will they restore confidence from prospective insurers,” he said.
It seems that the solution for cyber insurers has been to say no, rather than face the maze of trying to determine individual approvals. To me it seems that it would be better for insurance companies to understand why these companies are asking for this and advise on why they are being rejected, rather than a blanket “no”. To improve security requires a lot of work on the part of everyone.