Wednesday, March 5, 2014

Energy Firms Not Ready for Cyber Insurance?

Or so says corporate underwriter and veteran cyber insurance provider, Lloyd's of London, in a BBC article last week:
"Any company that applies for cover has to let experts employed by Kiln and other underwriters look over their systems to see if they are doing enough to keep intruders out. Assessors look at the steps firms take to keep attackers away, how they ensure software is kept up to date and how they oversee networks of hardware that can span regions or entire countries."
Sadly, as the article goes on to say:
"After such checks were carried out, the majority of applicants were turned away because their cyber defenses were lacking."

The article notes a great uptick in the last year in the number of energy sector firms seeking cyber coverage, but it doesn't posit a reason for the sudden rush. Questions immediately spring to mind:
  • What is the audit or investigation like that Lloyd's puts applicants through?
  • What is examined?
  • Who is interviewed?
  • Is this only data/privacy breach cyber insurance being discussed or is business continuity also on the table?
  • Are any technical tools used?
  • Are 3rd party risks evaluated?
  • Etc.
And for me the biggest two: what are the key indicators insurers look for that tell them that an organization is on the ball cyber security-wise and worth the risk of insuring? And where is the line drawn, above which an organization is secure enough?

I am confident someone knows the answers to these questions, but I haven't been able to find him/her yet. But when I do, it'll be to tease out the most common energy-sector-specific shortcomings and then roadmap to an insurable state.

Here's the URL for the full article:
