Imagine that skilled hackers strike a New York-area utility, knocking out electricity to hundreds of thousands of customers in the dead of winter.
Once the dust clears and the power comes back on, can insurers help foot the bill for all the damage?
Not long ago, such a nightmarish cyber scenario seemed about as likely as Godzilla crawling out of the ocean and knocking down transmission lines. But a recent onslaught of online attacks targeting the U.S. energy sector has raised questions about who will pay for the fallout if and when the bad actors succeed.
Joseph Rigby, CEO of Pepco Holdings Inc., which oversees electricity to the nation's capital, has called a successful cyberattack an "extinction-level event" for an average power provider.
While most utilities hold big-ticket insurance policies for natural disasters such as hurricanes and even physical terrorist attacks, cyberthreats have received less attention.
That's partly because insurance underwriters have had trouble fleshing out risk assessments with hard numbers. Utilities are tight-lipped about their cyber vulnerabilities for fear of legal repercussions (and exposing themselves to new threats).
But experts at the EnergyBiz Securing Power Forum yesterday in Washington, D.C., say a more robust insurance market could encourage companies to step up their cyber readiness.
Enter an unexpected player: the Department of Homeland Security.
In 2012, DHS tasked its National Protection and Programs Directorate with finding limitations in the fledgling cyber insurance market.
The federal agency has since found itself promoting cyber insurance policies, hosting a workshop and a round table to unite several critical infrastructure industries around the issue.
"We thought that cybersecurity insurance could, as a market force, help raise the cyber floor in return for more relevant and hopefully more affordable coverage," said Tom Finan, senior cybersecurity strategist and counsel at DHS, at yesterday's EnergyBiz forum. "We may in fact get there, but we're not quite there yet."
Insurance carriers know how big and bad a cyberthreat could be for the nation's power sector, Finan said, but "the real problem lies with the first-party market, which covers the company's own damages after cyber incidents -- lost profits, lost reputation, lost intellectual property."
Scant actuarial data in those areas has left insurers uneasy as advanced persistent threats keep knocking on key networks. DHS data show that 59 percent of 256 reported cyberattacks on critical infrastructure last year targeted the energy sector.
Until the private market warms up to offering more comprehensive cybersecurity insurance, experts at the Bipartisan Policy Center have suggested the federal government provide reinsurance coverage to insurers after a devastatingly costly cyber event.
In a report released Friday (EnergyWire, Feb. 28), researchers with the BPC's Electric Grid Cybersecurity Initiative suggested such a backstop could be modeled after the Terrorism Risk Insurance Act (TRIA), to be phased out as the market matures.
TRIA passed Congress after the 9/11 terrorist attacks as a way to help businesses insure themselves against such threats.
"At present, cybersecurity insurance does exist," the BPC notes in its report, titled "Cybersecurity and the North American Electric Grid." "However, coverage for utility companies is limited and often expensive."
Avoiding a 'cyber hurricane'
DHS says insurers fear a "cyber hurricane" could swamp their ability to pay back policyholders quickly after a widespread attack.
The interconnected nature of the North American electric grid means a powerful cyberattack could cascade across multiple companies, or even multiple sectors. It's hard to keep businesses running when the lights and computers are off and the elevators don't work.
Standard & Poor's, a top credit-rating agency, has faith in utilities' ability to pick up the pieces after a terrorist disaster.
In a report published Friday, analysts at the ratings service concluded that the credit outlook for the sector is stable, despite increased spending on security -- both physical and cyber -- and "likely" new federal regulations.
"Through the combination of security measures, system redundancy, regulatory recoveries, and adequate insurance, we believe the electric sector could still maintain credit quality even if a terror attack on the electric grid were successful," the researchers wrote.
A daily dance
Although utility executives acknowledge the existence of the cyber threat, there is little consensus on how much money to throw at it.
The highly regulated sector is often under immense pressure to avoid passing on costs to ratepayers.
"It's critical that you stay competitive price-wise," said Patricia Kampling, chairwoman, president and CEO of the Midwestern public utility Alliant Energy Corp. "It's a dance we have daily with customers -- where would you have us deploy capital?"
Kampling created an executive-level opening at her company for overseeing cyber and physical security. The position was designed to bring cyber issues out of the weeds of the IT shop, where CEOs generally don't tread.
Elevating the cyber discussion to the boardroom is a key goal of DHS's insurance plans. The hope is that executives will take a closer look at their cyber posture as they try to get the best value out of their insurance plans.
"Just thinking your way through it is a huge advantage," noted former National Security Agency Director Vice Adm. Mike McConnell at the Securing Power Forum.
"[Cybersecurity's] a solvable problem if we do the right things -- today, we are not doing the right things," he added.