Lloyd's of London insurer AEGIS London has rolled out a new breed of cyber insurance product following a major study of the evolution of cyber risk in the energy sector and its impact on so-called critical infrastructure businesses.
In addition to data protection and privacy issues – the staple of first-generation cyber policies – AEGIS CyberResilience offers businesses protection for operational technology (OT) and critical infrastructure, the first to do so.
The AEGIS study and new product offering are a direct response to the growing number of attempted attacks on the energy and utility sector. In the first half of the 2013 fiscal year, the US Department of Homeland Security’s Industrial Control Systems-Computer Emergency Readiness Team responded to more than 200 incidents, 53% of which were in the energy and utility sector, and many of them sponsored by states such as China.
The study focussed on power and utility companies based in the US, UK, Canada and Europe. Conducted on behalf of AEGIS by BAE Systems Applied Intelligence ("BAE"), the leading specialist in the protection of critical operations and assets, the study found that:
– The overwhelming majority of respondents, as well as specialists and vendors who work with energy companies andutilities, believe it is not a matter of "if" – but "when" – there will be a cyber attack of major significance and impact on critical operational infrastructure such as the electric grid.
– Power companies are better prepared to deal with cyber threats to their operational technology than many recent mediareports have indicated. These organisations have a good understanding of the cyber threats they face.
– The biggest challenges energy companies and utilities face are constraints outside their control such as the lack of ‘adequate and mature technology solutions’.
CyberResilience product launch The new AEGIS CyberResilience product is designed to help protect critical operational technology and assets, before and after a cyber attack. The product combines liability, business interruption and terrorism coverage with a service-based offering that consists of cyber underwriting assessment, risk management consultancy, loss control, threat analysis, incident response and vulnerability management.
Alan Maguire, Chairman of AEGIS London, said: "Cyber attacks are no longer focussed solely on IT environments. Cyber terrorists have turned their attention to operational technologies and the critical infrastructure they support, so we have expanded our coverage accordingly. Our new CyberResilience coverage is offered in conjunction with specialized pre- and post-attack services provided by our cybersecurity partners who are global experts in the critical infrastructure industry. Now, for the first time, businesses can obtain secure and reliable cyber insurance cover and service-based offerings for both operational and information technology."
David Croom-Johnson, Active Underwriter at AEGIS London, said: "We believe that vulnerabilities in and threats to operational technology have the potential to lead to business interruption or significant loss of operating capability and availability. These represent some of the most acute organisational risks currently facing critical infrastructure, which is why we developed CyberResilience. However, this is only our first step in evolving a complete suite of products and services around global critical infrastructure cybersecurity."
Rick Welsh, Head of Cyber Insurance with AEGIS London added: "Cyber risks are one of the biggest challenges the insurance industry faces today. Improving the security posture of critical infrastructure industries such as the energy sector is paramount and nobody understands this better than AEGIS. CyberResilience acknowledges the need to understand and underwrite the relationship between industrial control systems and enterprise networks without disregarding the impact of data security and privacy liability."