Experts have been predicting for decades that the insurance industry would eventually help drive better private sector cybersecurity practices by pricing premiums based on cybersecurity risk.
The idea is similar to the way insurance carriers encouraged businesses to adopt fire suppression technology and consumers to buy automobiles with safety features such as seatbelts and airbags.
Unfortunately, the cybersecurity insurance market is growing more slowly than many would like and is unable to adequately provide the market incentives for better security hygiene that some envisioned. An article published last year in the IEEE Security & Privacy Journal concluded:
“Cyber insurance appears to be a weak form of governance at present. Insurers writing cyber insurance focus more on organizational procedures than technical controls, rarely include basic security procedures in contracts, and offer discounts that only offer a marginal incentive to invest in security.”
A Warning from Tomorrow
There is a lot to digest in the report, but one of the more interesting themes is the recognition that the cyber insurance market is not maturing fast enough to adequately drive better risk management decisions in the private sector.
This opinion is shared by many U.S. government policymakers and is highlighted in a more recent report produced by the bipartisan Cyberspace Solarium Commission. The commission released a comprehensive report on the state of cybersecurity in IT and OT systems in March 2020.
The commission was established by the 2019 National Defense Authorization Act, and its members include cyber experts, private sector representatives, members of Congress, and senior government officials. The report, titled A Warning from Tomorrow, makes more than 75 recommendations for improving U.S. cybersecurity and infrastructure resilience.
The authors are clear in their concern regarding the vulnerability of U.S. critical infrastructure and note that a major cyberattack on
*** This is a Security Bloggers Network syndicated blog from The Mission Secure Blog authored by Mark Baggett. Read the original post at: https://www.missionsecure.com/blog/jump-start-the-cyber-insurance-market-to-drive-better-ot-security