Cyber-attacks on operational technology systems are increasing rapidly. At the same time, the probability of non-malicious cyber-incidents is increasing due to the greater use of automation and autonomous operation. The net effect of these two cyber risks is a high probability that you will suffer a cyber-related loss at some point in the future.
While effective cybersecurity is essential to reducing or even preventing cyber incidents, one must also be prepared to deal with the significant financial losses which can result. While this financial risk can be mitigated with the proper insurance coverage, obtaining this coverage can be an unnecessarily difficult and costly task.
Underwriting cyber technology risks had previously been governed by the Institute Cyber Attack Exclusion Clause 380 (CL380), which essentially excluded coverage for any loss, damage, liability, or expense caused by the malicious use of cyber technology. Written long before the advent of modern integrated operational technology and cloud-based information technology systems, CL380 provided insufficient underwriting of today's cyber-technology-related threats and risks. In July 2017, the UK Prudential Regulation Authority (PRA) called upon regulated non-life insurers to address this insufficiency and begin to manage their cyber risk exposures more effectively for business underwritten in the UK.
In response, the Joint Rig Committee (JRC) of the Lloyd's Market Association (LMA) and the International Underwriting Association (IUA) released three updated exclusion and buyback endorsement clauses in 2019 to better align the definition and underwriting of cyber risk with the threat profiles of modern systems. Most notably, for first-party property damage policies effective January 1, 2020, Lloyd's underwriters are required to ensure that all policies specifically affirm or exclude cyber events.
The most significant improvement in the policy clauses is clarity about which specific cyber threats are covered. The clauses now explicitly identify cyber loss due to a cyber act (malicious use of a computer) and a cyber incident (non-malicious use of a computer) as either excluded from or included under the coverage. While these new clauses provide significantly better definitions and coverage options for cyber-related threats and risks, they also introduce new challenges in determining which coverage is appropriate and how to qualify for it.
What this means for the asset owner, end user, or marine insurance underwriter is that, to determine which cyber loss coverage can be provided, two things must be evaluated: cybersecurity capabilities, which reduce the risk of a cyber act, and overall software quality levels, which reduce the risk of a cyber incident.
In other words, you must prove to the underwriter that you have achieved a sufficient reduction in the risk of a cyber act or cyber incident to qualify for the insurance necessary to cover your exposure to cyber loss. Defining what "sufficient reduction" looks like will need to be a cooperative effort that brings operations into what has traditionally been a legal, finance, and IT discussion.
There are three primary artifacts that you can provide to the underwriter to demonstrate that you are acting in a way that reduces the risk of financial loss from a cyber act or cyber incident. These are an Asset Profile, a Threat Profile, and a Vulnerability Profile.
These three artifacts are called out in the US Department of Energy Cybersecurity Capability Maturity Model (C2M2). Having these artifacts, in an actively managed and current form, can provide solid assurance that your cyber loss prevention capabilities are mature enough to warrant the desired coverage. These artifacts also align with the preventive (Identify and Protect) functions of the US National Institute of Standards and Technology (NIST) Cybersecurity Framework.
The Asset and Threat Profiles assume that the threat to operations already exists in the cyber technology and that the cyber act or incident is going to occur. For this reason, they are very useful in risk analysis, much like Failure Mode, Effects and Criticality Analysis (FMECA), for identifying and implementing prevention and mitigation methods that assume the cyber act or incident will happen.
The Vulnerability Profile addresses the access paths and transport mechanisms by which threats can cause cyber acts and cyber incidents. Unlike the Asset and Threat Profiles, the Vulnerability Profile provides the information necessary to prevent the threat from gaining access to the controlling system in the first place.
Athens Group Services has developed a comprehensive and efficient method, the Threat Mode Effects and Criticality Analysis (TMECA®), to create or improve these profiles. Contact us to discuss how you can evaluate your cyber loss exposure and work with your underwriters to obtain the best insurance coverage at the lowest cost.
To see the latest Athens Group Services developments, please follow us on LinkedIn and Twitter.