American Oil and Gas Reporter - August 2023 - 66

SpecialReport: Cybersecurity
FIGURE 2
U.S. Cyber Insurance Rate Changes by Quarter
25
30
35
40
20
15
10
5
-5
34.3
27.6
25.5
11.1
18.0
6.5
1.4
0.0 0.4
-0.7
0.1 0.0 0.3 1.2
4.4
-0.2
2.9
7.7
8.4
15.0
27.5
26.8
20.3
Source: The Council of Insurance Agents and Brokers
digital assets, and repairing or replacing
computers and other hardware. These direct
costs come alongside business interruptions
that can reduce revenue
significantly.
Then there is the matter of cybersecurity
compliance. Federal authorities such
as the Transportation Security Administration
are expanding cybersecurity regulations
and therefore firms' potential
exposure to fines and penalties.
A cyber insurance policy can cover all
these costs. Several vendors provide financial
loss modeling services to help
upstream companies evaluate their
unique risks and financial exposure to cyberattacks
and weigh different insurance
options. In general, the cost of cybersecurity
insurance is small compared with
the potential losses from a cyber-incident.
Cyber insurance often comes with side
benefits. For example, some insurers have
partnered with cybersecurity software
providers to offer policyholders discounts
on their software and services. If a cyberincident
occurs, the insurer likely has prenegotiated
rates with incident response
firms and other vendors that can help during
the claim and incident response
process. Tapping these resources rather
than spending time finding the right vendor
can enable a fast response, which is
critical to limiting the incident's impacts.
A Strong Defense
As the insurance market stabilizes, upstream
firms can focus on implementing
policy and technology changes to soften
66 THE AMERICAN OIL & GAS REPORTER
premiums and, hopefully, reduce the
threat or consequences of a cyberattack.
One of the best steps a company can
take is to upgrade its technologies. This
advice applies not only to corporate information
technology but also to the operational
technology that helps
companies manage drilling platforms,
well sites, facilities and pipelines, such as
SCADA systems, network operations
centers and industrial control systems.
Underwriters want access to both the OT
and IT environments to be governed by
strong cybersecurity controls.
Speaking of strong controls, implementing
multifactor authentication
(MFA) is a good start. MFA can help prevent
bad actors from accessing networks,
cloud applications, corporate email accounts,
special privileges or backups by
requiring employees, contractors and
vendors to verify their identity in at least
two ways, often by pairing a password
with something physical. For example,
online bank accounts may require users
to enter a password, then text a number
to their smartphone or ask them to provide
a number from an authentication app
it contains.
There are other ways to authenticate,
such as fingerprints or flash drives. The
more required, the less likely an attacker
will be able to replicate them all.
Although MFA is powerful, it is not a
silver bullet. To prevent bad actors from
entering internal networks, companies
should also:
· Use Web and email security tools
to filter out emails that contain malicious
links and attachments, block malicious
websites or downloads and automatically
evaluate suspicious files in an isolated
sandbox before they reach the end user;
· Implement a process to scan for
and identify software vulnerabilities so
they can be patched quickly, with priority
going to patching critical security vulnerabilities;
and
· Protect the network with a next-generation
antivirus firewall that is smart
enough to identify previously unseen threats.
To bypass some of these defenses, bad
actors often attempt to trick users into
sharing passwords and other sensitive information,
a practice called phishing.
Training can make employees aware of
the most common phishing tactics and
encourage them to respond appropriately
(meaning they avoid opening a suspicious
message, report it and delete it).
The training usually takes the form of
Web-based lectures with quizzes to ensure
attentiveness, understanding and retention.
Blunting
Impacts
Preventing access to networks is a
vital part of an effective cybersecurity
strategy, but it is only the beginning.
Even with the best protections, bad actors
eventually may find a way in.
These actors may be external threats or
disgruntled employees. With that in
mind, many companies divide their networks
into segments to limit how much
information is revealed when one segment
is compromised.
In case bad actors gain users' log-in
credentials, companies should practice
privileged access management (PAM).
PAM has several components, but the key
idea is to limit users' capabilities within
a network to the ones they need to perform
day-to-day tasks, with other capabilities
unlocked only when they are
needed through separate credentials. This
approach restricts the changes attackers
can make and the information they can
retrieve. Modern PAM solutions monitor,
detect and prevent unauthorized access to
accounts-including service providers'
accounts-and critical resources.
Companies with intellectual property
or sensitive information about employees
or customers should consider implementing
data loss prevention tools.
Quarterly Rate Change (%)
3Q17
4Q17
1Q18
2Q18
3Q18
4Q18
2Q19
3Q19
4Q19
1Q20
2Q20
4Q20
1Q21
2Q21
3Q21
4Q21
1Q22
2Q22
3Q22
4Q22
1Q23
1Q19
3Q20
American Oil and Gas Reporter - August 2023

Table of Contents for the Digital Edition of American Oil and Gas Reporter - August 2023
