Skip to main content
Article

CyNat: A new and innovative cyber insurance product for the Power & Utilities sector

Cyber Risk Management|Financial, Executive and Professional Risks (FINEX)
N/A

By Myles Milner | June 23, 2021

CyNat is a tailored, flexible and industry-specific cyber risk transfer proposition for companies operating in the Power & Utility and Renewable Energy sectors.

A dynamic risk environment

Everyone has memories of when the lights went out, the water stopped flowing and the boilers stopped warming. Even now, parts of our world suffer debilitating power cuts, together with water and gas shortages; this is being driven by several factors, including aging grid systems, natural events and geopolitics. A UK power cut in August of 2019 saw one million people lose access to power1; in this instance a series of events, triggered by a lightning strike on a power line, led to a loss of power input to the grid, and a forced response by technology to protect the integrity of the system. It can be said that the grid’s technology did what it was meant to do; that is, close parts of the grid system to rebalance and avoid consequential damage to the network and further afield. A blackout was the result.

What this has given us is a stark reminder of the role that the Power & Utilities sector plays to enable us to get on with our day to day lives. Without power, our industry cannot function; without gas, our houses will not be heated; without water, our personal and commercial thirst can’t be quenched. It’s the critical infrastructure that needs to operate - or we slow to a standstill. Technology is being advanced and deployed to improve the reliability of these systems, but in the shadow of such progress like digitalization, sits an evolving risk issue that dominates many risk manager, board and even government concerns - cyber risk.

The sector has seen an increasing exposure to cyber-attacks. The merging of technology, process and people increasing the attack surface on both the micro and macro level. It is estimated that utilities worldwide will collectively spend nearly US$ 247 billion on energy IT and cyber security software from 2019 through 20282. At the same time, the threat continues to evolve and adapt, outpacing our ability to protect against it. Cyber is a unique peril in that it can move from system to system, from nation to nation, in ways businesses have not had to deal with before with perils such as fire or flood; it’s a product of our digitally connected world and there is no going back.

Recent events demonstrate this cyber vulnerability, from the cross-industry impact of the SolarWinds breach3 to the sector-specific Ukraine power grid attack and the Florida water plant4 incident, signaling a new epoch of digital warfare.

So far, we have focused on the malicious attack type cyber incident; you could be specifically targeted, or even impacted due to a random distribution and get caught as collateral damage. But a business could also fall victim to a non-malicious incident such as human error or technical failure. This nuance is being addressed by the insurance markets differently.

These incidents can lead to first party losses and claims for compensation from third parties, as well as regulatory action. Each is possible of causing long term reputational damage should it not be managed in the right manner. Cyber is a board level issue and, regardless of the cause, such incidents can have a significant impact.

The insurance industry has a unique role to play in addressing this issue. It provides a platform for not just traditional risk transfer, but also knowledge sharing and access to specialist solutions and advice. Willis Towers Watson has recognised this issue and seeks to address it head on - even at a time when the market is at its most challenging.

These new risk issues demand new thinking

Just as the threat grows, insurance cover is now being often excluded from many traditional lines of business to address the silent cyber issue5. The sector further recognises other exposures and ancillary costs, such as non-damage Business Interruption and incident response costs, that would not have been covered under the traditional Property and Liability insurance forms which could become an issue for insurance buyers; historically, insurance buyers have approached cyber as an optional extra to their risk management strategy, and now it must be viewed as a core business need. The risk is just too large and volatile (and impacts too much on boardroom accountability) for businesses to solely retain the risk.

Utilising our own research and understanding, Willis Towers Watson has identified a clear demand and need in the Power & Utilities industry for a new insurance solution. Our approach is premised on relevant cover, customer choice and simplicity, all packaged together with industry focus and expertise. From cover to placement to claims, all should be delivered with greater clarity.

The need for an industry focused approach

Cyber insurance should be bespoke and customized to the buyer and their specific sub-sector. But much still can be done to de-mystify the solutions in the market; the way to do this is by removing complexity and improving clarity. Willis Towers Watson has successfully championed this with award winning products for the Aviation and Marine sectors in 2017 and 2020; now we are applying and adapting this model to the Power & Utilities sector.

CyNat: A new solution

CyNat is a new, innovative product designed to address this sector need. Developed and delivered by Power & Utilities and Cyber experts, it has been designed with the following at its core:

  1. Clear and simple policy language, drafted from the policyholder’s rather than insurers’ perspective
  2. Industry-relevant and broad cover
  3. Customer choice (you pay only for what your business needs; not for what insurers think generic businesses need)
  4. Coordinated insurance capacity, attracting support from several leading insurance markets to increase the limits available and to promote competitive pricing
  5. Industry expertise across the Power & Utilities and Cyber sectors

What CyNat covers

CyNat has been built to address the following exposures plus more, in a modular manner:

  1. Loss of revenue, whether caused by a cyber-attack or human error, on both IT & OT systems
  2. Physical damage to plant, machinery and assets caused by cyber-attack
  3. Replacement utility/service
  4. Regulatory exposures under cyber security legislation (e.g. NIS Directive) and industry specific regulation (e.g. NERC CIP) as well as data protection legislation (e.g. GDPR)
  5. Third party property damage, bodily injury and environmental liability
  6. Emergency incident response to ransomware attacks and data breaches etc.
  7. Reputational harm loss and mitigation
  8. Supply chain vulnerabilities

Choosing the CyNat approach

Cyber insurance requires an industry focused approach that:

  • addresses a growing exposure and insurance gap for the industry;
  • simplifies the cyber product design and delivery;
  • reduces ambiguity in the event of a claim; and
  • enhances the customer experience throughout the process.

In CyNat, Willis Towers Watson has designed a solution to do just that.

Footnotes

1 https://www.drax.com/energy-policy/britains-blackout/#chapter-1

2 https://energycentral.com/c/iu/navigant-electric-utilities-spend-247-billion-it-cybersecurity-through-2028

3 https://www.willistowerswatson.com/en-GB/Insights/2021/01/client-alert-solarwinds-cyber-incident

4 https://www.forbes.com/sites/leemathews/2021/02/15/florida-water-plant-hackers-exploited-old-software-and-poor-password-habits/?sh=150d254334ed

5 https://willistowerswatson.turtl.co/story/power-market-review-2020/page/14/1

Author

Global Renewable Energy I Account Director & Broker
Natural Resources

Related Solutions

Contact Us