NAIC Cyber Security Principles – not for industrial control systems

There is still a significant gap in understanding of industrial control system (ICS) cyber security by many in the insurance industry. The National Association of Insurance Commissioners (NAIC) issued "Principles for Effective Cyber Security Insurance Regulatory Guidance". The NAIC principles effectively focus on data breach. According to the NAIC principles, “Insurance regulators have a “significant role and responsibility” regarding protecting consumers from cyber security risks, regarding insurers' efforts to protect sensitive customer health and financial information, and protecting sensitive information housed in insurance department..." However, data breach is not a significant issue for ICS cyber security. ICS cyber incidents can, and have, led to significant equipment or environmental damage, business interruption, and deaths. These significant impacts need to be considered as insurance policies often have exclusions for cyber attacks. Unintentional cyber incidents are not cyber attacks and therefore may not be excluded from existing policies. ICS cyber attacks can affect multiple facilities in multiple locations causing very significant near and long-term damage to facilities and people. The insurance companies need to better understand their risks and potential liabilities to ICS cyber incidents whether they are malicious or unintentional.

Joe Weiss