
Operational technology cyber risk and the insurance paradox

By Ben Di Marco and Anthony Smit | February 8, 2022

How can your organisation protect itself from an increasing likelihood of operational technology cyber events and build effective incident response and recovery strategies?

Effective insurance programs are a critical component of operational technology (OT) cyber resiliency, to support an organisation’s underlying liquidity, reduce downtime, facilitate expert vendor engagement, and offset third party risks.

So, why should this be a focus now for your business? To explain why issues of concern are increasingly coming to the fore, we first need to look at how organisations set up their technology ecosystem.

Many companies implement a blend of OT and Information Technology (IT). OT devices control the physical world; OT networks are industrially oriented, driving plant, equipment and machinery while an IT network is business oriented, dealing mainly with the processing of commercial information or data. They present dual challenges for all businesses.

Over the past 10 years, most cyberattacks have focused on IT assets and while many organisations have undertaken significant cyber maturity uplift work across their IT network, OT assets have traditionally been viewed as being “air-gapped” or isolated from the digital world, and accordingly much less prone to cyber events. This historical distinction no longer reflects modern OT environments which regularly use servers, storage, networking and other connected devices to leverage the Internet of Things (IoT), run applications and process data.

It is now increasingly rare for IT and OT to occupy separate domains. This raises complex issues around the extent of sharing and monitoring of data, and around asset ownership and control. It also creates a need to draw on expertise and oversight from a diverse set of business stakeholders, leveraging the distinctly different skill sets required to develop a robust OT cyber risk management approach.

Recent OT asset and lifecycle management advances, such as the increased reliance on IoT and big data analytics, have accelerated this problem. They have created significant IT/OT convergence, system dependencies and the merging of business processes, in order to better leverage insights and controls across OT environments.

The insurance conundrum with OT cyber risks

The last 20 years have seen several changes in the way cyber risks, particularly OT cyber risks, are addressed and mitigated through insurance products. Going back to the 1990s, OT-related technology and cyber risks were broadly covered by the property insurance market.

This was also the time that saw the beginning of a split in how the insurance market approached physical and non-physical property, and the creation of distinct insurance products to respond to non-physical perils and risks (such as data loss and IP loss). The need for exclusive insurance products to address non-physical risks and intangible property is a primary reason why cyber liability insurance wordings were created.

Cyber liability insurance was designed to address the incident response, data recovery, ransom threat and business interruption risks flowing from cyberattacks. Due to the blend of physical perils (fire, explosion, property damage) and non-physical risks (data loss and availability failures) which can result from OT cyber events, organisations increasingly required a blend of property and cyber covers to effectively manage OT cyber risk.

Since 2017, insurance carriers have become increasingly concerned by OT cyber risks and have imposed exclusions and limitations across a number of policies. The well-publicised WannaCry and Petya/NotPetya incidents that year started a wave of cyber incidents that caused physical asset loss and rendered both IT and OT assets inoperable. In May 2021, Colonial Pipeline also suffered a ransomware attack that impacted IT systems relied upon to manage the OT systems controlling a major US gas pipeline.

In response to these incidents, both traditional property and cyber insurance policies sought to implement new language to remove the risk of broad coverage for “silent cyber” (i.e. policies not being specific about the extent to which cyber events are indemnified). There has also been a substantial increase in exclusions across property, ISR, and packaged programs to reduce coverage for events caused by malicious system intrusions and cyber events.

Against this backdrop, any exclusions or changed language added to insurance programs must be carefully analysed to ensure maximum cover remains for key OT cyber risks.

OT claims environment and insurance implications

Again, since 2017, there has been a drastic increase in ransomware and malicious compromise attempts against OT assets.

These incidents have demonstrated that OT cyber events regularly involve high levels of investigation costs, have crossover implications for connected IT systems, can result in direct property damage losses, long term business interruption, significant extortion demands, onerous restoration expenses and asset replacement challenges.

The many layers of OT cyber-related losses have made it difficult for insurers to determine appropriate premiums, how much underwriting information should be demanded from insureds, and how potential claims impacts should be managed. This has led to several carriers declining to cover large OT environments, significant rate increases and the imposition of numerous exclusions across OT asset owner programs.

These challenges can be strategically managed by focusing critically on how an organisation’s own maturity and risk profile influences insurance drivers and program needs. A chief consideration of any risk analysis is building a deep understanding of the OT cyber events likely to impact the organisation, and developing robust quantification analysis to explore the key impacts and loss outcomes that could result from those incidents.

A short, medium and long-term focus

WTW has regularly examined these issues for organisations, by splitting out how cyber events are likely to create short, medium and long-term consequences. Each scenario is unique and considers the individual circumstances of the specific organisation. Common short-term consequences include direct loss of revenue or loss of use, increased cost of working, incident expenses and ransomware costs and expenses. In the medium to long term, other issues that should be considered include reputational damage, supply chain impacts, third party liability, asset replacement consequences and regulatory liability.

What’s the best insurance strategy?

Because OT cyber risks are likely to generate both physical and non-physical perils and losses, insurance programs should be collectively analysed, with key consideration given to both first party and third party covers. There is also a need to examine how policies will respond to attack chains that are most likely to cause OT cyber risks. Examples of these can include supply chain incidents, state sponsored attackers, hacktivism, extortion attacks and malicious pivoting across IT/OT environments.

Where possible, the widest possible cyber liability language should also be pursued, including work to limit the impacts of exclusions relating to war, cyber terrorism, legacy systems and the extent to which a client’s computer systems include SCADA (supervisory control and data acquisition) and ICS (industrial control systems).

Work should also be performed to develop a strong insurance proposal and answers, given that insurers who offer cyber liability cover will increasingly demand more granular information about the OT environment. The most common OT questions asked by carriers can be grouped into five key categories, which may also overlap with questions used to examine an organisation’s IT environments:

  1. OT related access controls
  2. Policies and process – both OT and IT specific, and evidence around asset ownership
  3. Segmentation – extending across IT/OT/IoT interdependency, evidence of air gapping and specific end-of-life strategies
  4. OT vulnerability management – across environment testing, assessments, detection and hardening
  5. Third party vendor risks – including third party due diligence, procurement approaches, activity monitoring, and examination of key turn-key providers.


Authors

Cyber and Technology Risk Specialist – FINEX Australasia

Cyber Risk Consultant – FINEX Australasia

This article was prepared following a recent presentation by Ben Di Marco and Renewable Energy Account Director Miles Milner, in partnership with Integra, at a forum organised by the NZ ICS Cyber Technical Network. NZ ICS is an industry leading network promoting knowledge sharing and the uplift of industrial control cyber security systems for NZ industrial companies.
