Danger of a cyber-caused power blackout prompts new insurance strategies

Seeing opportunity in an evolving cyberwar battleground, the insurance industry is rolling out new, big-ticket policies to protect grid utilities against damage claims by their customers from catastrophic cyber-caused blackouts.

The coverage adds another issue for utility executives and boards: Do they need insurance to shield themselves and their shareholders against the legal fallout from a devastating cyberattack? And if so, how much and at what cost?

The new policies are being developed and offered to protect against cyberattack losses in the energy sector and to overcome the exclusions for cyberattacks and terrorism that are common in most policies now, said Andrew Herring, leader of Marsh LLC's energy practice, in an interview.

"Energy companies are having a hard time persuading insurance companies to cover them," said Thomas Morante, co-chairman of the Holland & Knight law firm's insurance industry team.

"The challenge is that very few carriers are willing and able to indemnify [cybersecurity] risks over $50 million," he said. "An attack could trigger incredible disasters, including things we don't want to think about. Insurers really don't know how to price that risk."


A fact sheet from the Obama administration, which has convened panels and research on cyber insurance issues, similarly notes: "First and foremost, insurers are afraid of a 'cyber-hurricane' -- a major disaster resulting in a great number of claims."

"If an energy source goes down, that not only can have dire consequences for that industry, there could also be a large business interruption claim," said attorney Joshua Gold, co-chairman of the financial industry practice at Anderson Kill.

The 2003 Northeast blackout, affecting 50 million people, caused estimated economic losses of between $7 billion and $10 billion, according to one study. Most customers had power restored by the next day. A grid attack -- if launched and successful -- could theoretically cause damage to critical equipment that could take much longer to repair, experts warn.

Market in flux

"As a general proposition, it's very hard to make blanket statements on insurance" for cyberthreats, Gold said. "Right now, the entire market for cyber-related insurance is in flux.

"Insurers are beginning to offer specific cyber coverage, but there isn't a uniform product, so each option has to be carefully reviewed," he said. "Some policies may have valuable existing language that could provide coverage in the case of a successful cyberattack. Companies should check their policies. But some insurance companies may resist paying claims for damage due to cyberattacks, and there are some notable recent cases on this front." Gold won a court decision allowing a major shoe retailer to collect on its insurance coverage after a data breach.

Herring said that insurers are moving to fill that need now in part in the hope that this new market can offset the current squeeze on business insurance premiums and industry profits.

"We are slowly but surely developing a vibrant marketplace for cyber risk," underwritten by insurers and reinsurers, Herring said. AEGIS, a Bermuda-based mutual insurance group, has expanded its coverage. Lloyd's and reinsurer Munich Re are adding products, he said.

"I've been very encouraged by the visible momentum of the past few weeks, and I expect by the end of this year, we'll have a viable marketplace, and within three years, a competitive marketplace with multiple products and adequate capacity," he added.

Herring said the goal is to raise coverage ceilings at least to $300 million per insured company, at no more than 10 percent of a standard premium for an all-risk policy.

"Coverage available can include damage to the insured's property and consequent business interruption, to complement insurance products that indemnify software and data losses in utility IT [information technology] and operating systems, and may also extend to cover third-party losses, including injuries to people resulting from damage caused by cyberattacks," Herring said.

"The same aggregation of risk exists with hurricanes, earthquake or other natural disasters," Herring added. A 10 percent premium implies that 1 in 10 coverage cases will be from cyberattack losses. "In fact, it will be much more remote than that," Herring predicted.

However, there are volumes of history about the incidence and severity of nature's assaults. While there have been a few headline attacks on energy companies and control systems in other countries, and cyberattackers' probes occur daily, the likelihood of a successful attack is a matter of debate.

Insurer's oversight

Insurance would come with another complication for utilities, experts explain. If the policies take hold, the power industry would find insurance providers scrutinizing energy companies' cybersecurity defenses.

The policies will be accompanied by underwriting standards that test utilities' diligence in detecting, defending against and recovering from cyberassaults, industry officials say. As in the trucking industry and other sectors, utilities that pass underwriting standards would get favorable insurance rates, and those that fail would not -- if they could even get coverage.

"It's been our argument within the industry that this risk can be underwritten. You will have good risks and less good risks, and you will be able to differentiate among them. Why can't you offer insurance for this sector of the market?" Herring said.

Marsh, working with Lockheed Martin Corp. cybersecurity staff, has designed a cyber insurance application form that asks about the strength of a utility's cyberdefenses, including specifying the industry control systems that are at risk, the extent of protection and a response plan if an attack succeeds, Herring said. "There is a lot of common sense in it." The process will raise utilities' cybersecurity preparations, he added.

Along with insurance question marks are unsettled legal issues.

The exposure of utilities for damages caused by a blackout is being tested in a court case that followed the 2011 blackout that cut off power to roughly 5 million people in San Diego, Calif., and parts of Arizona and Baja California.

The blackout was triggered by a technician with the Arizona Public Service utility, who had been sent to remedy a substation equipment issue. According to an investigation by the Federal Energy Regulatory Commission and the North American Electric Reliability Corp., the technician became distracted and skipped two steps on a repairs checklist, causing an electric arc that tripped the entire power line, leading to the cascading system failure.

The 12-hour blackout caused economic damages estimated at about $100 million. Robert Waldon, a San Diego business owner, filed a class-action suit against APS to recover economic losses, but the case was dismissed in December by U.S. District Judge Marilyn Huff in the Southern California district. She ruled that under California law, a utility does not have a legal duty to service a non-customer, and Waldon was not an APS customer.

Waldon's attorney, Natasha Naraghi, appealed the decision to the 9th U.S. Circuit Court of Appeals, arguing that Huff had "applied an outdated judicial exception that public utilities owe no duty to non-customers for service interruptions." Had the judge applied Arizona law, the duty would have been established, she said.

Bonnie Suchman, an attorney with the law firm Troutman Sanders, notes that local distribution utilities, which operate under state-approved tariffs, tend to be protected by those tariffs from ratepayer lawsuits for damages from outages resulting from simple negligence. So, for example, a court held that Consolidated Edison Inc., the New York City utility, was not subject to lawsuits following the massive Northeast blackout in 2003 based on ordinary negligence.

Presumably, a ratepayer would have to show that a utility was grossly negligent in what it did -- or didn't do -- that led to a damaging cybersecurity attack, she said.

It is an open legal question, however, whether state tariffs protect a utility from lawsuits if a cyberattack or some other incident caused damages outside its service territory, where its tariff is not in effect, she added.

Defining negligence

What constitutes "gross negligence" on the part of a utility that is subject to a cyberattack may not be clear.

In the San Diego case, APS and the other industry companies involved were held to have violated a more explicit standard -- FERC's mandatory reliability rules. APS in July accepted a FERC civil penalty of $3.25 million for its part in the outage.

Citing the FERC rules, Naraghi said her clients had "suffered the very type of harm such standards were designed to protect against."

Holland & Knight attorney Stephen Humes said, "It is absolutely true that if you have a freezer full of steaks and your power fails due to a hurricane or other storm event and it takes a week for your power to get restored and you try to sue the utility for the lost steaks, you will get no recovery due to the tariff exculpatory clauses. It is a closer call, however, when a utility arguably fails to comply with NERC's critical infrastructure protection standards for cybersecurity and the result causes damages."

Following the Sept. 11, 2001, terrorist attacks, Congress passed the Terrorism Risk Insurance Act (TRIA) of 2002, which creates a formula for the insurance industry and federal government to share losses following another terrorist act. It expires at the end of this year, and the Senate has voted decisively to renew it, but the outlook in the House is uncertain because of conservatives' concerns about the costs.

"The utility industry is actually lobbying for the federal cybersecurity legislation to include immunity from liability, which gives you an indication that they are not too comfortable relying on the exculpatory clauses in their tariffs," Humes said.

"The outlook isn't promising for passage of TRIA-type federal backstop coverage for large-scale losses from cyberattacks -- the kind of low probability-high impact threat that infrastructure companies face," Gold said.

"It would probably take a catastrophic event to change the political climate in Congress on this point," he added.

Twitter: @pbehrcw
