For cyber criminals and the organizations they are targeting, it’s the wild west out there. The scourge of COVID-19 is driving workers to log in from home and widening the utility attack surface even further. Community-owned utilities are victims of ransomware and other attacks at an alarming rate. As part of their cybersecurity risk management efforts, utilities should investigate the financial and operational security provided by the cyber liability insurance program from Marsh Wortham Power Gen Insurance through Hometown Connections, Inc.
Marsh Wortham is the insurance partner of Hometown Connections, the non-profit utility services organization meeting the unique needs of community-owned utilities. Marsh Wortham has assembled a team of technical specialists with extensive experience in developing insurance strategies and risk management solutions for organizations that develop, generate, and sell power and other utility services.
Cyber Threat Landscape and Cyber Liability Insurance Protections
Public utilities must understand the scope of the cyber threat they are facing and deploy a complex variety of defense tools, including the purchase of cyber liability insurance protections.
Threat Actors
Utilities offering electric, natural gas, water, and wastewater services must defend against today’s primary cyber threat actors: criminals stealing information and extorting victims for financial gain and nation states or terrorist groups seeking to sabotage computer systems that operate critical infrastructure.
Threat Scenarios and Costs
Attempts to compromise critical infrastructure systems are up substantially since the beginning of 2020, according to cybersecurity officials at the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), a division within the U.S. Department of Homeland Security that tracks and investigates attacks against ICS and corporate networks. Public utilities must prepare for a variety of costly loss scenarios from a cyber-attack:
- Business interruption losses from ransomware incidents.
- Malicious malware finding its way into the industrial control systems, causing an interruption in critical substations and blackouts in the power territory.
- Power generation shut down for an extended period while regulators investigate the cause of the malware and appropriate remediation steps.
- Distribution systems shut down when information technology or operational technology systems are hit.
- Regulatory investigation by FERC/NERC or PUC following a cyber breach of IT or OT systems.
- Bodily injury and property damage caused by cyber incidents for which utility could be held responsible.
Ransomware incidents are becoming more frequent, increasingly targeting utilities and municipalities of all sizes with hefty extortion demands. Once a ransomware attack occurs, the average downtime can be as long as 16 days.
COVID-19 Cyber Vulnerabilities
As the world contends with the COVID-19 pandemic, cyber criminals are taking full advantage of the resulting disruptions and chaos. Remote working/e-learning/telemedicine presents an expanded attack surface that may be harder to ringfence and are potentially less secure, creating new points of entry for cyber adversaries.
Cyber adversaries are creating new phishing emails containing links or attachments that claim to contain important information about the virus. Once opened, malware is inserted or victims can be tricked into transferring money or other property to fraudulent recipients, sensitive data can be exposed, or ransom demanded after systems are encrypted or locked up.
At the time this writing, utilities have not seen rates for cyber insurance rise to the extent that other insurance categories have in recent months. However, the potential impact of the COVID-19 pandemic on insurance rates is not yet known. Therefore, the savings and extensive coverage made available through Marsh Wortham and Hometown Connections are more critical than ever.
Adding Cyber Liability Insurance to Your Cybersecurity Arsenal
Bad actors try 24/7 to gain access to utility networks through SCADA, metering, and other utility systems as well as vendors’ systems connected to the utility networks. Along with searching for ways to disrupt operations, these cyber criminals target the financial and social security data of utility customers and employees. Because no technology solution can offer 100% protection against an intrusion, insurance policies secured by Marsh Wortham Power Gen Insurance protect the utility from the potentially enormous financial and reputational risk of a data breach or system disruption.
The liability and privacy Insurance program by Marsh Wortham offers community-owned utilities innovative risk assurance options for breaches of customer and employee data and protects against risks not covered by property & casualty policies or TORT immunity statutes for municipal entities. Offering protection designed specifically for public utilities with lower rates & broader terms, the insurance program parameters include:
- All members of the American Public Power Association are eligible
- $0 deductible available for entities with <$100m in revenues
- Other Departments and Parent Organization can be included
- Negotiated group rates and terms available through joint action agency or state association
- Bundling cyber policies brokered by Marsh Wortham with the monitoring and vulnerability assessment services of Hometown’s cybersecurity partner Acumen
- Free Cyber Risk Evaluation and Report
- 24/7 Cyber Incident Triage Hotline
- Post Cyber Breach Services:
- Claims Process Management – Appointing Specialists
- Legal Services
- Computer Forensic Services
- Notification/Call Center Services
- Fraud Resolution Services
- Public Relations and Crisis Management Services
Recently, Marsh Wortham developed a proprietary loss estimate calculator exclusively for members of the American Public Power Association to estimate their cost of both a data breach and business interruption loss following a cyber-attack. By understanding the basic cyber threats and calculating the potential for financial loss, community-owned utilities can make an informed decision about cyber risk insurance purchasing.
For complete details on the liability solutions for addressing today’s cyber threat landscape, contact:
George Adkins
Public Power Generation Practice Leader
U.S. Power and Utility
+1 281 935 7586
george.adkins@marsh.com
Aidan Heisey
U.S. Power and Utility Practice
+1 520 869 0353
aidan.heisey@marsh.com
About Marsh Wortham
Built on the foundation of two leading professional firms, Marsh Wortham brings clients a singular focus of local service backed by global resources. Marsh Wortham, a division of Marsh USA Inc., was formed in 2018 upon the combination of Marsh and Wortham Insurance, and consists of Wortham offices in Texas and Marsh offices in Texas, Oklahoma, and Louisiana. Our parent company is Marsh & McLennan Companies (NYSE: MMC), the leading global professional services firm in the areas of risk, strategy, and people. With 75,000 colleagues worldwide and annualized revenue approaching $17 billion, Marsh & McLennan Companies also include global leaders Guy Carpenter, Mercer, and Oliver Wyman. Visit http://www.worthampowergen.com/