In a time of an ever-evolving geopolitical conflict, the integration of technology into business processes and the increased interconnectivity of our world, we are seeing a growth in both the sophistication and number of cyber incidents, both malicious and accidental. Hacks are getting easier to build and simpler to obtain, while the attack surface is growing. The renewable energy industry is no different to any other in this regard; while it can leverage the lessons of other industries, it also must face up to the challenge in quite a different way. For as the power transition continues to ramp up and technologies evolve, the industry has large numbers of distributed assets connecting to the grid system in a way that has not been seen before; all must be protected to ensure power supply stability.
This article does not intend to give an overview of the many incidents that have occurred, nor the different types of ransomware, malicious and destructive malware, or social engineering techniques being utilized by cyber operators to gain access to IT and industrial control infrastructure. This has been written about numerous times, across many media. Instead, this article intends to give risk managers, executives and other stakeholders in a renewable energy-focused business greater clarity over:
Our approach to this will start by giving an overview of cyber risk in the context of four different business elements of a renewable energy developer. Whilst we apply this thinking to a developer, it can be adapted to other participants in the renewable energy supply chain, such as asset managers, contractors, grid operators, and even financiers. We will then turn our attention to the global insurance market and explore how it is currently approaching this issue, in both the traditional and the specialist markets. Finally, we will look at how renewable energy companies should approach this issue today so that they become cyber-resilient in an intelligent manner.
To illustrate cyber impacts on a developer, it is prudent to explore the four elements in Figure 1 above:
Just as cyber risk exists across many parts of a renewable energy company, it is also a peril that is covered across many different lines of insurance: multiple areas such as Property, Casualty, Marine, Terrorism, and even D&O cover cyber exposures.
Lloyd’s of London and large insurance companies have taken a cautious and pragmatic approach. Much of this work has been driven internally, to both understand and protect themselves, as the industry looks to clarify the intent of cover and allocate adequate reserve capacity should an event occur.
In the last three years there has been a significant increase in central regulatory interest in the risk. In the first half of 2019, for UK-based insurers including Lloyd’s, the Prudential Regulation Authority (PRA) directed that they begin formulating clear, manageable and measurable action plans to address the cyber exposure in their portfolios [1]. We will see much of the effect of this taking hold in 2020; however, insurer action has been swift as they look to pre-empt the regulatory clouds above them.
Following on from the PRA directive, Lloyd’s of London released a market-wide bulletin [2] focused on the issue of silent Cyber. Silent Cyber is non-affirmative Cyber, i.e. where a policy neither expressly provides nor excludes cover and is simply silent as to its existence. The bulletin laid out a timeline for this to take effect: first-party Property Damage policies incepting on or after 1st January 2020 should either clearly affirmatively cover or exclude cyber exposure, while for Liability the requirements come into effect in two phases during 2020/2021.
The difficulty here is that while organisations will obtain clarity over whether an insurer covers the peril or not, Lloyd’s of London has not been prescriptive in which approach they should take and whether they should cover the risk or not; they have left that decision to individual syndicates in the market.
This complexity is then compounded by the different clauses available in the market that insurers may look to apply, either to the entire risk or, depending on the number of insurers on a programme, in a patchwork manner. Discussions must be had with insurers where they look to apply certain clauses, to drill down into why they are taking a certain stance and whether the wording achieves what they intended. However, as the easiest approach, they would likely look to exclude Cyber in the first instance and then allow a “carve back” of cover, subject to better understanding of the risk. This creates a complex minefield for both insureds and their brokers when building a consistent and harmonised insurance programme.
Recently it was made known in the market that the ever-present CL380 Cyber Attack and NMA Electronic Data 2914/15 cyber exclusion clauses (which many have become accustomed to) do not, by Lloyd’s of London standards, go far enough in addressing the issue of silent Cyber, and are therefore deemed not satisfactory in respect of Lloyd’s requirements on this issue.
As a result, in November 2019 the Lloyd’s Market Association published a set of new model clauses for Property and Marine risks [3], which come in the form of both outright exclusions and versions with provisions for buy-backs of perils such as Fire and Explosion. However, it should be noted that these are purely illustrative and can be adapted by a skilful wordings specialist to achieve different outcomes which do not conflict with the balance of the wording. We are yet to see whether the wording will differ for the Casualty sector; however, a similar approach is expected.
While Lloyd’s provided their clauses recently, the International Underwriters Association (IUA) also released their own London Market model clauses in the summer of 2019. In similar fashion, the intention was to address the issue of non-affirmative silent cover [4]. As stated by the IUA, these come in the form of a “Cyber Loss Absolute Exclusion Clause” which provides market participants with an option to exclude, in the broadest possible manner, any loss arising from the use of a computer system, network or data – each of which is clearly defined. Meanwhile, a Cyber Loss Limited Exclusion Clause enables only the exclusion of losses directly caused by cyber events, rather than ‘directly or indirectly’. The nomenclature of these clauses differs slightly from that of the Lloyd’s clauses, adding to the difficulty.
As a tightening of approaches in the traditional markets is now apparent, we see organisations turn towards the specialist markets for solutions. This is where one will find solutions, not just to those exposures being excluded by the traditional markets, but also emerging exposures that were not covered in the first place.
The Cyber market historically grew out of data-related risk, where organizations obtain cover for loss of data and for liabilities resulting from breaches of sensitive personal information. For a typical renewable energy company, be it a developer or contractor, personal data will not be the primary focus; they do not hold large amounts of personal data, bar that of perhaps their own employees. They do hold operational data which may be affected, and the focus should be on ensuring operational resilience.
To deliver cyber resilience to the renewable energy and power sectors several insurers in the market offer generalised coverage wordings. However, these are complex and don’t address the nuances of these sectors. As such, brokers are actively developing simpler insurance solutions that are focused on the risk issues in these sectors; these are then further tailored to the individual client.
The solutions in the market, for both onshore and offshore renewables, can address the categories noted in Figure 2 on a clear affirmative basis - whether the cause is a malicious cyber-attack, human mistake (i.e. a negligent employee) and/or technology failure. Affirmative being the operative word here - it actually provides certainty! A solution from this market will avoid the issues and disputes that have been seen on traditional policies whereby cover interacted with War and Terrorism exclusions.
There are a few interesting areas to point out here. First-party data loss is an area which the traditional Property market generally has no intention of covering, unless the loss of this data comes from a physical peril that would generally be covered, i.e. Fire or Explosion; cover for losses arising from a pure cyber incident is generally only provided in the specialist market. The Third-Party Liability cover can extend to bodily injury, lost data, regulatory liabilities, and property damage. Finally, the incident-response-type solutions being offered allow cover for the developer’s own responders and their external experts, who come in to mitigate loss and to get companies back on their feet quickly. It is important that this is integrated with the company’s existing incident response and claims protocols.
Insurance capacity in the Cyber markets
It is no secret that the capacity available in the Cyber market is not even close to that provided by the traditional Property & Casualty (P&C) markets. Cyber towers are modest in relation to those created in the P&C markets; last year it was noted that the largest capacity available, which can only come about from intensive global co-ordination of the markets, is around US$600 million. The market hasn’t seen an explosion of capacity growth over the past year; indeed, as we have seen the changing tide within the P&C market, the Cyber market appears to be experiencing a degree of hardening at present, despite growing in a sustainable and calculated manner. Furthermore, this top capacity level is only possible for areas such as financial services, where cyber insurers have a relatively strong foothold and experience.
For power producers, being a part of a nation’s critical infrastructure, their industry risk is much less sought after by Cyber insurers and so expected capacity available is always going to be lower. While it is an interesting objective to quantify the maximum capacity that is available, there are so many different variables to consider. So perhaps the conversation should move instead towards the key exposures – specifically what a quantifiable estimated maximum loss or maximum possible loss may look like, and how best to approach both the traditional and specialist markets.
As we move into 2020, companies involved in the renewable energy sector should expect to see greater focus on cyber clauses in their current insurances. There may be a transition to new forms of cover, owing to the new clauses which underwriters may apply. This will clarify the intent of cover but may in some instances create gaps in cover or inconsistencies across the panel of insurers. Furthermore, for a project owner where lenders are involved, the issue may be heightened, as cover may no longer be aligned with the financing requirements.
So, what should a participant in the industry do?
Taking this approach will empower any risk manager with the confidence to advise their key stakeholders how their insurances will, or will not, react to a variety of cyber incidents. As the insurance market continues to strengthen its approach to cyber, those in the renewable energy sector must know where and how their policies will respond to the different incidents that may occur and losses to which they are susceptible. Scrutiny of this element is only going to grow in the years ahead.
In traditional lines of business, cyber may be excluded or covered only in part, and there may be inconsistencies across insurer approaches. As a result, the Cyber market is active in developing new, clearer and simpler solutions to bridge the cyber gap where traditional markets are not able to assist.
To be sure that their risk is covered, renewable energy risk managers should be able to evidence how their company is assessing the risk, how it is protecting its people, brand, assets, and profit, and how it is able to recover should something go wrong. These are the building blocks of a cyber-resilient power supply.
Myles Milner MEng, ACII, AMIMechE is an Account Director, Renewables GB, Willis Towers Watson, London.
[1] https://www.bankofengland.co.uk/prudential-regulation/letter/2019/cyber-underwriting-risk-follow-up-survey-results
[2] https://www.lloyds.com/~/media/files/the-market/communications/market-bulletins/2019/07/y5258.pdf
[3] https://www.lloyds.com/~/media/files/the-market/communications/market-bulletins/2019/07/y5258.pdf
[4] http://www.iua.co.uk/IUA_Member/Press/Press_Releases_2019/IUA_publishes_cyber_exclusion_clauses.aspx