We had assumed that insurers were taking the risk of ICS cyber security seriously. We also thought this could be the driver to get end-users to actually secure their ICSs. Consequently, we intended to have a session on insurer's role in ICS cyber security at the 2013 ICS Cyber Security Conference (www.icscybersecurityconference.com). Apparently we may have jumped the gun on how insurance companies are becoming a catalyst for improved cyber-security in industrial control system design, products and processes. We wanted to have a panel of industrial property insurance company executives interact with the audience. For one, we wanted to know how their companies are reacting to increased cyber threats to critical infrastructure, and maybe more interestingly, how they plan to assess and respond to their customers' varying exposures and mitigation plans.
It turns out that we may have to nix that conference session. The assessment of someone we consider to be the insurance industry luminary on cyber-physical risks was that "most insurers have not thought about this, or if they have, do not seem to be taking it seriously - and won't until a spectacular loss occurs. The Property/Casualty industry is still largely reactive."