Cyber risks for power companies

15 April 2019

Power companies have the crucial responsibility of keeping the public safe with well-functioning critical national infrastructure.

However, this task is becoming markedly more difficult with the looming threat of nation state attackers and sophisticated hackers, the automation of operational processes, and power companies’ increasing reliance on technology.

After discovering a disparity between risk managers’ perception of the cyber coverage available and the reality, we decided to dispel some of the common cyber insurance myths:

Cyber risk is purely an IT concern; it doesn’t affect general operations

Cyber risk and operational risk can be one and the same. For power companies in particular, cyber risk can affect every operation within the power plant. This will be especially true as the use of Internet of Things (IoT) devices increases within the power sector and operational functions become more automated.

The IoT further complicates the risk landscape and provides hackers with more opportunities to gain access to company systems. Cyber insurance offers coverage for contingent BI at full limits for the supply chain, to protect against losses arising from third-party vendors.

Our cyber risk can be solely delegated to a nominated executive, as it is not a C-suite issue

The power industry’s unique social responsibility means that it has more at stake than other industries. Complying with cyber security legislation and having someone specifically delegated to address your cyber risk exposures are always positive first steps, but C-suite engagement is vital to encourage positive cyber security practices from the top down.

The underwriting process can also help your company to understand the amount of capacity available in the market in order to transfer some of your risk. This process involves a cyber risk audit, which can indicate your security posture and whether your capabilities are enough to tackle the ever-growing risk.

If I comply with the relevant cyber security standards and regulations, my risk management strategy is effective

Compliance with standards and regulations, like the GDPR, does not mean that the volatility of your residual risk is now under control, or that the standards and regulations address the changing threat landscape.

Cyber risk, like operational risk, is multi-faceted. Your organisation’s risk management strategy needs to be tailored to your specific exposures, rather than the broader requirements given by legislation. Most organisations strive to go beyond the requirements of the regulator to ensure that they remain ahead of the evolving threat landscape.

The cost of replacing systems data and dealing with a cyber incident can be contained within our balance sheet

The rapidly evolving risk landscape requires companies to keep their security systems regularly patched and their technology up to date to prove their resilience in the face of danger. The power industry has traditionally managed its capital expenses very conservatively, and therefore has not approached the replacement of equipment and other assets any differently since cyber attacks and system failures have risen in frequency. The additional long-term expense of replacing controls more often will be a solid investment for power firms, as it could potentially prevent a financially devastating attack.

However, even the most effective controls can fail, and if that happens, the resources immediately available to deal with the incident may prove insufficient. This complexity can require the assistance of third parties, which will significantly increase the financial impact of the incident. To ensure their resilience, power companies will prepare for, recover from and adapt to this expense by absorbing the risk. For this sustainable resilience plan to work, the company will need to be financially stable in anticipation of another event.

Risk transfer and insurance can ensure that power companies bounce back and are able to continue to operate with resilience. The first step is to identify which risks would prove the most valuable to transfer, determine the amount of capital at risk you’re willing to retain, and decide the level of investment you’re willing to allocate to upgrading your capital assets, including your technology and the security around it.

There is no point in purchasing cyber insurance, as the procedures we have in place and our risk of nation state attacks will mean that coverage will automatically be excluded

Insurers don’t always enforce exclusions if the company hasn’t implemented all the necessary prevention methods during a cyber event. Similarly, war exclusions in the context of cyber attacks are interpreted differently in a specialty insurance market. A nation state attack targeting infrastructure is the type of risk power generation companies want to transfer, due to the sophistication of the attack and the catastrophic nature of the potential losses.

When underwriting cyber risk for critical national infrastructure, insurers consider the increased risk, which is reflected in their terms and conditions. A specialist broker will help you to navigate these complexities and bring clarity to the risk transfer process. The wording of exclusions is vital, as it could mean the difference between indemnification and a claim denial. Exclusion wording can sometimes be vague and left open to interpretation, which causes coverage disputes and unnecessary confusion. When the terms of the exclusion are clear and the event doesn’t trigger it, insurers rarely deny coverage.

Business Interruption (BI) limits are not available in the market

Dedicated cyber programmes can be tailored to the company’s risk transfer needs. The policy can cover the physical damage resulting from a cyber attack, the costs and expenses associated with responding to and investigating the attack, preparing business interruption proof of loss, an effective media relations campaign, and data restoration and recreation, among other elements of a cyber incident.

Business interruption has been a particular concern of our clients, and the cyber insurance market is prepared to offer non-physical damage BI coverage with limits up to GBP 500 million. Deductibles are typically measured in hours, while increased costs of working are also covered for the period of restoration. Currently clients can expect 3 to 6 months of indemnity for a non-physical damage business interruption. BI caused by physical damage can also be covered in a standalone cyber or property programme.

The market is not able to insure my total resultant losses, as the amount of capacity required is not available in the cyber market

The biggest challenge is deciding whether to transfer any risk in the first place. Once the decision is made that potential losses are catastrophic and need to be transferred in part to third parties, the process begins to find the most cost-efficient solution. As this is an emerging area of loss for both clients and insurers, insurers can take a cautious ‘risk taking’ approach, which can be perceived as not having enough capacity available. The limits that clients want to buy may be too restrictive, as the severity of the loss means that insurers will charge extra for taking on a greater risk than they currently hold on their books.

Our advice is to invest in an insurance programme with an efficient limit structure that will indemnify the client in the event of a loss, as opposed to buying cheap capacity with products that are untested and unlikely to pay out because there is little discipline in how the risk is taken.

Conclusion

There is no such thing as perfect cyber security and perfect compliance, so power companies must remain vigilant in protecting themselves against the ever-evolving risk landscape. Preventative measures, including risk transfer, would help your organisation maintain a sustainable business model and avoid costly business interruption, while providing the much-needed financial safety net to facilitate your speedy recovery. JLT Specialty offers insurable risk workshops to help you to identify and assess your risks.

We can review the gaps in your current coverage and develop affirmative solutions to transfer your cyber risk and the resulting losses. Our team of legal advocates can also assist with developing the structure of your product to ensure that you are adequately protected.

Gemma Claase

As part of Marsh JLT Specialty’s London-based Power team, Gemma is dedicated to helping clients within the power generation industry throughout the entire project lifecycle.

After graduating from Oxford University, Gemma started at Aon as a renewable energy specialist in Germany. She obtained a Masters in Renewable Energy Finance and became the COO for Global Power. In 2015, Gemma joined JLT Specialty to become the Head of Sales Operations and she is now part of the Power team.

Gemma has worked in the power sector for over 10 years and enjoys projects involving new types of technology and innovation.

If you would like to talk about any of the issues raised in this article, please contact Gemma Claase, Business Development and Operations Director, on +44 (0)20 7528 4129.