Be Smart about Insurance for the Smart Grid: Coverage for Losses from Cyber Events—Part I

Amy J. Spencer

In this part of our two-part series, I identify the types and breadth of insurance claims that can result from a cyber breach or cyberattack on technologies deployed in the Smart Grid industry. These claims can affect a full range of entities and individuals, including electric utilities implementing Smart Grid technology, energy consumers, Smart Grid technology suppliers, and their individual officers and directors.

The Smart Grid: Costs and Benefits

The U.S. electric power grid is among the last major infrastructure systems to be computerized. At its beginnings, power generation was localized, designed simply to provide one-way interaction to deliver electricity to customers’ homes; electricity was not stored beyond its immediate needs. That model made it difficult for utilities to respond to increasing demand and to manage multiple sources of renewable and non-renewable energy. The “Smart Grid” is gradually introducing a multi-way dialogue whereby electricity and information can be exchanged between the utility and its customers. Because of its interactive capacity, the Smart Grid will allow for automatic rerouting when equipment fails or outages occur. The Smart Grid takes advantage of customer-owned power generators, weather predictions, and renewable energy sources to produce power when it is not available from utilities.

Of course, the Smart Grid’s reliance on computers to accomplish these goals creates inherent vulnerabilities. Data breaches can occur, whether accidentally or through malicious attacks by hackers. Beazley PLLC, a specialist insurer, recently reported survey data showing that while hacking and malware attacks continue to be the leading cause of data breaches, accidental breaches caused by employee error or by third-party suppliers continue to account for 30 percent of breaches overall. This ongoing high level of accidental data breaches, according to Beazley, suggests that organizations are still failing to put in place measures needed to safeguard client data and confidentiality. Technologies specific to the Smart Grid are also vulnerable to cyber breach. As reported by the industry publication Smart Grid Today, an expert has warned that the connection of actuators (monitoring devices used in industrial control systems) directly to the internet could be dangerous because actuators are not designed to be cyber-secure, with no authentication or endpoint security protection. Connecting these devices to the internet could lead to the injection of malicious software into power grids.

Insurance Implications

On one hand, the Smart Grid intends to reduce the economic costs associated with power outages. Studies by the Electric Power Research Institute have estimated the yearly cost of power disturbances across all business sectors in the United States at between $104 billion and $164 billion as a result of outages, and another $15 billion to $24 billion due to power quality phenomena. See Electric Power Research Institute, “Estimating the Costs and Benefits of the Smart Grid” (2011).

On the other hand, the introduction of Smart Grid technologies can increase the possibility of an accidental or intentional data breach causing monetary loss. Smart Grid industry companies may need their insurance to step in to cover these losses. A 2015 report titled “Business Blackout” prepared by Lloyd’s of London and the University of Cambridge examined the insurance implications of a massive cyberattack on the power grid in the Northeast United States. It found that property damage and bodily injury claims would arise in six principal categories:

  1. Power generation companies would suffer property damage to their generators; business interruption from being unable to sell electricity as a result of property damage; and incident response costs and fines from regulators for failing to provide power.
  2. Related companies could be sued by power generation businesses seeking to recover a proportion of losses incurred under those companies’ liability insurance policies.
  3. Companies that lose power could suffer property losses to inventory; business interruption from power loss; and claims from failure to protect workforces (from bodily injury) or from causing pollution as a result of the loss of power.
  4. Other companies could be indirectly impacted by supply chain disruption from the blackout region; could have contingent business interruption; and could suffer share price devaluation as a result of having inadequate contingency plans, generating claims under their directors and officers liability insurance.
  5. Homeowners could suffer property damage, for example from refrigerator and freezer contents defrosting.
  6. Specialty claims would be possible under various specialty covers, such as event cancellation.

The Lloyd’s study concluded that in the most extreme version of the blackout scenario, the insurance industry could be expected to pay between $21.4 and $71.1 billion in claims. Under that scenario, the total impact to the U.S. economy was estimated at between $243 billion and $1 trillion.

The above cyber-related losses can be loosely grouped into two types of losses for an insurance policyholder: (1) first-party losses and (2) third-party losses. In general, first-party losses are the direct losses a policyholder suffers as a result of a cyber breach. Such losses can include the policyholder’s costs in direct response to the event (e.g., investigation, forensic, and remediation costs; credit monitoring expenses; and public relations expenses) and the policyholder’s loss of business income or property (e.g., from business closures, spoilage of inventory, or looting). Third-party losses are incurred as a result of claims and lawsuits brought against the policyholder by individuals and entities alleging harm caused by a cyber breach (e.g., regulatory fines, employee injury compensation, or pecuniary injury to another company).

In the next part of this series, I examine how to obtain insurance coverage for these kinds of cyber losses in the Smart Grid industry, and ways to minimize gaps in coverage.

