Focused on the potential challenges faced by Operators of Essential Services (OESs), the analysis performed also explores aspects of cyber insurance from a policy development perspective, and suggests recommendations to policymakers and to the community of OESs.
What does the report reveal?
With the current trend of increasing cyber incidents also affecting OESs to a large extent, a majority of them perceive cyber insurance as a service they cannot afford given the outstanding premiums and disadvantageous coverage. According to data gathered through a survey targeting 262 OESs across the EU, three in four do not currently have cyber insurance coverage. The survey also reveals that other risk mitigation strategies are often considered more favourable by OESs.
For 77% of respondents, a formalised process has been set to identify cyber risks. The remaining 23% do not have any such process in place. On the other hand, 64% of organisations declare not quantifying cyber risks. However, all interviewed contributors declare having risk-management practices in place and a process to determine controls.
The motivators behind the decision to contract insurance coverage include coverage in case of a loss as a result of a cyber incident for 46%, requirement by law for 19%, pre-incident or post-incident expert knowledge from insurance companies.
56% of respondents declared they considered other risk mitigation tools more effective than cyber insurance.
Recommendations to policy makers
- Implement guidance mechanisms to improve maturity of risk management practices of OESs;
- Promote the establishment of frameworks to identify and exchange good practices among OESs, specially related to identification, mitigation and quantification of risk exposure;
- Encourage initiatives, including standardisation and guidance development, to provide assessment methodologies on the quantification of cyber risks;
- Develop collaborative frameworks with public and private partners to enable skills frameworks and programmes for cyber insurance, particularly in areas such as risk assessment, legal aspects, information management and cyber insurance market dynamics.
Recommendations to OESs
- Make progress towards the maturity of risk management practices;
- allocate or increase budget to implement processes on identification of assets, key metrics, conduct periodic risk assessments, security controls identification and quantification of risks based on industry best practices;
- Improve knowledge transfer and sharing with other OESs.
To coincide with the publication of the report, ENISA welcomed the visit of Petra Hielkema, Chairperson of the European Insurance and Occupational Pensions Authority (EIOPA).
ENISA has developed synergies with stakeholders such as the EIOPA to engage in actions to understand the mechanisms and potential needs of the cyber insurance sector in relation to cybersecurity and market development. These synergies materialise through the coordination of activities meant to monitor cyber insurance developments, knowledge exchange and multidisciplinary collaboration.
For press questions and interviews, please contact press (at) enisa.europa.eu