March 3rd, 2015, Advisen held their Cyber Risk Insights Conference in San Francisco (http://www.advisenltd.com/events/conferences/2015/03/03/2015-cyber-risk-insights-conference-san-francisco/). Advisen provides information, analytics, research, and events for the insurance industry and reaches more than 150,000 commercial insurance and risk professionals at 8,000 organizations worldwide. There were approximately 150 attendees at the Conference from insurance companies, brokers, and consultants. The following were my observations:
- The Conference was focused on data breach with heavy emphasis on recent large data breaches such as Anthem, Sony, Target, etc. There was generally little understanding of the unique cyber security issues of industrial and building control systems or the risk they pose to insurance companies.
- There were several presentations on cyber analytics and modelling. It was stated that Advisen has the largest cyber risk event database but there are no control systems events included (my database includes almost 400 actual control system cyber incidents). Advisen showed the penetration rate for cyber insurance for public administration, finance, wholesale/retail, and services. Except for the finance industry, the penetration rate is slowly rising. There were no industrial organizations included in the analysis. During the modeling discussion, the issue of business interference (continuity) was raised as being difficult to quantify. Yet availability (business continuity) is key for control systems.
- I was on the Operational Risk panel (next to last session) and presented control system cyber risk issues. I was asked about the general awareness of the Board level to control system cyber issues. My response was in general it is still lacking.
- The last session was a critique on the live cyber incident simulation exercise performed prior to the Conference. The exercise was based on an auto manufacturer being hacked and the associated corporate response. The first slide identified the corporate organizations involved in the response – there was no initial participation from manufacturing/control systems. (see last item about Board’s not being sensitive to control systems issues)
- I was surprised with the number of insurance companies that provide insurance to industrial organizations. Those in attendance did not seem to be aware of the unique control system cyber security issues. I was told that London appears to be more focused on insuring industrial infrastructures than in the US.
I believe the insurance industry is very important for improving control system cyber security as they can provide both carrot (lower premiums) and stick (higher premiums or no coverage) to their commercial and industrial customers. Control system cyber security is both a potential revenue stream and a potential significant liability to the insurance industry. There have already been control system cyber incidents that have had tens of millions to billion dollar impacts and deaths. I am hoping the insurance industry will become better educated and more involved in control system cyber security.
Joe Weiss
