If You’re Insuring an Industrial Company, Watch Its Supply Chain Too

02 Nov 2020

Editor's Note: In one of our recent blog posts, OTORIO CEO Danny Bren wrote about the viability of ransomware payouts for insurance companies. Here, OTORIO VP of Marketing Yoel Knoll introduces the intricacies of supply chain to cyber insurers.

Even in the shadow of the Coronavirus pandemic, global industrial supply chains are here to stay. They are a lifeline for the economy, and offer a wealth of benefits for both consumers and manufacturers. Yet in the never-ending quest to streamline global supply chains, as they seek out more affordable labor, services, goods and components, companies face new challenges and risks.

Supply Chain Cybersecurity: You’re only as strong as your weakest link

There is one part of every single link in the industrial supply chain, however, that does pose an existential threat to the enterprise: OT network cybersecurity. In a hyperconnected global economy, threat actors have learned that gaining access to enterprise OT networks directly is challenging. Yet gaining access to these networks indirectly, through third-party connected networks, is often much simpler.

The integration of customer and supplier systems has created a massive opportunity for cyber criminals to infiltrate the weakest links in the OT network chain, then move laterally once inside in order to reach the enterprise’s inner sanctum.

Luckily, insurers have begun to take notice.

Supply Chain Cybersecurity: Why Should Insurers Care - and What Can Insurers Do?

Cyber insurance is a $4.5 billion market and is expected to grow to $21.4 billion by 2025. Given the sheer size of the risk, and the massive potential exposure to third-party risk, many insurers have begun to demand to know who - and what - exactly they’re insuring. The problem is that while larger and more sophisticated enterprise customers are focused on supply chain risks, as insurers move down the chain to smaller and medium-sized businesses, these players are simply less focused on cyber risk management.

So what can insurers do? Insurers are beginning to meet demand for protection by offering contingent business interruption coverage within cyber policies. This creates an underwriting challenge, especially with regard to risk aggregation. The problem? The underwriting process includes identifying probable maximum losses, and in the cyber realm, given the complexities of industrial supply chains, the risk aggregation is extremely complex to calculate.

Understanding and Quantifying Supply Chain Cybersecurity Risks

To prioritize industrial supply chain cyber risk, OTORIO recommends that insurers take the following steps to understand what they do not yet understand about sensitive data and assets within the policyholder network and across its supply chain:

  1. Get to know the policyholder’s business — Understand what assets (digital and physical) policyholders have, where they reside, who has access to them, and when they are purged. From this, the process of evaluating how to manage cyber security challenges can begin. So a good place to start would be a comprehensive asset inventory management capability that is also able to map potential weak spots and risks.
  2. Quantify your client’s digital assets — Cyber liability insurance will not prevent a cyberattack, but it will help a company recover more quickly from a data breach or network security failure. Yet insurers need to make sure policyholders understand what they want to protect. A company may be positive that it is managing (and protecting) 500 assets, for example, but once the supply chain is considered, it potentially has hundreds or even thousands of assets. And most of these assets reside outside the company’s perimeter.
  3. Understand the impact of supply chain vendors on your clients - In today’s digital industrial world, the supply chain is an integral part of the manufacturer’s daily operations. Here’s an example. If a manufacturer purchased a machine or a full line from a certain vendor, that vendor will continue to support the enterprise throughout the lifetime of the machine or line. This means the vendor may (and often will) have direct remote access to the manufacturer’s production environment - for example, to perform maintenance tasks. The immediate impact: your client’s security is only as good as that of its vendors (OTORIO recently posted an article about vulnerabilities we found in a number of industrial remote access tools). Sure, it’s impossible to extend cybersecurity to every supplier - but you need to make sure that your client takes extra care to protect the access points into its environment.
  4. An ear to the ground - Insurers can help their customers better prepare for (and hopefully prevent) cyberattacks by staying on top of the news. If your client operates in a vertical that is making cybersecurity headlines - you had better start preparing for an attack.
  5. Employ industrial risk scoring - Because it involves multiple asset classes, i.e. IT/OT/IoT/IIoT, industrial security risk scoring is more complex than “standard” cybersecurity risk scoring. When opting for a cybersecurity partner, be sure to choose one who has an established risk scoring model and risk score automation tools. When done correctly, the score will also factor in third-party and supply chain risks, allowing organizations and their insurers to single out - and fix - those vulnerabilities.
  6. Partner with cyber technology experts - Long used to partnering with IT cybersecurity firms, cyber insurers are beginning to internalize that IT and OT cybersecurity are vastly different fields. IT cybersecurity specializes in securing bits and bytes, which is inarguably crucial for business. OT cybersecurity, on the other hand, specializes in securing both data and physical systems, and especially the intricacies of OT components that communicate via industry-exclusive protocols and are not even visible to IT networks.

The Bottom Line

Insurers dealing with cybersecurity should be aware of supply chain risks in the industrial and manufacturing sectors. If the supply chain is breached, everyone along the line can be breached. Cyberattacks aimed at an enterprise policyholder may not initially target that policyholder, but rather a target elsewhere along the supply chain. The same is true in reverse: your client may be the prime target of an attack that starts with one of its suppliers (or sub-suppliers).

By taking steps to better understand risk, and by partnering with industrial network cybersecurity domain experts, cyber insurers can mitigate risk and positively impact their bottom line.

To learn more about industrial and supply chain cybersecurity risks, to speak with one of our professionals or find out how you can partner with OTORIO, fill out the form below, and let us know how we can assist.
