For U.S. critical infrastructure businesses, such as utilities, telecommunications and water suppliers, the threat of cyberattack is a growing and persistent concern. According to the Ponemon Institute, cyberespionage attacks have risen 38% since 2010. For cyberinsurance providers seeking to accurately assess risk for U.S. critical assets, it is becoming increasingly clear that a comprehensive, holistic approach is required.

Impact of market forces on risk
Critical infrastructure companies fulfill an important role in facilitating business. Unlike the private industry, these firms are both physically and virtually exposed by the very nature of the services they provide. As market forces evolve, so too does the risk of exposure for these companies.

Operating distributed and complex infrastructures requires energy companies to pursue long-term, cost and technology-efficient investments in equipment. Those investments in efficiency, both legacy and current, have created more dynamic vulnerabilities that closely match the security trends of traditional IT networks. With the range of risks increasing, from disgruntled employees to hacktivists, and the public policy pressures growing, energy companies must seek an improved method of addressing these exposures while reducing and transferring risk appropriately.

Additionally, operational risks stemming from reliance on outsourced services and complex supply chains continue to complicate strategic risk management. These business relationships often exacerbate privacy liability and extend external dependencies, thereby increasing vulnerability. These exposures compound security risks and create opportunity for increased liability–a tangled web for infrastructure companies that delicately balance serving public needs with security.

The changing face of cyber-threats
When thinking about cyber-threats, most people think about a virus developed by a lone hacker trying to access financial information for personal gain. While that scenario is realistic, today's cyber threat has become far more complex and more challenging to identify. Consider that hackers gained entry to Target's customer data via an unsuspecting HVAC supplier.

For infrastructure companies, the danger of a cyberattack is also far more threatening. Imagine the potential damage and loss that could result from a malicious attack targeting water management, energy or gas production facilities. In such circumstances, insurance generally covers equipment damage resulting from the cyber event, but there is a host of other financial consequences following an attack.

It's these potential catastrophic scenarios that are forcing infrastructure businesses to take a closer look at their security profiles in order to make informed risk-management decisions.

This is where cybersecurity insurance can help infrastructure companies identify and reduce their risk exposure, while reducing their own potential for financial burden. In the course of policy development, underwriters must assess a potential insured's risk. Traditionally, this process is limited to a questionnaire completed over the phone. The data gathered is not validated, nor is there any third-party evaluation. This process is simply insufficient to properly assess a company's risk profile.

When assessing cyber-risk, insurers must consider every possible avenue of exposure. Security is neither a single act, nor a vendor sensor; it is a collection of activities that harmonizes corporate investments in people, technology and process. This perspective guides the holistic assessment methodology, as well as the domains that must be evaluated for risk: insider threat, data security, mobility and physical security, and internal and external business processes. The maturity of existing security policy, procedure and governance is assessed, and organizational resources are prioritized based on the severity of vulnerabilities identified across the multiple threat vectors.

The value of holistic enterprise risk assessment
Leveraging enterprise security risk assessment methods, cybersecurity insurers can gain a realistic understanding of a potential insured's holistic risk posture. For critical infrastructure companies, this offers a two-fold benefit by highlighting necessary business investments made in the public interest, while also generating information about high value security investments that are aligned with real business decisions. Herein lies actionable intelligence that supports infrastructure companies' needs to balance their investments to both meet market demands and also reduce risk.

These benefits extend to existing policy holders, as well. For example, enterprises can use an annual policy stipend toward holistic security assessments that provide actionable intelligence to assist in the enhancement of their security awareness and preparation. Further, the insured can benefit from improved decision-making on resource allocation against high-risk areas, thereby maximizing the value of existing security investments and reducing risk exposure. Combined, this can reduce the probability of future loss and ensure that the policy holder's value is preserved.

For critical infrastructure companies, holistic assessments illustrate the capabilities and limits of their security mechanisms, facilitate their selection of appropriate insurance coverage relative to their customized risk profiles, and recommend investments in additional controls where the return on investment is warranted, such as transitioning from a lower maturity level to a higher one in a priority area.

With Executive Order 13636, it has become incumbent on all public and private organizations to proactively share and defend U.S. critical infrastructure from potential cyber-threats. In this vein, insurance providers are in a unique position to play a role in helping to protect critical assets by engaging in holistic risk assessments that enable risk-informed decisions by their clients with regard to their risk tolerance.

As the patchwork of traditional insurance coverage is transitioning to exclude "cyber" from existing property & casualty, errors & omissions, professional and privacy liability policies, presenting a holistic security assessment is central to establishing stronger proportional links between insurance premiums and customers' validated security profiles.


© 2024 ALM Global, LLC, All Rights Reserved.