CyNat: an industry-focused cyber risk solution for the power sector

Introduction: a critical infrastructure
We all have memories of when the lights went out and the power stopped working. Even now, parts of our world suffer debilitating power cuts; this is being driven by several factors, including aging grid systems, natural events and geopolitics. A UK power cut in August 2019 saw one million people lose access to power¹; in this instance a series of events, triggered by a lightning strike on a power line, led to a loss of power input to the grid and forced a technological response to protect the integrity of the system. It can be said that the grid’s technology did what it was meant to do; that is, close parts of the grid system to rebalance and avoid consequential damage to the network and further afield. A blackout was the result.
What this has given us is a stark reminder of the role that the power sector plays to enable us to get on with our day to day lives. Without power, our industry cannot function, our houses will not be heated and our computers cannot connect us with family, friends or colleagues. It’s the critical infrastructure that needs to operate - or we all slow to a standstill. Technology is being advanced and deployed to improve the reliability of these systems, but in the shadow of progress such as digitalization sits an evolving risk issue that dominates the concerns of many risk managers, boards and even governments - cyber risk.A dynamic risk environmentThe power sector has seen an increasing exposure to cyber-incidents. The merging of technology, process and people is increasing the incident surface, on both a micro and macro level; it is estimated that utilities worldwide will collectively spend nearly US$247 billion on energy IT and cyber security software from 2019 through 2028².At the same time, the threat continues to evolve and adapt, outpacing our ability to protect against it. Cyber is a unique peril in that it can move from system to system, from nation to nation, in ways that businesses have not had to deal with before in terms of traditional perils such as fire or flood; it’s a product of our digitally connected world and there is no going back.Recent events demonstrate this cyber vulnerability, from the cross-industry impact of the SolarWinds breach³ to the sector-specific Ukraine power grid attack and European Network of Transmission System Operators for Electricity hack incident⁴, signaling a new epoch of digital cyber-crime.However, these incidents are focused on a malicious cyber-attack, where a business could be specifically targeted or become collateral damage due to a randomly distributed attack. But a business could also fall victim to a non-malicious incident, such as human error or technical failure.In any instance, these incidents can lead to a variety of losses; from physical damage/business interruption losses to liability claims, from additional costs of working to regulatory action.

These new risk issues demand new thinkingJust as the threat grows and insurance buyers are gaining a deeper understanding of the impacts that a cyber incident can have on their business, all the while cyber insurance cover is being excluded from many traditional lines of insurance, often in uncoordinated ways, driven by a market requirement to address the silent cyber issue⁵.In parallel to this loss of cover, buyers are increasingly reminded of the additional exposures and ancillary costs, such as non-damage Business Interruption and incident response costs, that would not have been covered under their traditional Property and Liability insurance forms. For example, cyber coverage gaps for various outcomes following a cyber incident in traditional lines of insurance are shown in Figure 1 on the previous page (for illustrative purposes only).The increase in the cyber issue and gaps in cover – often ambiguous in nature - becomes a challenge for any policyholder; from our experience, insurance buyers have historically approached a specialist and affirmative cyber policy as an optional extra to their risk management strategy. However, now it should be viewed as a core business need - the risk is just too large, and the impacts on boardroom accountability just too unpredictable for risk transfer not to be part of the risk management equation.For Willis Towers Watson, it became clear that there was a need in the power industry for a new insurance solution to address this growing challenge for insurance buyers.CyNat: a new insurance solution for the power sector
CyNat is a new, innovative product designed to address the power sector cyber insurance need. From cover to placement to claims, our new product as been developed and delivered by power and cyber insurance experts with the following at its core:

Clear and simple policy language, drafted from the policyholder’s rather than insurers’ perspective

Industry-relevant and broad cover

Customer choice (you pay only for what your business needs, not for what insurers think generic businesses need)

Coordinated insurance capacity, attracting support from several leading insurers to increase the limits available and to promote competitive pricing

Industry expertise across the power & utilities and cyber sectors

What CyNat coversCyNat has been built to address the following exposures (among others) in a modular manner:

Loss of revenue, whether caused by a cyber-attack or human error, on both IT & OT systems

Physical damage to plant, machinery and assets caused by cyber-attack

Replacement utility/service

Regulatory exposures under cyber security legislation (e.g. NIS Directive) and industry specific regulation (e.g. NERC CIP) as well as data protection legislation (e.g. GDPR).

Third party property damage, bodily injury and environmental liability

Emergency incident response to ransomware attacks and data breaches etc.

Reputational harm loss and mitigation

Supply chain vulnerabilities

Illustrating the scope of cover availableIn a series of webinars⁶ at the end of March 2021, the Willis Towers Watson team illustrated the scope of cover on the CyNat product using a case study and three scenarios of cover shown in Figure 2 on the previous page:Applying this, Figure 3 to the left shows a clear expansion of cover under the CyNat product.

How a cyber engagement worksThe two key considerations for insurance buyers when assessing a new product are how it will work and how they will obtain the maximum benefit from the solution.

We have the following base framework for engaging on the issue of cyber and in our view, there is no bad time to begin the process outlined in Figure 4 overleaf.

Conclusion: choosing an industry-designed approach
The insurance industry has a unique role to play in addressing cyber risk for the power sector. It provides a platform for not just risk transfer - using products such as CyNat - but also knowledge sharing and access to specialist solutions and advice.We have developed an industry focused approach that addresses a growing exposure and insurance gap for the industry, simplifies the cyber product design and delivery, reduces ambiguity in the event of a claim and enhances the customer experience throughout the process.

Myles Milner is Power Account Director & Broker, Natural Resources at Willis Towers Watson in London.
Myles.Milner@WillisTowersWatson.com

¹ https://www.drax.com/energy-policy/britains-blackout/#chapter-1
² https://energycentral.com/c/iu/navigant-electric-utilities-spend-247-billion-it-cybersecurity-through-2028
³https://www.willistowerswatson.com/en-GB/Insights/2021/01/client-alert-solarwinds-cyber-incident
⁴https://www.europarl.europa.eu/doceo/document/E-9-2020-001606_EN.html
⁵ https://willistowerswatson.turtl.co/story/power-market-review-2020/page/14/1
⁶ https://www.willistowerswatson.com/en-GB/Solutions/products/cynat