February 13, 2023
How exactly can cyber insurance help advance the cybersecurity of a critical infrastructure owner’s IT-OT environment? As an initial matter, it’s important to emphasize that simply having a cyber insurance policy does not make a company safer. Instead, an enhanced cybersecurity posture results from going through the cyber insurance application and underwriting process. That process provides a huge opportunity for better cyber collaboration and, as a result, enhanced risk management. Stated another way, cyber insurance can bolster a critical infrastructure company’s cyber preparedness across the board in the face of unpredictable threats and unknown potential consequences.
To provide coverage, brokers and underwriters need information about an applicant’s cyber risk posture. Brokers seek that information to tell a client’s “story” to the market – specifically, how a client is addressing cyber risk, the lessons it’s learned, and how it’s applying those lessons. Stories that show steady risk management improvement over time help brokers make an effective case for coverage. For their part, underwriters take on all the risk. In other words, they’re the companies that pay out when a bad cyber day happens. Unsurprisingly, they want as much certainty as possible about an applicant’s cyber position before they issue a policy.
How does all this play out? As a company begins completing a cyber insurance application, it needs to come to consensus on several core questions:
What are our business critical functions, and what key assets support them?
Who owns those assets within our organization, and who’s responsible for them operationally?
What are our cyber strengths and weaknesses vis-à-vis those assets, and what are we currently doing to address gaps?
What physical security improvements, if any, should we make to better secure our IT and OT assets?
And finally, how should we improve to ensure that we not only survive a cyber incident but also thrive in its aftermath?
As corporate leaders on both the IT and OT sides of the business collaborate on their answers, the criticality of certain assets becomes clear. Once that happens, the business case for protecting them – for the good of the entire company – becomes dramatically more persuasive. Funding is then more easily justified.
All these benefits result as a critical infrastructure company’s broker builds the company’s cybersecurity narrative. That narrative ultimately covers where its cybersecurity has been in the past, its current posture based on lessons learned, and where its cybersecurity program will go in the future to keep ahead of risk over time. Having that story down pat is a huge differentiator. It signals that an applicant is at a higher level of cyber maturity and is likely a safer cyber risk as a result of its assessments, awareness, and actions. The broker then brings that story to the insurance market, advocating on the applicant’s behalf for the best terms possible.
For their part, underwriters consider that narrative before asking their own sets of questions of applicants. While underwriters routinely pay out cyber insurance claims, they understandably want to limit losses whenever possible. Their questions accordingly often reflect very real losses that their existing clients have suffered. Put simply, they want to know what an applicant’s plan is to address particular threats and vulnerabilities of which they are acutely aware. The benefit to critical infrastructure companies is straightforward: underwriter questions provide essentially free insight into what types of incidents are actually happening to their peers and similar companies. Companies can then use that insight to update their own cyber strategies and fortify themselves accordingly – whether they buy a policy or not.
If a company does choose to buy a cyber insurance policy, these risk management benefits continue. Policies renew every 12 months, an annual process that typically requires an insured to answer new sets of questions that reflect the changing cyber risk landscape. This helps focus the company on any needed cybersecurity improvements that, if implemented, further bolster its narrative to the market. In short, cyber insurance helps support a virtuous cycle of cybersecurity improvement that keeps up with the times.
Kevin Edwards, 703-653-0596, email@example.com