Chemical industry turning to cyber insurance as threats and regulations intensify: Moody’s

Chemical companies worldwide are increasingly turning to standalone cyber insurance policies to mitigate the risks associated with a surge in cyber incidents and impending regulatory changes, Moody’s noted in its 2023 cyber survey, the results of which have just been released.

The survey indicates that approximately 70% of chemical industry respondents now carry standalone cyber insurance. The prevalence of these policies is highest in the Americas, where 88% of companies have coverage, followed by EMEA at 60%. While none of the respondents from the Asia-Pacific region currently have cyber insurance, all indicated plans to purchase it within the next year.

The primary coverage areas include business interruption, ransom payments, reputational damage, legal settlements, regulatory fines, and incident response.

Motivations for increased coverage

The heightened focus on cyber insurance is driven by a combination of escalating cyber threats and stringent new regulations. Chemical companies recognize the potential financial and operational impacts of cyber incidents and are proactively seeking insurance to protect against these risks. Moreover, regulatory frameworks in the EU and US are set to impose new cybersecurity requirements on critical infrastructure sectors, including the chemical industry.

In the EU, the Network and Information Security (NIS) Directive 2.0 will come into effect in October 2024, expanding the scope of industries required to adhere to stringent cybersecurity measures. Similarly, the US is expected to finalize the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) by October 2025. These regulations will mandate chemical companies to report cyber incidents and implement robust cyber risk management practices.

Advanced Cyber Defense and Governance

Alongside the adoption of cyber insurance, chemical companies are enhancing their cybersecurity frameworks. The survey shows that 95% of cybersecurity heads in the chemical sector report directly to a C-suite executive, ensuring that cyber risk management is a top priority at the highest levels of management. Additionally, many firms have tied CEO compensation to cybersecurity performance, particularly in the Americas, where 38% of respondents have implemented this linkage.

The chemical industry is also addressing the risks posed by third-party software providers, Moody’s noted - a trend also seen in other lines of business such as healthcare. Companies in the Americas are leading the charge by imposing strict cybersecurity requirements on external vendors, including mandatory cyber risk assessments and timely incident notifications. Despite these measures, many chemical industry firms globally remain vulnerable to breaches originating from their third-party providers.

The trend toward increased cyber insurance coverage is expected to continue as regulatory pressures mount and cyber threats evolve, Moody’s said. Chemical companies are likely to further enhance their cyber defenses and insurance policies, ensuring greater resilience against potential cyberattacks and compliance with forthcoming regulations.