Data Security

Commercial building owners fretting over cyber risk should check the fine print on their insurance

A sign is displayed on the Lloyd’s building, home of the world’s largest insurance market Lloyd’s of London, on March 27, 2017 in London. While many commercial building owners may believe their properties are covered from cybercrime through general commercial property insurance policies, security professionals are highlighting an ...

While many commercial building owners may believe their properties are covered from cybercrime through general commercial property insurance policies, security professionals are highlighting an urgent need to address that misconception and help owners qualify for cyber insurance.

According to a recent whitepaper by JLL’s Property Management group, Red Bison Technology Group, and Aon, property owners must understand the operational technology threats and the level of cyber coverage, if any, in their commercial property policies to protect against catastrophic loss.

“I frequently have conversations with building owners who remain confused about the risk of OT threats and what is or is not covered,” Jason Lund, Leader of Technology Infrastructure at JLL, noted in the report. “In the past, this lack of understanding was not researched sufficiently by the owner. Unfortunately, the problem has now become too great to ignore.”

Indeed, while many property owners tend to link cybersecurity to information technology, there is a growing concern over OT and IoT in buildings.

“There have been successful hacks where attackers took over buildings’ automation systems. There have been threats against clients for their sprinkler systems. There have been threats with door locks and with communication aspects of the buildings as well,” Lund said during a LinkedIn panel Tuesday.

Earlier this year, Intelligent Buildings, an advisory and managed service for real estate owners, said a Chinese-speaking threat actor was targeting building automation systems across several Asian countries using the Microsoft Exchange ProxyLogon vulnerabilities. In 2019, researchers at ForeScout developed proof of concept malware code exploiting 10 different vulnerabilities capable of worming through different building automation systems.

Today, cyber insurance reaps estimated annual premiums of $8 billion to $10 billion, which industry experts says will reach up to $22.5 billion by 2025, as demand for coverage expands with recognition of threats.

A report by Fitch Ratings concluded that cyber insurers are likely to experience a windfall over the next few years amid price increases and tighter underwriting standards. However, they also noted that losses in the cybersecurity segment will remain more volatile than other insurance products.

Joanne Quintal, Managing Director at Aon, noted in the panel that cyber insurance is a hard market, and few properties qualify for it comprehensively.

In the insurance industry, a hard market is an upswing in a market cycle when insurance premium rates are escalating, and coverage exclusions are coming into play. Cyber insurance has come out of the hard market cycle since 2017 when the NotPetya malware attacks disrupted dozens of businesses, government institutions, and critical infrastructure with more than $10 billion global cost, according to multiple studies.

“In this [hard market] environment, insurers are keenly focused on identifying and evaluating the adequacy of individual cyber security profiles. This investigative work can result in insufficient coverage capacity for a buyer if sufficient cyber security protocols are not in place,” Quintal said. To qualify for comprehensive cyber insurance, David Cahoon, Chief Technology Officer at Red Bison, recommends that property owners and operators start with risk assessment.

“You must look at every aspect of your buildings, including access controls, IoT/OT devices, endpoints, network communications, health and safety, and fire controls. Based on these assessments, you can start determining the type of security and the level of what you want to achieve from risk mitigation,” Cahoon said during the panel.

Cahoon and Quintal also noted that property owners could focus on developing specific security controls that cyber insurance companies are looking for, such as multi-factor authentication, endpoint detection and response, patch management, secure remote access, incident response plans, and disaster recovery plans.

Menghan Xiao

Menghan Xiao is a cybersecurity reporter at SC Media, covering software supply chain security, workforce/business, and threat intelligence. Before SC Media, Xiao studied journalism at Northwestern University, where she received a merit-based scholarship from Medill and Jack Modzelewski Scholarship Fund.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.