Having reliable, stable power is such a given that Americans tend not to think about it until there’s an outage. Then, when everything is off, our immediate thought is to wonder how long it’s going to take for the outage to get fixed.
Usually, power outages are brief and typically caused by inclement weather.
But there’s another threat that is increasing, which can be challenging to fix: cybercrime.
The risks
There are a number of reasons that energy companies are at an elevated risk for cybercrime. First and foremost, energy companies are a target because of their importance. We are heavily reliant on a stable energy system, and because of that dependence, criminals assume, perhaps with reason, that the pressure to cave in to ransom demands would be intense.
Another risk is the age of our power grid. The US’s energy infrastructure is vast and requires constant maintenance and upkeep. It is also very expensive to update.
So, the parts that continue to work are usually kept in service even if they are well overdue to be replaced. Some components of our nation’s energy infrastructure are quite old and have been in service for up to 40 or 50 years.
That age doesn’t just pose a risk for physically breaking down. It also means that there are parts that remain vulnerable to hacking by bad actors.
With a patchwork of systems and controls, the electric grid has weaknesses that leave it susceptible to attack.
While money is a strong motivator for criminal behavior, energy and other key infrastructure industries, such as water supply systems and telecommunications, are also targets for nation-state actors.
These attackers have the support of governments and are well-funded, and their objectives may differ from those of the standard cybercriminal. Shutting off power through a coordinated cyberattack by a state actor may be designed to disrupt normal day-to-day activities and instill fear.
Because energy companies can serve thousands to millions of customers, a cyberattack on even a small company can have far-reaching effects.
Components of a strong cybersecurity program
Because there are many points of weakness within the nation’s energy systems, energy companies must have strong safeguards in place.
An important step is employee training. Energy companies should institute digital safety and security training for everyone in the company with access to an email address or access to digital devices.
Phishing and spear-phishing are frequently paths to ransomware and malware attacks, and these tactics are becoming increasingly sophisticated. The use of AI to generate audio clips that mimic the voices of key personnel in efforts to trick employees into disclosing vital information, such as bank accounts and passwords, is no longer a far-fetched notion.
As threats change and bad actors adapt, training must be revised and updated.
Updating software and hardware systems and implementing patches as soon as they are published are additional steps to take. Security systems should be robust and routinely tested. And, having the right insurance products in place can protect your energy company if you do fall victim to a cyberattack.
What does cyber insurance cover?
There are several key components of a cyber insurance policy, which is designed to help your business if there is a covered event. Policies may vary from one provider to the next, but some typical offerings are:
Liability coverage – This covers property damage and bodily harm that results from a cybersecurity event. For instance, if a cyberintruder installs malware that damages key equipment, causing it to break or malfunction, this coverage is designed to help an energy company recoup the costs of repairing or replacing that equipment.
Pollution coverage – This covers any pollution event caused by a cybersecurity breach. For example, if a cyber incident causes a system malfunction that leads to a toxic release or spill, the cleanup costs would be covered.
Control systems coverage – This coverage is designed to specifically assist manufacturing and industrial companies that use specialized hardware and software for industrial controls, also known as SCADA (supervisory control and data acquisition). Because these systems are designed for real-time monitoring of highly specialized infrastructure, using networked data and computers, cyberattacks can cause a great deal of damage.
Ransom and extortion – Cybercriminals frequently choose targets with the objective of getting a big payout. Ransomware is usually spread through links in phishing emails or texts, or when an individual visits a compromised website. Once the ransomware is deployed, the victim’s files are encrypted, and an entire company can be locked out of its systems, with offers to restore them once a ransom is paid. Although many cyber insurance policies cover ransom and extortion, there are typically certain conditions that must be met, including the insurer’s approval.
Business interruption coverage – A cybersecurity event at an energy company has the potential to disrupt the normal course of operations, so business interruption coverage would protect the company from the financial losses associated with the event.
Other types of cyber insurance coverages that may be in your policy could include:
- Public relations work and associated reputational management expenses
- Breach notification costs
- Data restoration
- Expert advice and repairs
- Legal expertise
How much does cyber insurance cost?
Like other forms of insurance, cyber insurance premiums are tied to risk. Because cyber risks have been growing, premiums have been rising. This is especially true with ransom payouts, which can increase the cost of providing cyber insurance.
However, cyber insurance is an increasingly important coverage to carry. To learn more about cyber insurance, how much it costs, and what is covered, contact the experts at Rate Insurance. With access to a wide range of commercial insurance providers, they can help find the right policy to protect your energy company.
Disclaimer:
All information provided in this publication is for informational and educational purposes only, and in no way is any of the content contained herein to be construed as financial, investment, or legal advice or instruction. Rate Insurance does not guarantee the quality, accuracy, completeness or timeliness of the information in this publication. While efforts are made to verify the information provided, the information should not be assumed to be error free. Some information in the publication may have been provided by third parties and has not necessarily been verified by Rate Insurance. Rate Insurance, its affiliates and subsidiaries do not assume any liability for the information contained herein, be it direct, indirect, consequential, special, or exemplary, or other damages whatsoever and howsoever caused, arising out of or in connection with the use of this publication or in reliance on the information, including any personal or pecuniary loss, whether the action is in contract, tort (including negligence) or other tortious action.