ICS 2022

Cyberattacks and breaches against ICS and OT networks have increased at an alarming rate. As threats grow, the number of companies inquiring about cyber liability insurance coverage has increased heavily...
The 2021 Colonial Pipeline incident and resulting $4 million ransomware payment represented a watershed moment. It led insurance companies to be more vigilant and offer strict and high-premium based insurance coverage especially for ICS industries that seek cyber liability protection.

In contrast to traditional IT cyber liability insurance coverage, ICS cyber liability insurance is still in its nascent stage. It is also seen as particularly complicated due to indirect damage to its productivity and costly ICS machinery. Due to this, some companies have even experienced insolvency due to wrong estimates and incorrect pricing. It has led insurers to tighten their policy terms and conditions to reduce unexpected losses. Traditionally, commercial property and casualty policies could include limited cyber coverage, but now, carriers are becoming less likely to include it, and are instead offering cyber coverage separately.

This paper details how a clear and focused ICS cyber risk assessment can save money on premiums and help underwriters offer more adequate insurance capacity. During an ICS cyber risk assessment, experienced engineers will examine a company’s compliance with multiple industrial cybersecurity standards including NIST CSF, IEC 62443, etc. It also provides a detailed Business Intelligence analytics report for ICS management so they can take an informed approach to risk mitigation that will strengthen their ICS networks and help them better negotiate with insurance carriers. It also helps insurance companies and underwriters make more informed ICS cyber liability insurance coverage decisions.

An ICS risk assessment determines risk percentage, risk scoring and breach probability of all individual key ICS networks and systems. The report determines a clear risk value in terms of dollar value for both the end-user and insurer.

Learning Objectives for Attendees
When insurance companies are making underwriting decisions on ICS cyber liability coverage, they must take many factors into account. They want substantial material and technical evidence. Self-initiated questionnaires won’t suffice. They are cautious about these decisions and thorough in their research. In fact, there have been frequent instances of underwriters rejecting inadequate risk assessment reports/questionnaires because they are too thin and don’t focus enough on ICS cybersecurity.
This paper addresses to the key question of first party revue losses and the third-party claims using ICS risk assessments to assess the breach probability in every stage of ICS to derive the cost of potential business disruption and revenue loss.