Who would have thought a podcast on insurance would be one of my favorite and most interesting I've done in the past few years. I spoke with Eireann Leverett and Jennifer Copic of the University of Cambridge Centre for Risk Studies. They were two of the researchers who helped Lloyd's put together the paper Business […]


00:00:03 Welcome to Digital Bond's Unsolicited Response podcast. I'm Dale Peterson, and our topic for this episode is cyber insurance.
00:00:14 Lloyd's, the famous specialist insurance and reinsurance company, recently put out a paper called Business Blackout: The Insurance Implications of a Cyber Attack on the Power Grid, and in this podcast I talked with two contributors to that. They're from the Centre for Risk Studies at the University of Cambridge: Eireann Leverett and Jennifer Copic. It's an interesting podcast; it's going to teach you a lot about insurance and delve into some of the questions we need to answer to have effective cyber insurance. Rather than try to explain it all in this preview, I'll let you listen to it. One quote to keep in mind as you listen to this is from Dr. Ross Anderson, who said a trusted component or system is one you can insure.
00:00:59 Before we get into the interview, I want to remind listeners that the call for papers for S4x16, this January in Miami South Beach, closes at the end of August. So send your ideas for a technical session, or any other advanced session in ICS security or OT-related fields such as cyber insurance; send those to S4 at digital. The agenda is looking absolutely fantastic, lots of new work, lots of very creative work. I think you'll enjoy it, but we're always looking for the best, and we're hoping for a strong close here in submissions from our listeners. And now to the interview.
00:01:44 Joining me on the Unsolicited Response podcast is Eireann Leverett. He is a senior risk researcher at the Cambridge Centre for Risk Studies, and with him is Jennifer Copic, and she is a research assistant at the Cambridge Centre for Risk Studies. I think a good place to start out... well, actually, maybe I'll go back to where we began to talk. I think, Eireann, you and I talked a little while ago about this issue of insurance for ICS cyber incidents, and you talked about it at S4, and originally this podcast was going to be trying to nail down what questions we need to answer before insurance can be issued. But then you, I guess, preempted it with something much more interesting: this Lloyd's document, Business Blackout, the insurance implications of a cyber attack on the US power grid. And maybe, to start, can you tell us a little bit about how that document came about and what the purpose of it was?
00:02:41 Absolutely, and it's really welcome that you phrased the question that way. I think there's been a little misunderstanding about some of the report's purpose. Its goal is really to stress test the insurance community. There's about 200 insurers in the Lloyd's market, and they're using this document as the starting gun for a number of conversations around insurance for OT and insurance for critical national infrastructure. So the report is kind of the beginning of a conversation for them, and it's meant to shake out a number of problems that they might run into, such as liability, legislation, where they're accumulating and aggregating costs and risks. And Jennifer worked very tightly with me on the report and produced a bunch of fantastic cost estimation and detail in some of the reporting. So who else was involved in this besides
00:03:41 the Cambridge Centre? Were there other partners in this? Yes, so I mean Lloyd's funded the project, and one of the people at the centre is Dr. Scott Kelly, who is a macroeconomist but with an engineering background as well, and he helped us with a lot of the macroeconomic analysis using the Oxford Economics model. But the other partners in this were: we spoke to people at NERC, we spoke to people at DHS, we spoke to many of the insurers. And what we were trying to do here is a bit of nuanced diplomacy between private enterprise, particularly in insurance, and the asset owners and government, because government knows it's got a lot of problems with solving critical infrastructure protection issues, and they wanted to bring one more piece to the table, which I think is mitigation through insurance.
00:04:41 Who came up with the, I guess, the scenario that would cause a large-scale blackout in the US power grid?
00:04:48 So that was mostly me, but a joint effort with a number of other people. We were workshopping in Cambridge and we had three scenarios, and we discussed the different value of those different scenarios. Realism was one of the elements that was important, but also important were a number of particular issues for the insurers. So the reason Aurora became very interesting is because there's property damage and there's smoke, which means that they are covering it under an all-risks insurance. And maybe Jennifer might like to say a little bit more about the all-risks. Sure. One of the aspects of the project that Lloyd's wanted us to highlight was the difference between silent cover for cyber OT events and affirmative cover for cyber OT events, and the difference between those two types of covers is: if you have an all-risks policy for property damage and you don't
00:05:48 have any exclusion clauses on there for cyber, and you have an Aurora-style event where your generator catches on fire or explodes, then technically (of course, I'm sure this will go to court) but technically you are covered. And so we call that silent coverage, and that's a big concern for insurers because it could add to exposure accumulation for them. And if you have affirmative coverage, obviously you're buying a stand-alone plan that specifically covers various cyber events, and currently in the market it's pretty heavily dominated by IT cyber events, or information technology, as opposed to OT or ICS. It seems to me, just to kind of wrap up the scenario part of it, people in our industry (and I've been known to do it from time to time) tend to, when they see something like this, pick apart the little details. So, you know, this one tiny detail is wrong, or this is wrong. But you almost, the way I read the report, and it sounds like this was a goal, is you wanted to create an event
00:06:48 and you wanted to have really the impact of that event well known, so then you could decide how insurance would play based on what actually happened. The fact that maybe, you know, there's one tiny detail here or there that some people would change really doesn't matter; it's just this event happens, here are the parameters around the event, now what are the insurance implications of it. That is really, I think, the meat of the report and where there's a lot of value. The insurers from the London market who insure utilities in the US, as we would go through the scenario with them in terms of trying to justify our cost estimation, they would stop us before we even got to our cost estimation bit and go, "Oh well, this is definitely a terrorism event, and TRIA, the Terrorism Risk Insurance Act, is going to activate and we're going to
00:07:48 basically be reinsured." And we said, OK, we get that you guys feel that way, but for the purpose of a detailed conversation and an understanding of how much exposure you have, we're going to assume that that doesn't happen. Sorry, that's the doorbell. No problem. So dinner's here, that's good, so you get to eat after this. But so maybe, and this was one of the areas that was fascinating, so TRIA is a US-based program, right? Are there similar programs around the world, or is this something that's fairly unique to the US? Actually, we're working on a project for the UK right now and eventually hoping to do one for Europe, and so we will be able to answer your question in due course. But TRIA specifically, as we outline in the report, is only a US-based program. It was started shortly after the 9/11 event to help kind of give a buffer to the insurance industry in case of another terrorist attack.
00:08:48 The general gist of the program is that if an event, regardless of the type of event, is deemed a terrorist attack, then the insurance industry can use the government as a reinsurer and the government will cover a certain amount of cost. Obviously the event has to be of a certain size and meet a few requirements before the program will kick in. Interestingly enough, the program's never been used to date. In order for the program to execute, like I said, it has to meet several of those key requirements, but the government also has to deem it a terrorist act or an act of war, which typically doesn't happen.
00:09:30 Interestingly, one of the things the report showed is that it's unclear whether TRIA can be used for cyber attacks, or if it's only relevant in the case of traditional terrorism or war. For example, if it's just a major loss of money to that company, and lots of people weren't killed or injured, or there weren't other impacts, that company may have just been destroyed in terms of their financial picture, but I'm not sure that would necessarily be considered terrorism. I don't think, for example, the Sony Pictures attack, was that considered terrorism? Although that ended up costing them quite a bit of money. Actually, to define something as terrorism is pretty stringent. I don't have it in front of me right now, but a lot of boxes have to be ticked before they'll go down that path.
00:10:29 Yep. That brings to light again, circling back around to some of the details that people want to discuss about the report, and we're happy to do that, but the goal of the report is not to be a final product and a final estimate of the cost. It's one of many reports that's going to be used for this purpose, and we're essentially a sparring partner for the insurance industry to try and learn the risks of cyber, the way their costs are going to accumulate, the problems they're going to have. And I've learned to think of these stress tests as a sort of quantified, useful speculative fiction, right? And what I mean by that is
00:11:11 we try to quantify it; we do a cost estimation, and some people may have some issues around the way we've done some of the cost estimation, but this is really only round one. Now 200 different insurers in the Lloyd's market will go and look at the policies that they've written, and they'll try to understand how many generators they've insured, and now assume the worst case for them as an individual company, and now look at whether the costs aggregate. So one of the criticisms I've heard out there is that we didn't talk in particular about transformers being damaged by an Aurora event. The reason for that is the insurers have enough trouble figuring out whether or not they even insure the generator, let alone, you know, smaller equipment such as transformers. I think one of the big surprises for me, and maybe I was just too skeptical, but I just assumed that cyber events would not be covered.
00:12:06 I went in because, maybe it's my own personal insurance or the company's, there's always all these waivers and specific exclusions and that. So I was surprised that when you went through this event you actually identified, I can't remember the number but it was at least six, different types of insurance that may have to pay out claims based on this scenario that you created. And what was your level of confidence that some of these insurance companies would actually have to pay, or feel that it was a valid claim and they should pay?
00:12:39 Of course. Before I go into my response, I'd just like to add that there's always a nuance to every single insurer, and in most cases when there's not clarity, there's a lot of litigation. So, you know, I'm not going to say I'm the sole expert on this, but we did interview about five or six of the insurers in the London market and went through our detailed cost calculations with them, to kind of guarantee, or to justify, some of the key assumptions that we had made, and ensure that we weren't going down the wrong path. So, to kind of walk through the different categories that we went through: we had power companies. So if I'm a power company and I have property insurance,
00:13:25 we have to first ask what type of insurance you have, and from my understanding from these underwriters that we had interviewed, a majority of them will buy property insurance that covers cyber events, and there's two ways they can do this. They can buy just regular, traditional property insurance, and they will most likely have an exclusion clause that excludes cyber events unless they cause fire or explosion, which is what was caused in our scenario. Or the other option is that they buy an affirmative policy, like I had mentioned earlier, that specifically says they cover property damage from cyber events. And so one of our key assumptions for the power companies was that regardless of the line of cover, they're going to have to pay out, because they've either bought a specific affirmative cyber cover, or they have a silent situation but they have an endorsement clause that will cover fire and explosion, which is what happened in our scenario.
00:14:25 Our champion at Lloyd's wanted this project written to shake out the difference between specifically excluded cyber events and silent coverage, and he wanted the insurance industry to re-examine its approach to these things and get much more explicit about what kind of cyber insurance it was writing, and not allow that to be regularly covered under an all-risks cover. Supermarkets or food manufacturers or other companies that we looked at have business interruption loss or contingent business interruption loss. Interestingly enough, and as far as we understand, having interviewed five or six insurers (it does get a bit confusing amongst them, to be honest), as long as physical property damage had occurred at the utility,
00:15:19 that particular, you know, food manufacturer, university, whatever, they actually are covered in terms of business interruption, so then their insurance should pay out a claim. Now, in this part of the report we did find a lot of litigation happens in this area, in particular after the 2003 cascading blackout. There was one, I'm sure it was Liberty Mutual, that was forced to pay out to a supermarket chain that had lost all of their frozen and refrigerated goods, because the judge said that physical damage didn't occur in the sense of parts being damaged in that situation, but physical damage did occur because the power was out for four days, and to him that was physical damage. However, there's a reverse case where another judge in another state told the supermarket chain that they weren't going to get a payout because physical damage didn't happen. So this is kind of a grey area in terms of the report that you had highlighted
00:16:19 in your question earlier there, and because we're so interested in it as a centre, we've now got a legal expert working for us who's digging into this a bit deeper. That's one of the risks that the insurers themselves, with reinsurers, need to measure: what are the probabilities that a particular litigation or liability case is going to swing one way or another. So, for example, they feel pretty comfortable about power companies not being sued for not providing electricity, particularly in the US, because they're protected under, "protection under common cat" is the term that's been explained to me, right? So, you know, there's a lot of grey area there and the insurers are trying to understand that. Going back to our earlier point and reiterating that the point of many of these things in the scenario is to be
00:17:13 in writing, so that they can be falsified or they can be verified, and so that they can be quantified by these individual teams who will go out and study this, and the report is the beginning of that process. And we chose a lot of elements in the report to stress, you know, these litigation cases, or just to stress the way they were writing their cover. One of the things, for example, we put into the report is that 10% of the generators in the region were Aurora vulnerable, or 20% in our extreme scenario. I think you and I both know that those numbers are going to be much, much higher, but the point is to get the insurers to go out and verify that for themselves in an auditing capacity. So the first round that's coming up at the moment is where the insurers estimate how much they might lose because of damage to the generators, and then the third round of this process is where they go out to their customers themselves and start asking questions, and I think that's where we're going to get some much clearer answers around the
00:18:12 generators that are vulnerable to Aurora. I'm speaking with Eireann Leverett and Jennifer Copic of the Cambridge Centre for Risk Studies about cyber insurance for the control system world and critical infrastructure. I think this effort by Lloyd's is really, you know, they deserve a lot of credit for pushing this issue and investigating this issue, because as you describe the scenario that you developed to kind of push the limits on some of these insurance policies, it sounds like it would be quite a different case if, for example, an attacker came in and just took out the cyber infrastructure. So they wiped out the PLCs and the code, and maybe the plant was down for a month while they got new equipment in, got it deployed and all that. There would be, I guess, no physical damage to the process if the safety systems worked as they
00:19:12 should, but there would be a complete loss of the factory for some period of time. Now, did you look at all at what type of coverage would be affected if there was not
00:19:26 property damage? I guess you could say there was some property damage to that cyber equipment, but not actually, you know, things running in the factory. Did you look at that issue? We did, and in fact one of the things, again, I think people have seen this report and they think there's only going to be one, and then they get all wound up about it, but I think the real
00:19:48 success of this report, and of Lloyd's effort in this, is that we will be writing many more reports at the Risk Centre, but also we expect that other people will be writing many more of these reports as we go forward, exploring a wide variety of these different issues. But the thing we're particularly proud of is that they're considering now bringing 2270 billion in mitigation funds to the OT community, where a lot of that money might have gone to IT cyber insurance previously. I think Jennifer has a few more things to say about clever ways that the stress testing can be used, and why lots of people should be writing these stress test scenarios, not just us. So if people are interested in the realism of the report or have some criticisms, they should really join the community and start speaking to the insurers, and take an opportunity to write some of the stress tests themselves, to push the issues that they're particularly interested in.
00:20:48 Jennifer, right? I would think that the insurance industry and the people that are being insured, the companies that are being insured, it's in everyone's interest to be clear on what the insurance actually means. So if you're the insured person, you don't want some, you know, vague thing about what risk you're actually transferring; you want to know what risk you're transferring. And obviously the insurance company doesn't like that silent risk exposure, because that's their business. So I can see creating these scenarios, and there probably will need to be a large number, and I would guess the insurers will... maybe I'll ask that as a question: do you see the insurance product changing as a result of a better understanding of these scenarios?
00:21:35 I definitely think so, and to answer that question I'll give you a quote. One study, Marsh and Zurich did a cyber risk survey with the intent of collecting, IT or OT, they weren't specific, asking CEOs, you know, "do you have cyber insurance cover?" and 52% came back and said yes. And when they actually went to check whether those CEOs had cyber insurance cover, only 10% did. So there's clearly a mismatch in people's understanding of what the policies that they currently hold are covering, and it's partly due to exclusion clauses, partly due to... and whatnot. There's definitely room for improvement there. But I think one of the cool things that our report has brought up, and we had mentioned this at the very beginning of the talk, was that there isn't too much OT cyber insurance out there yet, and I see this report hopefully motivating the market to get into that area, not only to help protect utilities and ICS
00:22:35 and manufacturing companies, but also to help mitigate the risk that those companies have. But if you're a large manufacturer and you've got a cyber policy,
00:22:46 is this that area where there might be that silent cyber risk exposure, where they maybe didn't plan on it covering OT, but those are their computers and other devices that would be considered cyber? Are there exclusions to say that it doesn't cover factory computer systems, or how is that working today? It's around the event that occurs. So some of the exclusions say that if a cyber event occurs that doesn't cause physical damage in terms of fire and explosion, then we're not covering it, but that's kind of the standard class of exclusion clauses; those are called NMA clauses. Then there's another set of clauses that say if the attack is a cyber attack that had a malicious intent (which, you know, I know there are unintended cyber attacks, but a majority of them are malicious in nature), and so those are covered, and those are the CL 380
00:23:46 exclusion clauses. And so I think one message to send out to the community, especially for risk managers that work in manufacturing companies, is to go have a conversation with your insurer. And when you go to that conversation, before you even go to ask "what am I covered for?", think about what you want to be covered for. You know, what type of assets do you have, whether it's physical or, you know, ICS or enterprise-system-wise, what type of assets do you want to be covered for? You know, do you have PII, personally identifiable information? What is it that you're interested in getting covered for? And then go sit with your insurer and ask "what am I actually covered for?" and get into the weeds, because if you don't, you know, and this was the intention of our report, get into the weeds, these questions generate an improvement in risk mitigation for the manufacturing companies, and it also helps the insurer understand their exposure too, when you get into the weeds.
00:24:46 One of the things I'm excited about: a lot of people didn't believe this could be done, or believe the insurers would be willing to take on the kind of volume of risk that is presented by critical infrastructure going down, and I've had a great reaction from them, and I think they're willing to start having these discussions. But the beauty of that for your risk manager at a large utility is that they know they have legacy equipment, and they know some of the older plants are more at risk because the personnel are not as well trained, and firewalls or whatever. And this is a nice opportunity where you're doing great penetration testing, red teaming, and working on your supply chain for the new plants that you're building, but what do you do with those old plants? Well, hopefully we're bringing insurance to the table, and that gives you a risk strategy, or a new tool in the toolbox, to help you handle some of those plants where you know you're just not going to be able to rip and replace
00:25:46 and bring them up to date.
00:25:49 That leads to a question I wanted to discuss a little bit here, so I'm glad you touched on it. Is there going to be
00:25:57 some sort of requirement for a minimal level of, let's say, good cyber practice or good cyber hygiene in these things? So, for example, if you have a plant and all of a sudden it gets taken down, and then, you know, they find out that you had this firewall rule that allowed a hundred people from all over the world to get into your network, that obviously would increase the risk of your network being compromised. So how is the insurance industry going to deal with this fact that there needs to be a certain level of protection, or do they just ignore that feature or fact?
00:26:41 So in the meantime, and in the short term, I guess, is a better way to phrase that, they are going to ignore that. They're going to charge a lot of money for this type of insurance because they don't understand the risk yet, but they're working on that, and they're willing to take the time to understand the risk. That's why they funded these reports, right? And they're going to fund another round of these reports from a variety of different experts in the field. So initially they'll just charge more money, and then in the long run they're going to watch the aggregation of events across multiple people that they insure, and they're going to start to see patterns emerging of good behavior, and where they see those patterns of good behavior they might ask people to replicate them. And that can play out one of two ways: either, if you have an incident response team (let's say that's the thing that they identify as a particularly good behavior) and you have an intrusion detection system and you have people monitoring it, then
00:27:42 we'll give you a reduction in cost if you've implemented that. And the other way it could go is: we won't sell a policy to anyone who doesn't share their firewall rules with us. And we're not sure which way that's going to go, and it'll be different between different insurers in the short term, so you might be able to shop around and get the policy you want in the meantime. But I think that's sort of how it's going to play out in the long run. But today they're not going to be dictating good practice yet, because we're still waiting to see what some of those good practices are, particularly in ICS. You know, an ICS system is always bespoke, and a great security team working at one of those plants is also going to be bespoke, and the insurers want to wait and learn what that looks like. And in the meantime they can accept the risk and charge what they like.
00:28:33 OK, and then a similar issue, and not having a lot of data or information to write or estimate risk, right? Policies are estimated risk. Yeah, I think you pointed it out in the report that there is poor quality and quantity of loss information right now, and actually this was, that's probably the best reason I've heard for information sharing: that rather than actually helping protect the system, it helps determine what the risk is for writing policies like this and for other risk management. So is this the same sort of thing, where they're willing to write policies even though they don't have the statistical information that they would normally have to write a policy? Is that happening or going to happen? Well, several of the insurers that we worked with for this report and study are crying out for information sharing and analysis organizations, and they want them to exist, and part of it is because
00:29:33 we had one insurer come to us and say, "Look, I actually have an event that happened, an ICS event that happened, but I can't tell you about it because I only know so much, enough that I basically paid out my policy, my claim, on it to the entity,
00:29:52 but I didn't know enough to really even understand if I should have been paying out, because I got slapped with 'this is a national security issue.'" And so, you know, Eireann and I have a lot of respect for that; we obviously don't want, you know, that sensitive information getting into the wrong hands, but some level of incident information does need to be shared with the community, because then insurers can understand the risks they're taking on, and then, you know, companies, manufacturing companies, you know, industrial facilities, can also understand how to do better risk management themselves, because they're aware of other incidents that have happened outside of, you know, their own doors and walls. And so I'm definitely a big advocate for information sharing and analysis organizations, and I was really happy to see back in February that there's an executive order basically saying we're going to have these, and I'm very interested to see how they get shaped and formed, and hope that they can help both those communities.
00:30:52 The insurance model is that it's a market for buying your incident report, right? For you to get your insurance payout, as a plant manager or risk officer you have to admit that an incident happened and share some data about what exactly happened, and the insurer at that point is literally purchasing the pain that you have felt through that process. They can start thinking about doing aggregated statistics and building better models of how frequently cyber attacks occur or don't occur, and how impactful they are when they do. So they're literally buying that information, and that
00:31:33 all parties involved in that process have a reason to pay out or to participate. You know, the person who's been insured wants to make sure they get their payout for the event that happened, and to do that they're going to fill in the forms and provide the information. The insurer, you might think they have no reason to pay out and will weasel out of it, but they know that if they do that for too many policies, their name becomes mud, and then no one will buy insurance from them ever again, right? So they know that they need to pay out on a reasonable number of these policies to support the information gathering, and I think that's really exciting. Even if you don't believe in cyber insurance and you don't want to buy cyber insurance, we still need these risk metrics; we still need to examine them across more than one company. I mean, if you're going to self-insure and you're going to do this yourself, you still need to know what kind of capital you need to put aside for the day that you do suffer a
00:32:33 really bad cyber attack. So regardless of insurance succeeding or failing in this respect, we need these risk metrics for the future of cybersecurity, particularly in large industrial systems. It's funny, though. I have been a critic of the ISACs and information sharing, in that we know these ICS are insecure by design; what information can you really share about vulnerabilities or that sort of thing that is really going to help someone when they know anyone with access can do whatever they want? But this was the first, I guess, need or purpose for an ISAC that actually makes a lot of sense, I think: collating this data so that cyber insurance can be created, and more broad-based risk management information can be provided. I like that a lot, and hopefully some of the ISACs are looking at it. I haven't heard this approach from them, but it might be a
00:33:33 thing they take up. But, Jennifer, you mentioned one thing, and I'm not going to push it for any details, but I was just curious. So there have been at least a handful, or at least one case, where a company had cyber insurance, had an ICS incident, and a claim was paid? You've seen that happen somewhere in the world? Well, more than what I said earlier, I think a lot of people aren't aware that those things actually have ever happened. You know, what it was, where it was, isn't really important, but that it actually, that the process worked. There are a bunch of key historical events in the back of the report if anyone is interested in taking a look at those.
00:34:26 Yeah, I mean, I guess another thing we should share, particularly with your listeners, is we're working with the insurers and the reinsurers, and what kind of things would be seen there. You know, the number of people who didn't believe it was possible to physically damage equipment through a cyber attack. And so that's another important element of this report, is to convey that message straight through the insurance industry in a single shot, so that they are taking that into account.
00:34:59and that's good too because then that goes full circle and then the insurance company starts asking the company these questions and then the c-level executives maybe learn something that they didn't know so I said that yeah that's a good cycle I just to other areas I wanted to cover briefly the one you mentioned this statistic at S4 and I thought it was really pretty cool this GDP at-risk statistic Howard maybe explain what that statistic is in and how it's used in the insurance industry or how you're proposing it be used in the insurance industry
00:35:35 Well, I'll answer the last part of that question first. We're not necessarily pushing it for the insurance industry so much; that's really a risk metric that was developed at the Risk Centre to try and capture macroeconomic effects, not just of cyber attacks but of pandemics, of trade disputes, of conflicts, a variety of different... all the threats that we study, all the risks we study at the Risk Centre. So that came about because you do some modeling at the macroeconomic level. It looks like... you imagine a crop failure in a particular country
00:36:16 that has a knock-on effect to biodiesel or something. How do you want to measure the impact to nations, and to other nations? Well, of course you're going to use macroeconomics. So Dr. Scott Kelly at the Centre and Dr. Andrew Coburn, they came up with this metric of GDP at risk, and it sounds complicated but it's really quite simple. If you use a macroeconomic model and you assume that business as usual, you know, growth in the economy and so on, is happening, and then you shock that model with the events that you're interested in, such as a rise in the price of biodiesel and the lack of a core crop, then you see that effect on GDP, and it will, you know, vary from GDP as it would normally be, the counterfactual they call it, and then eventually it will slowly return to where it was before, the return to mean, and then
00:37:16 there's a bunch of discussions we can have about that, but let's just stick to GDP at risk, which is essentially the area under the curve of the counterfactual to the factual; that is what we consider to be GDP at risk. And you can see that some shocks take a few months to recover from and some shocks take years to recover from. So we use that for all sorts of projects, not just for cyber, and it was a unique opportunity for me to go to work with those people and try and apply it to a cyber project for the first time.
00:37:48 Okay, well, I'm speaking with Eireann Leverett and Jennifer Copic of the Cambridge Centre for Risk Studies, and the last area I wanted to touch on a little bit is maybe a little crystal ball, in terms of how likely it is that you believe the ICS community will be as active in the insurance market five years from now. So we are where we are today; obviously some things are being covered through silent risk, other things are being covered by some of the policies that are more explicit. But five years from now, do you see there being an active OT or ICS cyber market where there are policies written for that, or do you see it being handled some other way? And I guess, to make the question longer and more complex, how active do you see critical infrastructure in
00:38:46 using this insurance as a way of risk management?
00:38:51 So the first part of the question, in terms of where do we see the market going: I personally think that IT/OT cyber insurance is going to continue to grow. IT cyber insurance took off shortly after, you know, the string of data breaches a few years ago, and most insurers offer it now as a stand-alone, what I call the primitive policy, and I think it is just going to continue to grow. So the OT events, in terms of occurrence, might continue to increase as time goes on, and OT insurance will also increase too. I mean, the insurance market would kind of be silly to not try to jump into this market and generate not only revenues for themselves but also to help the industry hedge against the risks that they have.
00:39:44 I would agree with Jennifer that I think the market's going to grow. The cyber insurance market is growing about 30% per annum anyway, at least it has done the last couple of years, so I see that trend continuing. I don't see everyone buying cyber insurance; there will be plenty of plant managers who don't have a use for it or it doesn't fit with their protection profile, a few that realize that it can help them transfer some risk at the right time and at the right place, and they'll use it that way, others will use it a little more heavily. I think that this kind of
00:40:22 risk study that we're doing, and also the insurance, is particularly well suited to industrial systems. If you try and do brand reputation risk, you know, if someone hijacked your Twitter account, it's difficult to put a cost on that; there are some ways of doing that, but it's a little bit more challenging. But when it comes to industrial systems, be they small or large, you know the cost of downtime, and so it's almost a little bit easier. It's one of the few advantages we have in the industrial control system security community: that we have an idea of the cost of failure and we can put a number on that, and the insurers like that. They can see that it's, you know, a low-frequency but high-impact event, and they're interested in buying some of that risk if other people don't have other ways of managing it. So I do see it being an active community in the next five years; if it will be bigger than the security community, I'm not sure,
00:41:22 but I would imagine it would be maybe
00:41:27 200 billion by five years from now. I don't even have a good way of thinking, is that a big number or a small number, in my head, because obviously it's a lot of money, but compared to the market size it's probably still pretty small. You know, one thing your paper did, or the white paper did, was it really made me very bullish on this. I am not sure about the five years, but when you look at it, obviously insurance companies are in the business to write policies to cover risks at the right rate to make money, and if you're a company running some sort of control system, whether it is critical infrastructure or a bunch of, say, factories that make food products, and you're an executive or board member there, I don't know why you wouldn't be starting to look at addressing this risk and look at ways to transfer the really bad things that can happen.
00:42:27 It's just, to me, it's almost something that
00:42:31 is inevitable. I don't know why it wouldn't happen. The only thing I wonder about, and maybe you could address this as kind of a closing, and then I'll give you a chance to add anything after that, but
00:42:43 will it be so expensive, because they don't have the data for a while? You know, if you're covering all the... if you're not worrying about how secure the system is, we talked about that, and you don't have a good understanding of probable maximum loss, or the quality or quantity of loss information is poor, if you're an insurer you just have to write the policy at such a high rate that it would maybe depress the use of the product. Or how did they deal with that in the past with other similar situations? Premiums at the beginning, at least for new insurers or those just coming into the market of OT policies, they are going to write pretty high premiums, but as more and more come into the market they're going to have to, because of the laws of supply and demand, lower their premium rates if they're going to continue to get business. And so as more people, hopefully through your reporting and other people's work, become aware of the
00:43:43 OT cyber insurance opportunities, then hopefully this will just lower the premium rates and create a better pricing market for manufacturers and industrial facilities.
00:43:58 I think that question that you asked is a perfect opportunity to pivot into the question that I know you wanted to ask us in general with this podcast, which is what research is left to be done, and I think that's key to your answer there. For the premiums on those policies to come down, you have to have the right kind of metrics, and this has to become a bit of a science. And the question becomes: can you predict which industrial systems are more likely to be attacked or are more vulnerable without necessarily doing, you know, a full pen test? Are there ways of predicting these things? There's a great paper in computer science about the removal of vulnerabilities in products, called "Milk or Wine", and the question is, do software products get better with age, like wine, or do they get worse, like milk? And I think the same thing is going on here with industrial systems in general, where you have this problem of insecure by
00:44:58 design, and we know the protocols are insecure. It's going to take them a long time to understand that and its longer-term effects, but we understand that and we can engage them in conversations about these things. Getting back to that research question: can we predict, maybe not exactly which facilities will be impacted, but how many facilities per year will be impacted? Can we predict, from the age of the equipment, or from the number of IP addresses that are assigned publicly, or from the number of DNS names, or any other sort of attribute of a system, whether or not it will be hacked, or whether or not it's more vulnerable than the one next door? And that kind of correlation analysis is what's going to really enable the next generation science of cybersecurity, and I think, like you said, that can only happen
00:45:55 with insurance or without insurance, but the point is you're going to have to put some money aside to protect yourself from these events even if you're not buying insurance, and so that science, if you like, is inevitable, and I see it in much the same way as I think you do as well. Dale, exposure accumulation that they take on with their various clients and with their various policies that they offer, that's one area of research that we're getting into and hope to have wrapped up early spring of next year: how does an insurer... how much exposure do they take on, how much is it going to cost them, a lot of questions around that. So that's another project that we have going on in the cyber realm, and we mean that both for OT and IT incidents.
00:46:48 You know, Eireann, you mentioned a few minutes back that the plant manager might decide if he needs insurance or not, or whether to self-insure. I'm not sure that the plant managers are going to be making those decisions. I think once the board and the C-levels learn about this, they're not going to let some plant manager decide whether they need insurance or not. And I almost wonder, I hadn't thought about it until you were answering that last question, but the Cybersecurity Framework has some very specific risk management requirements in it, and our experience with owner-operators is they really haven't looked at much risk management for their system beyond redundancy requirements. And so I think that, and that's getting C-level and board-level attention, the Cybersecurity Framework, so that's going to get them thinking about the risk management program, which maybe will introduce insurance into the equation more than it
00:47:48 did before, but not from the plant manager level, more from the top level. At least that's my thought, but feel free to talk about that, or why don't I give you a chance here, because as you can tell this is not a topic I'm very versed in, so I've been struggling with my questions. So if there's something you want to point out about the report or the efforts that we didn't talk about, I'll give you both the chance to do that before we close the podcast. One point that I also have a general interest in, and the report highlights, but I think a lot more work needs to be done in, is the cyber threat evolution. You know, we wrote this report as a snapshot in time; in two or three years the vulnerabilities that are in generators obviously will have changed, and there could be more, there could be fewer, we don't know, and I think that's an interesting area of research. Along with that, I also think that as we just
00:48:48 move forward in life, IT systems and OT systems will continue to converge, and this is of great importance to anyone who manages an industrial control system: how do I keep those two systems separate, so that someone who can get access to my IT system cannot control, you know, my OT system? And then the last point too, in terms of the electricity grid, one thing that was of a lot of interest to us and to a lot of the insurers, I guess there's a lot of questions around this, was how will the smart grid change this landscape, when we switch to a system that does control and monitoring of the electricity utilities? What happens then? And these are all great questions we don't have the answers for today, but hopefully others will take on these as research activities.
00:49:37 I think I'll finish up with a couple of other research questions. I know other people want to get involved, and I'd like to encourage them. There's people starting to... well, Tim Yardley is working on a database of cyber liability legislation and case studies; I think that will be a key element to much of this discussion. I think that one of the other things that we've been missing is the study of attackers, not in a deeper anthropological sense but just in the sense of logistical burden. Not all attacks are equal; you know, if you have a command and control server that can handle 200 connections or can handle two million connections, it's going to cost you a different amount of money, time and manpower as an attacker. And I think that we haven't done enough studies of penetration testers and how long it takes them to bypass different controls and
00:50:37 use different techniques, and of course not all penetration testers are equal and they have different experiences, and start to study a little bit more how far attackers can get with a certain amount of money, a certain amount of time and manpower. I also think that we have a tendency to examine most cybercrime as a zero-sum game, where if I spend $50,000 an attacker has to spend $50,000, and I don't think it is a zero-sum game. I think it's a non-zero-sum game, and I think the asymmetry of it is very complicated, given some attackers can spend a small amount of money, even in some cases just their time, and perform an extraordinary amount of damage. So I'd like to see a little bit more research around what that scaling factor is, you know, what's the maximum: if an attacker spends a hundred, can they do a million in damage to the right kind of system? And those are the kinds of
00:51:36 questions that we're interested in at the Risk Centre and will continue to study. And the report is a first pass, and we know that there are a number of things that most engineers would find difficult to swallow, but it's not written for engineers, it's written for the insurance industry to stress test themselves. And if I can just sort of sum that up again, we're providing a sort of boxing partner, sparring partner if you will, to the insurance industry, to try and get them to understand the risks that your listeners face every day, as quickly as possible.
00:52:15 I'd like to thank my guests on this podcast, Eireann Leverett and Jennifer Copic from the University of Cambridge Centre for Risk Studies. I find the cyber insurance topic fascinating and I expect a lot of changes in it; it's something we're going to track very closely. Remember, get your S4 session proposals in before the end of August; that's when the call for papers closes. And as always, we're looking for feedback on the podcast: what you liked, what you didn't like, suggested guests or topics, anything you have to say about it, send it to info at digital. That's the show for now. I'll talk to you again next time something warrants an unsolicited response.
