Every organization, from global corporations to small businesses, faces the omnipresent threat of cyber attacks. That’s why cybersecurity has become paramount, gaining mainstream attention with high-profile cyber attacks on companies like MGM and Clorox. What used to be a niche concern handled by boutique insurers has now become a focal point for major players in the insurance industry and it’s crucial for businesses to understand the nuances of cybersecurity insurance.
The historical context of cybersecurity insurance, specifically as it relates to manufacturing and engineering, reveals a growing divide between information technology (IT) and operations technology (OT) in industrial settings. This rift, which began about 25 years ago, has left many organizations struggling to bridge the gap. Cybersecurity experts, such as E Tech, play a pivotal role in facilitating a more efficient convergence, offering IT/OT assessments as a starting point to understand and address cybersecurity challenges.
Rigorous auditing
In the not-so-distant past, obtaining cybersecurity insurance was a relatively straightforward process. Companies could secure coverage by filling out questionnaires provided by insurance companies, affirming their security measures, and declaring compliance with industry standards. However, the playing field has shifted dramatically in recent years. Gone are the days when a company's word was sufficient; insurance providers now often conduct rigorous audits to fact-check the responses provided in these questionnaires.
This transition has introduced a new level of scrutiny and challenge for businesses seeking cybersecurity insurance. Many companies find themselves unprepared to authenticate the information presented in the questionnaire[1] or prove their compliance adequately. They often discover that the cybersecurity measures they claimed to have implemented are not well-documented or lack concrete evidence of implementation. This can result in companies being categorized as high risk, leading to undesirable consequences such as significantly higher out-of-pocket costs, elevated premiums and increased deductibles.
The IT/OT assessment
For those who might find themselves in the aftermath of an unfavorable audit and looking for the next step towards becoming insurable or lowering their premiums, an IT/OT assessment can serve as an effective first line of defense. This current state analysis becomes the foundation for devising a comprehensive roadmap towards remediating any identified threats or shortcomings, both in terms of the audit and the initial questionnaire.
An IT/OT assessment service goes beyond a mere checklist. It offers a fully documented process and report based on facts, complete with photographic evidence. This meticulous approach ensures that businesses not only claim compliance but can also provide tangible proof, making the audit process smoother and more successful. In some ways, an IT/OT assessor can serve as something of an expert witness.
As the cybersecurity insurance space continues to develop, preparation and collaboration with cybersecurity experts like E Tech emerge as indispensable components for companies navigating this challenging terrain.
Benchmarks for coverage eligibility To qualify for cybersecurity insurance, companies must meet some fundamental criteria, so understanding the minimum requirements is crucial for businesses navigating this complex terrain. Following is a list of E Tech’s five main cybersecurity pillars for those beginning their quest for coverage:
- Device-to-Device Communication (Zero Trust): In the era of interconnected systems, adopting a zero-trust approach is paramount. This involves scrutinizing device-to-device communication, ensuring that trust is not assumed and verification is a constant requirement. Insurance providers look for robust protocols that minimize the risk of unauthorized access and data breaches.
- Multi-Factor Authentication (MFA): Implementing MFA adds an extra layer of security by necessitating multiple forms of identification for user authentication. This reduces the risk of unauthorized access, a critical aspect for insurance qualification.
- Password Policies: Stringent password policies are non-negotiable. Companies seeking cybersecurity insurance must adhere to practices such as regular password changes, complexity requirements and secure storage protocols. Insurance providers assess the strength of password policies to gauge an organization's resilience against cyber threats.
- Firewall/Network Topology/Architecture: Expect insurance providers to scrutinize firewall setups, network topology and overall architecture to ensure that robust barriers are in place. This includes measures to prevent unauthorized access, detect anomalies, and respond effectively to potential threats.
- Social Engineering and Internal Phishing: Insurance providers may require evidence that you conduct regular testing, including simulated social attacks and internal phishing exercises. This ensures that employees are vigilant and well-prepared to identify and thwart potential threats.
Embracing imperfection
While a partner like E Tech can help you work towards the goal of getting your company insured by reducing cyber threats, it's essential to understand that complete risk elimination is an elusive goal. Cybersecurity is about risk reduction, not total elimination.
Achieving absolute protection is challenging because the threat is ever-changing. What's imperative is that you are able to promptly identify anomalies in network traffic and user behavior. Cybersecurity is not a one-time endeavor but an ongoing process of staying ahead of the curve.
Kevin Romer, CCNA, MCPS, CSP is solutions architect at E Tech Group. E Tech Group is a certified member of the Control System Integrators Association (CSIA). For more information about E Technologies Group, visit E Tech Group on the Industrial Automation Exchange.
