This article provides a comprehensive guide to approaching cybersecurity insurance for manufacturers, new changes for passing audits, key obstacles to expect, the role IT/OT assessments can play, and key benchmarks for coverage eligibility in the context of Industry 4.0.
The Shifting Landscape of Cybersecurity Insurance
Every organization, from global corporations to small businesses, faces the omnipresent threat of cyberattacks. In today’s complex technological landscape, cybersecurity has become paramount, gaining mainstream attention with high-profile cyberattacks on companies like MGM and Clorox. In an age of automation, where companies face threats they can neither see nor touch, the risks associated with an insecure automation system are myriad – and potentially catastrophic.
Cybersecurity, once a niche concern handled by boutique insurers, has become a focal point for major players in the insurance industry, so it’s crucial for businesses to understand the nuances of cybersecurity insurance. In this article, we’ll explore how things are changing in the space and the challenges companies may encounter on their path towards obtaining cybersecurity insurance.
Automation Makes Policy Parameters Difficult to Define
The historical context of cybersecurity insurance, specifically as it relates to manufacturing and engineering, reveals a growing divide between information technology (IT) and operational technology (OT) in industrial settings. This rift, which began about 25 years ago, has left many organizations struggling to bridge the gap. The collaboration between corporate IT and Operations has become fragmented, often exacerbated by a lack of IT expertise within the industry.
Another complexity of cybersecurity insurance is defining the parameters of coverage in quantitative terms – what would a cyberattack cost? That depends on the control system, the equipment and the process automation affected, among a host of additional variables. Cybersecurity experts like E Tech Group play a pivotal role in facilitating a more efficient convergence, offering IT/OT assessments as a starting point to understand and address cybersecurity challenges before they become liabilities.
Current Challenges: Transition to Rigorous Auditing
In the not-so-distant past, obtaining cybersecurity insurance was a relatively straightforward process. Companies could secure coverage by filling out questionnaires provided by insurance companies, affirming their security measures, and declaring compliance with industry standards. However, the playing field has shifted dramatically in recent years. Gone are the days when a company’s word was sufficient; insurance providers now often conduct rigorous audits to fact-check the responses provided in these questionnaires.
This transition has introduced a new level of scrutiny and challenge for businesses seeking cybersecurity insurance. Many companies struggle when faced with audits: they find themselves unprepared to substantiate the information presented in the questionnaire or to prove their compliance adequately, discovering that the cybersecurity measures they claim to have implemented are not well-documented or lack concrete evidence of implementation.
This often results in companies being categorized as high-risk, leading to undesirable consequences such as significantly higher out-of-pocket costs, elevated premiums, and increased deductibles. Insurers want to see proof of cybersecurity protection for industrial control systems and facility networks to justify coverage eligibility. And in an automated system, that means taking multifaceted precautions in every step of the production chain.
The IT/OT Assessment: A Step in the Right Direction
For those who might find themselves in the aftermath of an unfavorable audit and looking for the next step towards becoming insurable or lowering their premiums, an IT/OT assessment can serve as an effective first line of defense. The assessment can provide a clear “you are here” dot, allowing companies to compare where they are against industry standards. This current state analysis becomes the foundation for devising a comprehensive roadmap towards remediating any identified threats or shortcomings, both in terms of the audit and the initial questionnaire.
An IT/OT assessment service goes beyond a mere checklist. It offers a fully documented process and report based on factual information, complete with photographic evidence. This meticulous approach ensures that businesses not only claim compliance but also provide tangible proof, making the audit process smoother and more successful.
In some ways, an IT/OT assessor can serve as something of an expert witness. As the cybersecurity insurance space continues to develop, preparation and collaboration with cybersecurity experts like E Tech Group emerge as indispensable components for companies navigating this challenging terrain.
What to Expect? Benchmarks for Coverage Eligibility
To qualify for cybersecurity insurance, companies must meet some fundamental criteria, so understanding the minimum requirements is crucial for businesses navigating this complex terrain. Below, we’ve outlined our five main pillars of cybersecurity for those beginning their quest for coverage:
- Device-to-Device Communication (Zero Trust): In the era of interconnected systems, adopting a zero trust approach is paramount. This involves scrutinizing device-to-device communication, ensuring that trust is not assumed and verification is a constant requirement. Insurance providers look for robust protocols that minimize the risk of unauthorized access and data breaches.
- Multi-Factor Authentication (MFA): Implementing MFA adds an extra layer of security by necessitating multiple forms of identification for user authentication. This reduces the risk of unauthorized access, a critical aspect for insurance qualification.
- Password Policies: Stringent password policies are non-negotiable. Companies seeking cybersecurity insurance must adhere to practices such as regular password changes, complexity requirements, and secure storage protocols. Insurance providers assess the strength of password policies to gauge an organization’s resilience against cyber threats.
- Firewall/Network Topology/Architecture: Expect insurance providers to scrutinize firewall setups, network topology, and overall architecture to ensure that robust barriers are in place. This includes measures to prevent unauthorized access, detect anomalies, and respond effectively to potential threats.
- Testing: Social Engineering and Internal Phishing: Insurance providers may require evidence that companies conduct regular testing, including simulated social engineering attacks and internal phishing exercises. This ensures that employees are vigilant and well-prepared to identify and thwart potential threats.
- An OT Specific Incident Report Plan: Industry 4.0 technologies range from decades-old technology like Advanced Process Control (APC) to completely new technologies.
While industry standards are still transforming, compliance frameworks like SOC 2, NERC CIP, IEC 62443, and NIST are increasingly common.
Cybersecurity in an Industry 4.0 Environment
The advent of Industry 4.0 has ushered in a new era of operational efficiency and connectivity, transforming the manufacturing world. However, this digital revolution comes hand in hand with heightened cybersecurity challenges. As companies embrace the interconnected nature of Industry 4.0-driven operations, they find themselves exposed to potential cyber threats with far-reaching consequences.
In essence, while Industry 4.0 promises tremendous benefits in terms of efficiency and connectivity, it also introduces a new frontier of cybersecurity challenges. Cybersecurity strategies must be agile and capable of adapting to the new reality of Industry 4.0. Just as automation technology like robotics and machine learning continues to evolve, so, too, do the capabilities of attackers. Being secure, vigilant, and resilient is not just a mantra; it’s a prerequisite for manufacturers and organizations navigating the complexities of the fourth industrial revolution.
Closing the Gap: Embracing Imperfection
While a partner like E Tech Group can help you work towards the goal of getting your company insured by reducing your susceptibility to cyberthreats, it’s essential to understand that complete risk elimination is an elusive, likely impossible, goal. Cybersecurity is about risk reduction, not total elimination.
Like a living organism or virus, cyber threats are dynamic and constantly evolving. Achieving absolute protection is challenging because the threat is ever-changing. What’s imperative is identifying anomalies in network traffic and user behavior promptly. Cybersecurity is not a one-time endeavor but an ongoing process of staying ahead of the curve.
This article was originally featured on CSIA’s website.