The insurance industry has a key role to play in helping governments and critical infrastructure businesses prepare for cyber attacks, AEGIS London’s active underwriter David Croom-Johnson told an audience at the Houses of Parliament in London this morning.
Speaking at the 2014 Electrical Industry Security Summit, a global event involving politicians, academics, security experts and infrastructure companies, Croom-Johnson drew parallels between the insurance industry’s reaction to the sinking of the Titanic and the 1906 San Francisco earthquake and the role it could play in preparing countries to manage future cyber terrorism and cyber warfare. In the cases of both the Titanic and the San Francisco earthquake, insurers’ calls for safety improvements and their direct funding of initiatives led to improvements in wireless telegraphy, Marconi signal stations and building codes. Croom-Johnson argued that AEGIS’s risk assessment capabilities and cyber security expertise made it the ideal adviser to governments and national infrastructure bodies on cyber risk.
He also called for the formation of a centralised body to take a holistic view of cyber security for the energy sector. The body could be modelled on the Institute of Nuclear Power Operations, which promotes safety in nuclear power facilities.
He said: “We need a unified industry response to risk management, security, incident response, threat intelligence and loss control. From our own discussions, we know there is growing regulatory and compliance fatigue over the question of cybersecurity. Yet critical infrastructure companies, more so than other sectors, are all too aware of the cyber spectre.
“It’s a spectre growing in stature with the backdrop of increasingly complex geo-political situations.
“Both the US and UK security agencies have offered alternative visions, but none are unified or consistent. Critical infrastructure companies would like unified guidance; no-one wants a repeat of the situation which occurred after US retailer Target was attacked, with regulators and shareholders becoming increasingly aggressive and militant.”
Croom-Johnson said that governments should understand that insurance cannot be the total solution to cyber risk. He said: “Governments tend to think there is unlimited capacity within the insurance market. This is far from the case. Insurers have only a finite capacity to respond, and indeed some will not wish to respond at all. Governments need to work with us with the objective of increasing cyber risk management and risk modelling capabilities and of improving security.”
Lloyd’s of London insurer AEGIS London, and its parent AEGIS, insures the vast majority of utility infrastructure in North America.
In April, AEGIS London launched its Cyber Resilience product – the first cyber insurance product for the energy and critical infrastructure sectors to protect against both traditional cyber risk – privacy, data loss – and threats to operational technology such as generators and pumps.
The Electrical Infrastructure Security Summit takes place 30 June–1 July at the Houses of Parliament, London. It is the fifth annual world summit on infrastructure security.
David Croom-Johnson was speaking in a debate on man-made threats to critical infrastructure.