Cyber-defence: insurance is no substitute for security, claim insurance underwriters

The UK’s leading energy companies have taken a battering over recent months, not just from the elements, but also from the insurance companies they have previously relied upon. It isn’t the high level of claims that is causing sleepless nights for insurance underwriters, however: it’s the industry’s weak cyber-defences. Leading underwriting firms have expressed deep concern that the UK’s power companies are ill-equipped to deal with the threat of hacking and cyber-attack, and are therefore increasingly reluctant to provide insurance to cover these eventualities.

Underwriters at Lloyd’s of London have stated that, though they’ve seen a significant increase in demand for insurance cover from energy firms over the last couple of years, their surveyors’ assessments of the power companies’ cyber-defences concluded that virtually all existing protections were inadequate. The refusal to grant cover may have come as a shock to the companies, but energy industry veterans were not in the least surprised.

Unfortunately, after such checks were carried out, the majority of applicants were turned away because their cyber-defences were lacking.

The Lloyd’s market is one of the few places in the world where businesses can come to insure anything from container ships and oil tankers to body parts and large development projects, and to secure cash that would help them recover after disasters. Insurance for data breaches is a more recent development and has grown with the increased threat. Until recently, many syndicates still felt confident enough to offer companies cover for data breaches and to help companies recover if attackers penetrated networks and stole customer information.

However, times have now changed. Insurance underwriters no longer see cyber-attacks as an occasional threat: they regard them as a persistent problem. These firms will now only offer cover if energy companies are prepared to invest in multi-million pound policies to help them rebuild if their computers and power-generation networks are damaged in a cyber-attack. Moreover, any company seeking cover has to let experts, like those employed by Kiln and other underwriters, look over their systems to see if they are doing enough to keep intruders out. In practice, this means that assessors will scrutinise what steps firms are taking to prevent attacks, and satisfy themselves that software and network hardware, which can span regions or entire countries, is being kept up to date.

Speaking to the BBC, Laila Khudari, an underwriter at the Kiln Syndicate, which offers cover via Lloyd’s of London, said:

“In the last year or so we have seen a huge increase in demand from energy and utility companies. They are all worried about their reliance on computer systems and how they can offset that with insurance. We would not want insurance to be a substitute for security.”

It remains unclear why energy firms are suddenly seeking cover in such large numbers. It’s true that the government has sent warnings about the threat from hackers and attackers to utility firms and other organisations running critical infrastructure, but none of these warnings required them to get cover. The only explanation appears to be the threat posed by greater interconnectivity.

Mike Assante, who helped develop cyber-security standards for US utilities and now helps to teach IT staff how to defend critical infrastructure, including power networks, told the BBC it was “unfortunately not surprising” that insurers were turning away energy firms. He believes that power generators and distributors have struggled with the complexity and size of the networks they manage, and have also found it hard to find and recruit staff with the requisite skills to defend these systems:

“There have been a number of incidents that have caused company leadership to re-evaluate their risk and develop strategies to mitigate it.”

Financial pressures and the ability to manage systems remotely were inadvertently giving attackers a loophole they could slip through, claimed Nathan McNeill, chief strategy officer at remote management firm Bomgar. He told the BBC that trying to cut costs by linking up plant and machinery to a control centre so they could be managed remotely meant those systems were effectively exposed to the internet:

“If something has basic connectivity then it will become internet connectivity through some channel,” he said.

Unfortunately, he believes such changes leave critical infrastructure exposed, as the typical control systems for such hardware were written long before the web age and had only rudimentary security tools. The software for these control systems, known as SCADA (Supervisory Control and Data Acquisition), has been severely criticised by security researchers for its flaws. Mr McNeill also added that it was often very difficult to update the core code in many SCADA systems to close the loopholes that attackers had slipped through.

If your business needs help with security auditing, please contact Krypsys on 01273 044072 or [email protected].