A recent article from Reuters suggests that energy companies are rushing to buy cyber insurance in the wake of the Colonial Pipeline ransomware attack. The article reports that insurers will be increasing prices by 25-40% as their costs continue to rise with the large number of ransomware cases the industry is seeing, with energy companies most likely to see the highest increases.
To many, this will feel like insurance companies cashing in on the state of the industry. However, our opinion is that this reflects the true nature of the threat and a maturing of the cyber insurance industry. Many insurers, and the cyber risk rating providers who often help inform them, have focussed only on a company's attack surface. While overlaid with claims information, premium decisions have largely been driven by what vulnerabilities a company has and do not always reflect the different threat levels that companies may face. Two companies in different industries could have a similar attack surface but very different threat levels.
As insurers struggle with rising costs, mitigation of the attack surface is also likely to play a bigger part. Some companies already face such requirements, and it seems inevitable that insurers will insist on verifiable processes and controls being implemented when deciding on premiums for cyber insurance. A greater understanding of risk-based vulnerability management may also rise in importance. It isn’t reasonable for companies to patch every vulnerability they may have, but they do need to patch the most critical ones if they want to reduce their risk. Understanding which are critical requires some planning, especially where resources are limited, as we have traditionally seen in the energy sector.
Cyber insurance is becoming essential for companies but without risk mitigation, the costs will only continue to increase.