Date: 2016-01-28

Jan 28 U.S. utilities are looking hard at their
cyber vulnerabilities and whether they can get insurance to
cover what could be a multi-billion dollar loss after hackers
cut electric power to more than 80,000 Ukrainians last month.
The Dec. 23 incident in Ukraine was the first cyber attack
to cause a power outage, and is one of just a handful of
incidents in which computer hacking has caused physical effects
on infrastructure rather than the loss or theft of electronic
data.
A similar attack in the United States could cripple
utilities and leave millions of people in the dark, costing the
economy more than $200 billion, an insurance study estimated
last year.
Security experts, insurance brokers, insurers and attorneys
representing utilities told Reuters that the Ukraine attack has
exposed long-standing ambiguity over which costs would be
covered by insurance in various cyber attack scenarios.
"People in the insurance industry never did a great job
clarifying the scope of coverage," said Paul Ferrillo, an
attorney with Weil, Gotshal & Manges who advises utilities.
Cyber insurance typically covers the cost of attacks
involving stolen personal data. Some general property and
liability policies may cover physical damage from cyber attacks,
but insurers do not always provide clear answers about coverage
for industrial firms, said Ben Beeson, a partner with broker
Lockton Companies.
That has led to some unease among U.S. utilities.
"When you get these kind of headline-grabbing cyber
incidents, there is obviously a flurry of interest," said Dawn
Simmons, an executive with Associated Energy and Gas Insurance
Services, or AEGIS, a U.S. mutual insurer that provides coverage
to its 300 or so members.
Getting a policy that includes cyber property damage is not
cheap.
Sciemus Cyber Ltd, a specialty insurer at the Lloyd's of
London insurance market, charges energy utilities roughly
$100,000 for $10 million in data breach insurance. The price
balloons to as much as seven times that rate to add coverage for
attacks that cause physical damage, said Sciemus Chief Executive
Rick Welsh.
INDUSTRY WARNINGS
Security experts have warned for several years that a cyber
attack could cause power outages due to the growing reliance on
computer technology in plants that is accessible from the
Internet.
In the Ukraine attack, hackers likely gained control of
systems remotely, then switched breakers to cut power, according
to an analysis by the Washington-based SANS Institute. Ukraine's
state security service blamed Russia for the attack, while U.S.
cyber firm iSight Partners linked it to a Russian hacking group
known as Sandworm Team.
Utilities are now trying to determine if they have insurance
to cover these kinds of attacks, and if not, whether they need
it, said Patrick Miller, founder of the Energy Sector Security
Consortium, an industry group that shares information on cyber
threats.
American Electric Power Company Inc, Duke Energy
Corp, Nextera Energy Inc and PG&E Corp
are among publicly-traded utility companies that have warned of
their exposure to cyber risks in their most recent annual
reports to securities regulators, and that their insurance
coverage might not cover all expenses related to an attack.
Representatives with AEP, Duke and PG&E declined to disclose
the limits of their insurance. Officials with Nextera could not
be reached for comment.
The potential costs of an attack in the United States are
huge. Last year Lloyd's and the University of Cambridge released
a 65-page study estimating that simultaneous malware attacks on
50 generators in the Northeastern United States could cut power
to as many as 93 million people, resulting in at least $243
billion in economic damage and $21 billion to $71 billion in
insurance claims.
The study called such a scenario improbable but
"technologically possible."
There are precedents, including the 2010 'Stuxnet' attack
that damaged centrifuges at an Iranian uranium enrichment
facility and the 2012 'Shamoon' campaign that crippled business
operations at Saudi Aramco and RasGas by wiping drives on tens
of thousands of PCs.
In late 2014, the German government reported that hackers
had damaged an unnamed steel mill, the first attack that damaged
industrial equipment. Details remain a mystery.
AMBIGUITY OVER COVERAGE
"It's getting a little competitive just to get a carrier
quoting your policy," said Lynda Bennett, an attorney with
Lowenstein Sandler, who helps businesses negotiate insurance.
Some insurers have cut back on cyber coverage in response to the
increase in the number and types of breaches, she added.
American International Group Inc, for example, will
only write cyber policies over $5 million for a power utility
after an in-depth review of its technology, including the
supervisory control and data acquisition (SCADA) systems that
remotely control grid operations.
"There are companies that we have walked away from providing
coverage to because we had concerns about their controls," said
AIG executive Tracie Grella.
AIG and AEGIS declined to discuss pricing of policies. It
seems likely they will find coverage more in demand after the
Ukraine attack.
"A lot more companies will be asked by their stakeholders
internally: Do we have coverage for this type of thing?" said
Robert Wice, an executive with Beazley Plc, which offers cyber
insurance. "Whether they actually start to buy more or not will
depend on pricing."
(Reporting by Jim Finkle; Additional reporting by Rory Carroll;
Editing by Bill Rigby)