Commercial Risk Europe features CRIF amid concerns on Energy Company cover
Following the reports from the BBC on the challenges facing some energy companies in obtaining cyber insurance CRE helped CRIF get out our message on the need for a more mature and integrated approach to the management and cover of Cyber Risk.
The BBC article stated that "... a number of energy companies had bee refused cover because of inadequacies in their cyber security"
As anyone experienced in the sector will know the statement made may be a good headline, but there is more to the situation than that and a lot will depend on the scope and detail of the cover that was being sought even before the pricing was calculated.
There are established policies available, but as awareness grows of the level and threat and consequences business and the insurance sector need to work together more closely to detail the right blend of activities and cover to best meet the challenges. To do this well business should look to engage with brokers and underwriters in a more evolved fashion and work more closely together to construct the right solution. Security can be improved in various ways that directly affect the options and price of the cover such as by developing improved Cyber Risk Management infrastructures. An example of this would be more inclusion of Network Monitoring & Surveillance, stricter policies to manage access and privileges and many other active measures that are included in the Good Practice guidance and advice that is available (See NIST Framework & BIS Cyber Hygiene).
CRIF Chairman Matt Hogg says “As underwriters we are trying to get as much information as possible, particularly around the overlay between the physical and IT sides, but it is a complicated space. We are bringing in experts and third party vendors to give us another perspective on what is going on and we are working with our energy and property teams to get a greater understanding of the aggregation issues that these exposures create.”
What is though undeniable is that if business wants to properly protect itself from the risks around Cyber and Information Assurance there has to be evidence of responsibility in how it manages its Cyber Security and be prepared to share this with insurers. After all would the insurance sector really want to cover firms who did nothing to protect themselves ... we don't think so!