Cyber insurance is a $20-plus billion industry, with sources indicating that direct written premiums in the U.S. market account for a big chunk of that, according to the National Association of Insurance Commissioners. Cyberattacks are driving that growth, naturally, bolstered by the relentless stream of ransomware and data breaches.
Cyber insurance is also a key risk management driver inside the enterprise, yet this is still a relatively nascent facet of the insurance industry. On this episode of the Nexus Podcast, Pankaj Goyal, Chief Operating Officer of Safe Security, joins to discuss the nuances of protecting OT environments, and how cyber insurance must adapt as OT and cyber-physical systems are connected online and increasingly exposed to attackers.
"Insurance is a data problem. So if you look at insuring a home, what the underwriters or the cyber insurance carriers need is a history of what has happened in that particular zip code, what has been the construction costs, what has been the historical losses," Goyal explained. "And based on that, they can project the future and they can make intelligent decisions about your premiums, your coverages, and so on. Now, cyber insurance compared to other platforms."
Cyber insurance for OT, in essence, is still catching up to the rest of this chunk of the market.
"Now cyber insurance compared to other principles or lines of insurance is relatively new. So the data is limited—and it is frustrating," Goyal said. "It has been frustrating over the last four to five years where the insurance industry has basically in many ways it is driving blind. They want more data."
Carriers and brokers need data in order to understand gaps in the IT/OT environment, and how third-party risk impacts your overall security program.
"Based on that, the underwriters can make more intelligent and better decisions in terms of coverages, in terms of premiums," he said, adding that there is good and bad risk that must be considered. For example, access to data about actual controls within an environment informs a provider's risk calculation much better than irrelevant or insufficient anecdotal data.
Goyal sees a rapid expansion of the OT environment, bolstered by connectivity and third parties. He also sees OT as a fragmented ecosystem that lags behind IT in terms of security investments.
"The easiest way I understand this is that OT is much closer to the human life compared to IT. IT is closer to the digital life, the data, but OT can cause, and we have unfortunately seen many examples where OT can cause bodily injuries in a couple of cases, even human deaths, system failure, and so on," Goyal said. "So the level of impact is much more physical, much more close to our hearts and it creates a lot of noise, especially for mission-critical systems."
This risk dynamic is attracting sophisticated attackers and even criminal gangs motivated by profit.
"As a result, from an attacker perspective, especially if your motivation is beyond financial, then OT systems will be on your radar. And I think that's what we are seeing," Goyal said. "And as a result, insurance companies are also trying to understand the OT environment better because from their coverage perspective, from the risk perspective, OT might be equal or even actually contributing more to the risk that the insurance companies are underwriting."
Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.