
Cyber insurers bridge security gap in water sector with hands-on cyber-risk practices 

Posted in Commentary with tags on October 28, 2024 by itnerd

Today, Bloomberg posted recent findings pertaining to cyber insurers’ role in policyholders’ security posture, specifically those within the US water systems industry.

Unlike many other CNI entities, the water sector is extremely fragmented: at least 150,000 utilities are spread throughout the country, with the smallest systems serving as few as a few dozen customers and operating on low budgets that often don’t account for cybersecurity at all.

A May EPA alert found over 70% of systems inspected since September 2023 violated the Safe Drinking Water Act’s requirements to develop risk assessments and emergency response plans.

Amid meager cybersecurity regulation from federal agencies, many cyber insurers have moved on from the traditional, application-based underwriting model in favor of new, hands-on cyber-risk practices intended to spread risk and improve the resilience of the US water sector. These include testing policyholders’ existing systems and helping them address the shortcomings found.

Sezaneh Seymour, head of regulatory risk and policy at cyber carrier Coalition Inc., said Coalition was able to reduce the vulnerabilities of the water entities it covered by over 90% in six months through risk pooling.

Despite insurers’ growing appetite to cover cyber risk, many entities, especially in the water sector, still can’t obtain coverage: they lack the resources and knowledge, and their dated operational systems won’t meet the minimum qualifications required to attain cyber insurance.

“It’s just a matter of time before a determined adversary bypasses the safety functions that have kept systems, people, and the environment safe thus far,” said Jennifer Lyn Walker, the director of infrastructure cyber defense at WaterISAC.

Stephen Gates, Principal Security SME, Horizon3.ai had this to say:

“Although there’s a strong desire for the water sector to adopt the latest IT technologies and security practices, this isn’t always practical. Autonomous risk assessment solutions provide a way to determine if older operating systems and unsupported software are truly exploitable based on their specific deployment scenarios. While a component of the infrastructure might be flagged as being “vulnerable”, that doesn’t necessarily mean it can be exploited from the outside in.”

Any organization in what is considered a critical sector needs to step up its game in managing cyber risk. That means staying current on the threat landscape and taking the steps required to mitigate those threats. It needs to happen ASAP.