Cybersecurity Insurance for Buildings, BAS, BMS

Building owners should have cybersecurity insurance for their building automation systems (BAS) due to the increasing risk of cyberattacks on connected infrastructure.

Key Reasons for BAS/BMS Cybersecurity Insurance

  1. Protection Against Financial Loss: A cyberattack on BAS can result in significant financial losses from system downtime, operational disruptions, or damaged equipment. Cybersecurity insurance can cover the costs of repairs, system restoration, and business interruptions.
  2. Mitigation of Liability: If a breach affects building occupants—such as through compromised security systems, HVAC failures, or data theft—building owners could face lawsuits or claims. Cyber insurance helps cover legal fees and settlement costs.
  3. Ransomware and Extortion Coverage: Hackers may seize control of critical systems like HVAC, lighting, elevators, security, or life safety and demand ransom to restore functionality. Insurance can help cover the ransom payments and the recovery costs associated with ransomware attacks.
  4. Data Breach Coverage: Many BAS collect and store sensitive data (e.g., access logs, surveillance footage). Cyber insurance can protect against the financial and reputational damage resulting from data breaches, including the costs of notifying affected parties and credit monitoring.
  5. Regulatory Compliance: Many regions are implementing stricter cybersecurity regulations for critical infrastructure. Having cyber insurance not only helps in case of a breach but also demonstrates a proactive stance in mitigating risks, which can aid in regulatory compliance and reduce penalties for non-compliance.
  6. Rapid Incident Response: Most cybersecurity insurance policies include access to specialized cybersecurity response teams. These teams can assist in quickly identifying, containing, and resolving breaches, minimizing the damage to building operations and occupants.

Cybersecurity insurance provides a financial safety net and access to expert resources, helping building owners recover from cyber incidents affecting their building automation systems and reducing the long-term impact on operations and reputation. However, many building owners don’t have cyber insurance for their building systems.

The podcast video below addresses cybersecurity insurance and is worth watching. Here’s an insightful quote from the video:

“most of the industry is probably self-insuring and does not know it while at the same time doing very little to mitigate the actual risks”

Podcast Highlights – BAS/BMS Cybersecurity

  • Digital transformation and automation of buildings started to occur in the 1980s, and security was not a concern (there was no internet).
  • The technology cycle for building controls is decades and they are much further behind general IT equipment such as servers and desktop computers.
  • There are many different types of building systems from various vendors and this results in fragmented decision making.
  • Insurance companies are realizing that they are insuring against a risk they don’t understand, so policy riders are being inserted into new insurance contracts to exclude things like the impact of attacks on building control systems.
  • The first step is to inventory your building systems
  • Keep your software current
  • Back-up your systems for faster recovery
  • Look for ways to add security and recover without having to add or modify IP addresses

Beyond this, using a Zero Trust framework from a solution such as DOME for securing building controls ensures only authorized and authenticated users and control devices can communicate with each other.

Video source: Memoori