The Washington Post reported Friday that Russian hackers had penetrated the U.S. utility grid through Burlington Electric, a Vermont utility. Although the utility later clarified that the attacked computer was not connected to the grid and that the connection to Russia was not confirmed, hundreds of news sources picked up the story, demonstrating the widespread concern over cyber intrusions into our electric grid.
The United States electricity grid is critically important to our lives. The “grid” is vulnerable not only to weather-related power outages but also to cyber attacks, because controllers and sensors across the grid are connected to the internet – the “Internet of Things.” A shutdown of a utility’s service caused by a cyber attack could produce dire economic consequences for both small and large businesses. It is therefore essential that firms try to manage this business interruption risk, and because the risk is outside of a firm’s control, insurance is the best tool to use.
Cyber Attacks on Utilities – Frequency and Potential Impact
Electric utilities experienced a spike in cyberattacks in 2016, according to a survey by Tripwire, a cyber security firm. Seventy-five percent of the information technology workers surveyed reported that their companies in the oil, natural gas and electricity sectors had experienced at least one successful cyberattack in the past twelve months, meaning intruders were able to breach one or more firewalls or other protections.
Cyber hackers have been successful in shutting down electric utilities. FireEye, another digital security firm, reported that in December 2015, Russian-nexus actors caused blackouts in several regions in Ukraine. The hackers used malware to disable “industrial control systems” at several Ukrainian utilities; these systems act as the intermediary between computers and the switches that distribute electricity. These systems – the pathways in the Internet of Things – guide trains as they speed down the track, control water supply valves at treatment plants, and mix chemicals at factories.
Impact of an Attack on the U.S. Electricity Grid
A cyber attack on the United States electricity grid could both cause property damage at the utility and significantly impact its customers. As they did in Ukraine, hackers can use malware to take control of electric generators, causing them to overload and burn out and resulting in fires and explosions. Alternatively, the malware can simply cause the generators to shut down. Regardless of whether a cyber attack results in property damage, the losses could be in the billions. A 2014 Federal Energy Regulatory Commission analysis revealed that successful attacks on just nine of 55,000 U.S. power-grid substations could cause nationwide blackouts for weeks, if not months.
Insuring Against Cyber Attacks on Utilities
Coverage Available Under Traditional Property Policies
Business interruption (“BI”) coverage protects against lost profits resulting from property damage to the insured’s property. Standard property insurance policies also include coverage for lost profits arising from a covered event at an upstream supplier. This is called “contingent” BI coverage. Many policies also include “service interruption” coverage, which is a type of contingent BI insurance insuring lost profits arising from damage to an electric utility’s property causing an interruption in the utility’s service.
Coverage under traditional property insurance policies for lost profits arising from a cyber attack on a utility may be limited. Standard property insurance policies require direct physical loss to covered property. Many courts have held that damage to data is not a “direct physical loss.” Moreover, property policies typically exclude coverage for losses arising from the destruction of electronic data. A variety of courts have found that losses restricted to data itself are not “direct physical loss” or “physical damage to tangible property” within the various policies’ coverage provisions. Therefore, unless the cyber attack on the utility causes an explosion or a fire – physical loss to property – standard property insurance policies may not provide coverage for lost profits arising from a utility shutdown.
Coverage Available Under Cyber Policies
Because traditional property policies may not provide BI coverage for a cyber attack on an electric utility, policyholders should consider cyber insurance. Cyber insurance policies provide coverage for a variety of cyber risks, including the type of malware that a hacker might use to attack an electric utility. Recently, many carriers have broadened cyber insurance offerings to include contingent BI coverage that would protect against lost profits arising from a utility shut down initiated by a hacker. Because breaches to the U.S. electrical grid pose such a widespread risk, however, insurers typically limit this coverage in a number of ways. These limitations include reducing the duration of the coverage, setting waiting periods of up to 60 days before the coverage applies and adding exclusions.
One key exclusion that could apply to an attack on a utility is the terrorism exclusion. These exclusions bar coverage for losses arising from acts committed “for political, religious, ideological or similar purposes including the intention to influence any government and/or to put the public, or any section of the public, in fear.” There is little doubt that an attack on the U.S. electrical grid would generate intense focus on the source of the attack and whether it had a political, religious, or ideological purpose. Insurers therefore will look to bar coverage for BI claims arising from a utility shut down.
Businesses should carefully evaluate their existing property insurance policy to determine whether it offers coverage for lost income arising from an interruption of electrical power caused by a cyber attack on a utility. Coverage under traditional policies may be limited, however. Insureds also should review their cyber insurance policy to assess the scope of BI coverage offered there. Even if the policy provides such coverage, it is important to review the applicable sublimit, duration of coverage, waiting period, and exclusions to assess how broad the coverage truly is. If the coverage limitations are significant, keep in mind that in today’s cyber insurance market, many policy terms are negotiable. Working with counsel and your insurance broker, businesses may be able to negotiate changes to the carrier’s proposed language to expand the coverage available for this very important and potentially catastrophic risk.