WHO TURNED OFF THE LIGHTS?
HOW CYBER ATTACKS HAVE FORCED ENERGY COMPANIES & GOVERNMENTS TO MANAGE NEW RISK
It was a cold day December 23, 2015 in Kiev and it got a lot colder when hackers attacked the energy grid in western Ukraine. After shutting down substations, the hackers proceeded to jam the power company’s customer service phone lines to delay the outage from being reported. Ukrainian officials were eventually able to get the lights back, but it required them to manually reset circuit breakers at each station.
This internationally recognized incident brings light to a growing concern among energy companies and governments alike. As the energy sector has become quick to embrace new internet-connected Industrial Control Systems (ICS), the ability for hackers to exploit and attack energy infrastructure is no longer science fiction, but rather a very concerning reality.
Here is the good. ICS technologies have been at the heart of reducing costs, improving efficiency, and streamlining operations. With razor thin margins in renewable energy particularly, companies are constantly battling operation costs in an effort to make clean energy affordable an attractive to both the commercial and residential consumer. New technology based control systems have helped this effort.
The bad? Reuters reports that in the U.S. alone, over 40% of attacks on infrastructure are now aimed at its energy grid and that the total global spend to defend against these types of attacks is expected to balloon $1.87B by 2018. The same technologies that have helped modernize energy production and deployment are unfortunately experiencing a nasty financial byproduct that doesn’t look to be going away anytime soon. With the expectation of consistent energy incumbent upon these energy companies, their reputation for supplying reliable is now in jeopardy. A growing global population that is increasingly dependent upon energy supply will not be all too willing to forgive and forget a company that allows the lights to go out. In business, recovering from a tarnished brand can be a significant challenge.
Is reputation the only risk from these attacks? The answer, a resounding no. The cost can go well beyond a company’s reputation. It’s conceivable that a hacker could overload certain systems, causing a violent explosion. Most energy companies turning to their insurance company to recover these types of losses would be shocked to learn that they have NO COVERAGE for damage caused by a cyber-attack.
SO, WHAT DO YOU NEED TO KNOW ABOUT YOUR INSURANCE POLICY AND ITS CYBER LIABILITY COVERAGE GAP?
Since the financial impact is so hard to measure as a result of cyber-attacks, many insurers have been unable or unwilling to provide a compelling premium for their insured to pay in order to transfer the risk. Instead, they have added a clause to their policy form (such as the Institute Cyber Attack Exclusion Clause CL380 in the UK) excluding property damage, bodily injury and loss of business income from software, virus or other malicious computer code.
For those companies that see “cyber liability” itemized on their insurance policy forms, read the fine print. While many of the cyber liability insurance policies that exist today cover minor things such as data loss or downtime caused by IT issues, major events like explosions at multiple facilities triggered remotely by hackers are excluded.
Yes, there are pitfalls within many of these insurance policies and clearly the threat of cyber-attacks is real. However, despite these challenges, technology must continue advancing to keep our energy infrastructure moving forward. The electronic interconnectedness of our energy systems is a major advancement towards the universal sustainability of clean energy.
In response to these challenges, energy companies engaged in the use of advanced software and technology to operate their systems should simultaneously be looking to partner with insurance brokers and carriers specializing in Energy Risk Management. These brokers and their team of underwriters are trained to identified gaps in your coverage and have access to unique insurance solutions that will respond. Today, several carriers now exist who can offer coverage for gaps in cyber liability exclusions. If you are not confident in your incumbent insurance program or sense there may be deficiencies, then it may be time to work with someone who can help.