Cengiz Özemli
Academic
Thread Author, #1
## New Era in Cyber Insurance: Industries Must Adapt to Insurance Rules Amid Rising Risks
The cyber insurance market has undergone a significant transformation in the last five years. Insurers, who once issued policies at low cost and without detailed scrutiny, are now acting more selectively due to the increasing number of ransomware attacks.
The manufacturing sector accounted for 68% of cyberattacks in the first quarter of 2025, which has led insurers to re-evaluate who they cover and how. Insurance firms and brokers are now scrutinizing companies' cybersecurity postures in much greater detail before offering policies.
### Critical Infrastructure and Risk Assessment in Cyber Insurance
Companies in the critical infrastructure sector are in a high-risk group for insurers due to their economic and societal importance. Unlike for IT providers or large enterprises, there is no clear standard yet for measuring the cyber defenses of critical infrastructure. However, current insurance practices provide clues as to how future criteria will be shaped.
### Strengthening Technological Infrastructure
- Strong cyber defenses increase insurability.
- Basic measures include firewall structure, monitoring, and response systems.
- Some insurers offer incentives to customers who adopt advanced security measures, similar to safe driver discounts in car insurance.
- Examples include advanced monitoring, proper network segmentation, data diodes, and hardware that provides one-way data transfer.
- These technologies are widely used in the nuclear sector, which mandates the separation of IT and OT systems.
### Integrating OT Security into IT Security Strategies
- Critical infrastructures outside the nuclear sector still lack regulations regarding the physical separation of OT and IT systems.
- Transferring data from OT devices to the cloud offers benefits such as remote diagnostics, supply chain management, and predictive maintenance, but also increases risks.
- Advanced security measures like network segmentation, which prevent attacks on OT systems, are viewed favorably by insurers.
### Documented Cyber Policies Becoming Mandatory
- Insurers are requesting documented policies to verify cyber defense infrastructure.
- Official mechanisms, such as the US Department of Defense's Cyber Maturity Model certification, mandate compliance with cyber standards for defense contractors.
- In the private sector, evidence such as access controls, recent incident response exercises, and cyber audit results are sought.
### Managing Risk Profile
- Critical infrastructure firms should align their cybersecurity investments with their risk profiles, determine their risk appetite, and consider transferring some risks where necessary.
- Some insurers can calculate companies' total residual risk in dollar terms, not just based on industry data benchmarks and average losses, but also by weighting the control environment.
- At this point, extra security measures contribute to risk reduction and lower premiums.
### Risk Mitigation Tied to Compliance Frameworks
- Insurers follow compliance with the National Institute of Standards and Technology's (NIST) 800-82 cyber regulation, the ISA/IEC 62443 standard, and CISA's cross-sector cyber performance goals.
- Hardware-based security solutions support companies' compliance with these standards, improve their insurance profiles, and are often a prerequisite for financing and contract eligibility.
### Understanding Insurance Coverage and Responsibilities
- Research shows that despite 91% of companies having cyber insurance policies, more than a quarter do not fully understand the scope and responsibilities.
- While cyber insurance provides protection, data security is the primary goal, and additional defenses play a critical role in preventing data breaches.
- As insurers' risk analysis methods evolve, companies with evidence of data protection find insurance with more favorable premiums and are more secure.