An evolving risk

The world’s power systems have changed dramatically over the past decade, both in means and in methods. Nations balance and trade power, under sea and over land, in ever more resourceful ways made possible by advanced technology; in parallel, the power generation mix has evolved. Coal power plants, once the staple of base load power and a key contributor to global carbon emissions, are being phased out in most major developed economies; their role in developing countries has become uncertain as international pressure grows to reduce global emissions. In their place, new power sources have plugged into the grid, developments driven by climate concerns and innovative enterprise. Gas, nuclear and hydro power plants provide large swathes of cleaner power, supported by many, often smaller scale, distributed renewable energy power plants.

A systemic risk

At the macro level the technology change is clear for all to see, and it has been supported by dramatic advancements at the micro level. New automated, smarter and leaner technologies, many of them internet-enabled, have been integrated into utility processes. However, this has introduced a new type of systemic risk to the sector that risk managers, company executives and even national governments are waking up to: cyber risk. All industries, not just power, have fallen victim to an advancement in the sophistication and number of cyber incidents. Hacks have become easier to build and simpler to obtain. This merging of technology, process and people is increasing the attack surface at both the micro and the macro level. This article does not intend to give an overview of the many incidents that have occurred, nor of the different types of ransomware, malicious and destructive malware or social engineering techniques being utilised by cyber operators to gain access to IT and industrial control infrastructure. This has been written about numerous times, across many media.
Rather, this article intends to give participants in the power industry greater clarity over:
Just as cyber risk exists across many parts of a power company, it is also a peril that is covered, often unintentionally, in many different lines of insurance; indeed, insurance portfolios such as Property, Casualty, Marine, Terrorism and even D&O cover cyber exposures. For insurers, this hidden peril is a concern; Lloyd’s of London and large insurance companies have taken a cautious and pragmatic approach. Much of this work has been driven internally, both to understand the exposure and to protect the insurer, as the industry looks to clarify the intent of cover and allocate adequate reserve capacity should a large-scale cyber event occur.
Growth of regulatory concern

In parallel, regulatory concern has grown. In the first half of 2019, the Prudential Regulation Authority (PRA) directed that UK based insurers, including Lloyd’s of London, begin formulating clear, manageable and measurable action plans to address the cyber exposure in their portfolios [1]. Both the insurance market and its clients will see much of the effect of this taking hold in 2020; insurer action has been swift in order to pre-empt the regulatory pressure clouding above them.
Silent cyber

Following on from the PRA directive, Lloyd’s of London released a market-wide bulletin focused on the issue of silent cyber [2]. Silent cyber is non-affirmative cyber, i.e. where a policy neither expressly provides nor excludes cover and is simply silent as to its existence. The bulletin laid out a timeline for this to take effect: first-party Property Damage policies incepting on or after 1st January 2020 should either clearly affirmatively cover or exclude cyber exposure, while for Liability the requirements come into effect in two phases during 2020/2021. The difficulty here is that, while organisations will obtain clarity over whether an insurer covers the peril or not, Lloyd’s of London has not been prescriptive about which approach syndicates should take or whether they should cover the risk at all; that decision has been left to individual syndicates in the market.
Complexity compounded

This complexity is then compounded by the different clauses available in the market that insurers may look to apply, either to the entire risk or, depending on the number of insurers on a programme, in a patchwork manner. Discussions must be had with insurers where they look to apply certain clauses, to drill down into why they are taking a certain stance and whether the wording achieves what they had intended. However, as the easiest approach, they would likely look to exclude cyber in the first instance and then allow a “carve back” of covers, subject to a better understanding of the risk. This creates a complex minefield for both Insureds and their brokers in building a consistent and harmonised insurance programme.

The clause dilemma

Towards the end of 2019 it was made known in the market that the ever-present CL380 Cyber Attack and NMA Electronic Data 2914/15 cyber exclusion clauses (which many have become accustomed to) do not, by Lloyd’s of London standards, go far enough in addressing the issue of silent cyber and so are deemed not satisfactory in respect of its requirements on this issue. As a result, in November 2019 the Lloyd’s Market Association published a set of new model clauses for Property and Marine risks [3], which come in two forms: an outright exclusion, and one with provisions for buy backs such as Fire and Explosion arising from a cyber-attack. However, it should be noted that these are purely illustrative and can be adapted by a skilful wordings specialist to achieve different outcomes which do not conflict with the balance of the wording. Brokers are yet to see whether the wording will differ for the Casualty sector; however, a similar approach is expected.

IUA one step ahead

While Lloyd’s provided their clauses recently, the International Underwriters Association (IUA) were one step ahead and released their own London Market model clauses in the summer of 2019.
In similar fashion, the intention was to address the issue of non-affirmative silent cover [4]. As stated by the IUA, these come in the form of a “Cyber Loss Absolute Exclusion Clause”, which provides market participants with an option to exclude, in the broadest possible manner, any loss arising from the use of a computer system, network or data, each of which is clearly defined. Meanwhile, a “Cyber Loss Limited Exclusion Clause” enables only the exclusion of losses directly caused by cyber events, rather than ‘directly or indirectly’. The nomenclature of these clauses differs slightly from that of the Lloyd’s clauses, adding to the difficulty.
There are several important considerations to point out here. From a cyber standpoint, property must be considered as two elements: the tangible and the intangible. The former comprises physical assets such as the turbines, pumps and transmission infrastructure. The latter, the non-physical intangibles as they are known, encompasses the software and data underpinning the operations. Both may be impacted, and even damaged, by cyber-attacks. First party data loss is an area which the traditional Property market generally has no intention of covering, unless the loss of this data results from a physical peril that would generally be covered, i.e. Fire or Explosion. The loss of intangibles without a physical element is, however, offered in the specialist market.

Cyber markets see increased interest

As cover for physical damage from a cyber incident is more readily excluded by traditional Property markets, the Cyber markets now see increasing interest in this type of cover, and solutions are available. Non-damage Business Interruption cover is the loss of gross profit resulting from a cyber incident where no physical damage is experienced. For power companies with heavy operational technology (OT), this cover should clearly include both the IT and the OT. A common scenario to which this cover could respond is the dreaded ransomware strike bringing operations to a standstill. Third Party covers in the market are primarily focused on the potential liabilities surrounding the loss of third-party data. Third Party Liability cover for bodily injury and property damage is less readily offered by the market at this time. Finally, the incident response type solutions being offered allow cover for the event responders and their external experts, who come in to mitigate loss and to get companies operating again. It is important that this is matrixed in with the company’s existing incident response and claim protocols.
Insurance capacity in the cyber markets

It is no secret that the capacity available in the cyber market is not even close to that provided by the traditional Property & Casualty (P&C) markets. Cyber towers are modest in relation to those created in the P&C markets. In last year’s Power Market Review [5], it was noted that the largest capacity available, which can only come about from intensive global co-ordination of the markets, is around US$600 million. This top capacity level is only possible for personal data risks such as financial services and retail, where cyber insurers have a relatively strong understanding. In general, the cyber market has grown in a pragmatic yet cautious manner and there has not been an explosion of available capacity. Indeed, just as capacity withdraws and prices rise in the P&C markets, the Cyber market is experiencing its own degree of hardening.
Cyber risk for power is less readily underwritten by the markets’ insurers. There is less capacity with deep knowledge of the sector; however, much work is underway to create new appetite. Those with appetite at present are clear that they require high quality cyber security risk information for risk to be transferred. The question is often posed as to how much capacity is available for the power sector in the market, but there are too many variables to consider. So perhaps this conversation should move instead towards truly quantifying the key exposures (although a complex endeavour), specifically what a cyber-triggered estimated maximum loss or maximum possible loss may look like, and how best to approach both the traditional and specialist markets.
So, what should a power company do?
Risk managers and power company executives now live in a digital world; they must protect their people, brand, assets and profit against cyber threat and be prepared to recover should something go wrong. But they are not alone, since all participants in the industry that make up the power supply are the building blocks to a cyber-resilient system. Everyone’s goal is to keep the power running and the lights on.
Myles Milner MEng, ACII, AMIMechE is an Account Director, Renewables GB, Willis Towers Watson London. Myles.Milner@WillisTowersWatson.com
[1] https://www.bankofengland.co.uk/prudential-regulation/letter/2019/cyber-underwriting-risk-follow-up-survey-results
[2] https://www.lloyds.com/~/media/files/the-market/communications/market-bulletins/2019/07/y5258.pdf
[3] https://www.lloyds.com/~/media/files/the-market/communications/market-bulletins/2019/07/y5258.pdf
[4] http://www.iua.co.uk/IUA_Member/Press/Press_Releases_2019/IUA_publishes_cyber_exclusion_clauses.aspx
[5] https://www.willistowerswatson.com/assets/pdf/power-renewable-energy-market-review-2019.pdf