Content Assessment: Fitting the Needs of Operators of Essential Services? Demand Side of Cyber Insurance in the EU
Information - 93%
Insight - 94%
Relevance - 90%
Objectivity - 92%
Authority - 91%
A short percentage-based assessment of the qualitative benefit of the announcement and report from ENISA on current perspectives and challenges of Operators of Essential Services related to acquiring cyber insurance services.
Editor’s Note: ENISA, the European Union Agency for Cybersecurity, was established in 2004 to promote a high level of cybersecurity across Europe. The EU Cybersecurity Act has strengthened its role, and it works towards enhancing the trustworthiness of ICT products, services, and processes with cybersecurity certification schemes, contributing to EU cyber policy, cooperating with Member States and EU bodies, and preparing Europe for future cybersecurity challenges. Through knowledge sharing, capacity building, and awareness raising, ENISA collaborates with key stakeholders to build trust in the connected economy, boost the Union’s infrastructure resilience, and maintain digital security for Europe’s society and citizens. The recent report from ENISA, titled “Demand Side of Cyber Insurance in the EU,” delves into the difficulties that Operators of Essential Services (OESs) in the EU encounter when attempting to obtain cyber insurance. The report’s findings could prove useful to professionals in cybersecurity, information governance, and eDiscovery, as they aim to gain a better understanding of the cybersecurity terrain for essential infrastructure and develop sound risk management strategies.
Background Note: Operators of Essential Services (OESs) are entities that provide critical services that are essential for the functioning of society and the economy. These services include, but are not limited to, energy, transportation, healthcare, drinking water supply, and financial services. OESs are identified by the European Union (EU) as entities that operate in sectors that are crucial for the maintenance of essential societal and economic activities and whose disruption would have a significant impact on the security, health, and welfare of citizens or on the functioning of the economy. The EU has established a framework for the identification and designation of OESs, and these entities are subject to specific cybersecurity and resilience obligations to ensure the continuity and security of their services.
Press Announcement And Report* (February 23, 2023)
Cyber Insurance: Fitting the Needs of Operators of Essential Services?
The new report by the European Union Agency for Cybersecurity (ENISA) explores the challenges faced by Operators of Essential Services in the EU, when seeking to acquire cyber insurance.
Focused on the potential challenges faced by Operators of Essential Services (OESs), the analysis performed also explores aspects of cyber insurance from a policy development perspective, and suggests recommendations to policymakers and to the community of OESs.
What does the report reveal?
With the current trend of increasing cyber incidents also affecting OESs to a large extent, a majority of them perceive cyber insurance as a service they cannot afford given the outstanding premiums and disadvantageous coverage. According to data gathered through a survey targeting 262 OESs across the EU, three in four do not currently have cyber insurance coverage. The survey also reveals that other risk mitigation strategies are often considered more favorable by OESs.
For 77% of respondents, a formalized process has been set to identify cyber risks. The remaining 23% do not have any such process in place. On the other hand, 64% of organizations declare not quantifying cyber risks. However, all interviewed contributors declare having risk-management practices in place and a process to determine controls.
The motivators behind the decision to contract insurance coverage include coverage in case of a loss as a result of a cyber incident for 46%, requirement by law for 19%, pre-incident or post-incident expert knowledge from insurance companies.
56% of respondents declared they considered other risk mitigation tools more effective than cyber insurance.
Recommendations to policy makers
- Implement guidance mechanisms to improve maturity of risk management practices of OESs;
- Promote the establishment of frameworks to identify and exchange good practices among OESs, especially related to identification, mitigation and quantification of risk exposure;
- Encourage initiatives, including standardization and guidance development, to provide assessment methodologies on the quantification of cyber risks;
- Develop collaborative frameworks with public and private partners to enable skills frameworks and programs for cyber insurance, particularly in areas such as risk assessment, legal aspects, information management and cyber insurance market dynamics.
Recommendations to OESs
- Make progress towards the maturity of risk management practices;
- Allocate or increase budget to implement processes on identification of assets, key metrics, conduct periodic risk assessments, security controls identification and quantification of risks based on industry best practices;
- Improve knowledge transfer and sharing with other OESs.
To coincide with the publication of the report, ENISA welcomed the visit of Petra Hielkema, Chairperson of the European Insurance and Occupational Pensions Authority (EIOPA).
ENISA has developed synergies with stakeholders such as the EIOPA to engage in actions to understand the mechanisms and potential needs of the cyber insurance sector in relation to cybersecurity and market development. These synergies materialize through the coordination of activities meant to monitor cyber insurance developments, knowledge exchange and multidisciplinary collaboration.
Read the original announcement.
Complete Report: Demand Side of Cyber Insurance in the EU (PDF) – Mouseover to ScrollDemand Side of Cyber Insurance in the EU
*Shared with permission under Creative Commons – Attribution 4.0 International (CC BY 4.0) – license.
- International Cyber Law in Practice: Interactive Toolkit
- Defining Cyber Discovery? A Definition and Framework
Have a Request?
If you have information or offering requests that you would like to ask us about, please let us know and we will make our response to you a priority.
ComplexDiscovery is a premier online publication renowned for providing essential insights and intelligence in the realms of cybersecurity, information governance, and legal discovery to professionals navigating these fields. As a leading source of information, the publication expertly combines original research with aggregated news to cater to a highly specialized audience. Committed to enhancing readers’ understanding of relevant topics, ComplexDiscovery stands as an impartial and comprehensive resource for exploring trends, technologies, and services associated with electronically stored information.
The driving force behind this influential publication is ComplexDiscovery OÜ, a technology marketing firm that excels in strategic planning and tactical execution for organizations operating within these sectors. Registered as a private limited company in Estonia, a global leader in digital advancements, ComplexDiscovery OÜ dedicates its primary focus to supporting the publication. The company capitalizes on its virtual presence to provide marketing consulting and services to a diverse array of clients around the world, further solidifying its reputation as a leading voice in the eDiscovery ecosystem.