The Washington Post reported last week that Russian hackers had penetrated the U.S. utility grid through Burlington Electric Department, a Vermont utility. Although the utility later clarified that the attacked computer was not connected to the grid and that the connection to Russia was not confirmed, hundreds of news sources picked up the story, demonstrating the widespread concern over cyber intrusions into our electric grid.
The United States electricity grid is critically important to our lives. The “grid” is vulnerable to not only weather-related power outages but also to cyberattacks. The most likely path for a hacker into a utility is through a utility’s control systems, which almost always are connected to the internet. The connection between the control systems in any piece of equipment or device and the internet is called the “Internet of Things.”
A shutdown in service by a utility by a cyberattack could produce dire economic consequences to both small and large businesses. It is therefore essential that businesses try to manage this business interruption risk, and because the risk is outside of a business’s control, insurance is the best (and possibly only) tool to use.
Cyber Attacks on Utilities – Frequency and Potential Impact
Electric utilities experienced a spike in cyberattacks in 2016, according to a survey by Tripwire, a cyber security firm. Seventy-five percent of the information technology workers surveyed reported that their companies in the oil, natural gas and electricity sectors had experienced at least one successful cyberattack in the past twelve months, meaning intruders were able to breach one or more firewalls or other protections.
Cyber hackers have successfully shut down electric utilities in the past. FireEye, another digital security firm, reported that in December 2015, Russian-nexus actors attacked several Ukrainian utilities causing blackouts in several regions. The hackers used malware inserted through the connections between the utilities’ industrial control systems and the internet to gain access to their computer systems. The hackers then shut down circuit breakers at multiple substations, cutting off power to over 230,000 homes and businesses.
Impact of an Attack on the U.S. Electricity Grid
A cyberattack on the United States electricity grid could result in both property damage at the utility and a significant impact to customers. As they did in the Ukraine, hackers could use malware inserted through the Internet of Things to gain access to computer systems at a utility. Then, hackers could cause electric generators to overload and burn out, resulting in fires and explosions. Alternatively, the perpetrators could simply shut down utility substations. Regardless whether a cyberattack results in property damage at the utility, the resulting losses to utility customers could be in the billions. A 2014 Federal Energy Regulatory Commission analysis revealed that successful attacks on just nine of 55,000 U.S. power-grid substations could cause nationwide blackouts for weeks, if not months.
Insuring Against Cyber Attacks on Utilities
Coverage Available Under Traditional Property Policies
Business interruption (“BI”) coverage protects against lost profits resulting from property damage to the insured’s property. Standard property insurance policies include coverage for lost profits arising from a covered event at an up-stream supplier. This is called “contingent” BI coverage. Many policies also include “service interruption” coverage, which is a type of contingent BI insurance insuring lost profits arising from damage to an electric utility’s property causing an interruption in the utility’s service.
Coverage under traditional property insurance policies for lost profits arising from a cyberattack on a utility may be limited. Standard property insurance policies require direct physical loss to property at the utility in order to trigger coverage for business interruption to a downstream power customer. Many courts have held that damage to data is not a “direct physical loss.” Moreover, property policies typically exclude coverage for losses arising from damage to or destruction of electronic data. Therefore, unless the cyberattack on the utility causes an explosion or a fire – physical loss to property – standard property insurance policies may not provide coverage for lost profits arising from a utility shut down.
Coverage Available Under Cyber Policies
Because traditional property policies may not provide BI coverage for a cyberattack on an electric utility, policyholders should consider cyber insurance. Cyber insurance policies provide coverage for a variety of cyber risks, including the type of malware that a hacker might use to attack an electric utility. Recently, many carriers have broadened cyber insurance offerings to include contingent BI coverage that would protect against lost profits arising from a utility shutdown initiated by a hacker. Because breaches to the U.S. electrical grid pose such a widespread risk, however, insurers typically limit this coverage in a number of ways. These limitations include reducing the duration of the coverage, setting waiting periods of up to 60 days before the coverage applies, and adding exclusions.
One key exclusion that could apply to an attack on a utility is the terrorism exclusion. These exclusions bar coverage for losses arising from acts committed “for political, religious, ideological or similar purposes including the intention to influence any government and/or to put the public, or any section of the public, in fear.”
An attack on the U.S. electrical grid would generate intense focus on the source of the attack and whether it had a political, religious, or ideological purpose. Moreover, as the recent debate concerning the Russian attacks on the Democratic National Committee demonstrates, it is difficult to identify with certainty the source of a cyberattack. Therefore, disputes over the application of terrorism exclusions likely will arise following an attack on a utility.
Best Practices
Businesses should carefully evaluate their existing property insurance policy to determine whether it provides coverage for lost income arising from the interruption of electrical power arising from a cyberattack on a utility. Coverage under traditional property forms may be limited, however. Insureds also should review their cyber insurance policy to assess the scope of BI coverage offered there. Even if the policy provides such coverage, it is important to review the applicable sublimit, duration of coverage, waiting period, and exclusions to assess how broad the coverage truly is. If the coverage limitations are significant, keep in mind that in today’s cyber insurance market, many policy terms are negotiable. Furthermore, because the cyber insurance market is still rapidly developing, insureds should be sure to carefully compare their existing policy with other policies that may be available in the market at renewal time. Working with counsel and an insurance broker, businesses may be able to negotiate changes to the carrier’s proposed language to expand the coverage available for this very important and potentially catastrophic risk.