Insurance
The insurance industry is undergoing a cyber security transformation - from the early 2000’s when the earliest cyber insurance policies were introduced through to the mid-2010’s when huge numbers of high-profile organisations were breached, insurers have always struggled to accurately quantify the cyber risk of an organisation and therefore have rarely been able to offer policies which cover the often sizable costs involved in recovering from an attack. This couldn’t be more relevant today, when attacks are more prevalent than ever before and the costs of recovery can include not only reviving your technological infrastructure and the losses involved in business disruption, but potentially also regulatory fines due to the likes of GDPR and the NIS Directive.
The reasons for cyber attacks on large scale organisation are many, but include:
State-based attacks
Espionage
Disgruntled employees
Accidental/Unknowing actors
or a combination of any/all of the above
WhAT ARE THE CONSEQUENCES?
According to the FBI, $6.9bn was lost due to cyber attacks in 2021 alone, and NCC Group have reported a 92% year-on-year rise in ransomware attacks alone.
High-profile attacks have reported major costs to their recovery, including the Colonial Pipeline ransomware incident of $4.4m, or the $300m estimated cost to Maersk due to NotPetya.
Both GDPR and NIS Directive regulations both carry a €20m or 4% of annual global revenue (whichever is higher).
Cyber Security Regulation - Your responsibilities
Ask yourself
How are you managing cyber security risk?
How are you protecting against cyber attacks?
How are you detecting cyber security events?
How are you minimising the impact of those incidents?
There are very few organisations which aren’t affected by regulations which link back to cyber security. Whether you’re a very specific organisation which fall under the definition of Critical National Infrastructure under the NIS Directive, or due to the data you process, you fall under GDPR - you will have a responsibility to protect your organisation from cyber attacks - whether to protect your customer’s personal privacy or the delivery of your critical services. Regulatory pressure has been building across the board, and governments are developing more complex legislation to affect change.
So - What’s the PRoblem?
The likelihood of being affected by a cyber attack are significantly increasing; the costs of recovering from a cyber attack both technologically and as a result of regulatory fines are significantly increasing; and both of these are massively driving up the cost of a cyber security insurance premium. But, that can’t be fair - not every organisation is at the same risk of a cyber attack! Your organisation may carry significantly less cyber risk due to the proactive work you’ve undertaken - but how can your insurer validate this?
We can help
Whether you’re a insurer looking to better quantify the cyber risk of your clients, or you’re an organisation looking to provide proof to your insurer that you’re taking proactive steps to reduce your cyber risk - we can help! We’re collaborating with leading-edge academics to build out a standardised quantifiable risk measure of organisations with operational technology, and we’d love to work with you to put it into action within your organisation.
We have years of experience in cyber security, digital forensics, incident response and software engineering. We also understand the unique challenges and requirements of Operational Technologies (OT). We develop solutions from the ground up with these OT-specific challenges and requirements in mind, and we know that you cannot simply re-purpose (or re-brand) existing IT tools.
In addition, our software solution offerings below in Profile and Dot both help organisations quantify their regulatory risk against the Cyber Assessment Framework for the NIS Directive, and quantify their operational technology cyber risk by uncovering the assets and vulnerabilities present in their networks.
Perhaps you would like to make the whole NIS Directive auditing process a lot simpler, and a bit more collaborative - avoiding complex excel spreadsheets with dodgy versioning. Profile is built with the NCSC Cyber Assessment Framework (CAF) at its core, with more standards and regulations being supported. If this sounds of interest, then Profile is definitely for you.
Maybe you are looking for a more in-depth understanding of the OT assets and their vulnerabilities, but in a way that is automated but still safety and security critical. Dot currently has support for Modbus, Siemens S7, DNP-3, Ethernet-IP and more. If this sounds of interest, then Dot is for you.
Or perhaps you are looking for something a bit more bespoke, or require some consultancy. If we can help, we will. If we can’t help, then we will work with our partners to deliver the services and systems that you require.
Contact us today to get a quote, or to just chat about possibilities - with a guarantee of no hard-sell.
hello@awencollective.com