An Electrifying Threat
Energy and the natural resources industry face especially grim cyber threats.
“If there is a cyber attack, you can’t see or touch that attacker so your ability to quickly respond may or may not be successful,” said Norma Krayem, a senior policy adviser at the Patton Boggs law firm and co-chair of the firm’s homeland security, defense and technology transfer practice group.
“I think the likelihood of such an attack absolutely exists,” she said. “I think the question becomes more about who, when and why.”
According to Symantec, a data security company, the energy sector “has become a major focus for targeted attacks and is now among the top five most targeted sectors worldwide.”
The threats may come from competitive spying, corporate espionage, cyber criminals, hacktivism, disgruntled employees and state-sponsored disruptions, it said.
A bad result doesn’t even necessarily have to begin with bad intent, said Cliff Lancaster, senior risk analyst at Hartford Steam Boiler Inspection and Insurance Co. (HSB).
At the Davis–Besse Nuclear Power Station in Ohio, for example, the network became infected with a worm that shut it down for five hours in 2003 because a software consultant had created a shortcut for his own convenience that bypassed the firewall, he said.
Possible Widespread Devastation
As security measures increase, employees and vendors may be ever more tempted to bypass procedures, just to more easily get their work done.
Between July 2012 and June 2013, 16 percent of all cyber attacks each day targeted companies in the energy sector, according to Symantec. Only the government or public sector had more targeted attacks.
And should the energy delivery system be disrupted, that threatens the country’s finance, transportation, health care, water supply and emergency services systems — all of which depend on reliable energy.
– Norma Krayem, senior policy adviser, Patton Boggs
Electric grid vulnerabilities that lead to power disruptions are estimated to cost the U.S. economy between $119 billion to $188 billion each year, according to a 2013 report on grid vulnerability by Rep. Edward J. Markey, D-Mass., and Rep. Henry A. Waxman, D-Calif.
“Power disruptions today generally do not lead to insured losses,” said Robert Hartwig, president of the Insurance Information Institute.
“However, it seems only a matter of time before a major cyber attack leads to the type of damage covered by standard property and liability policies,” he said.
“As we look at what hackers have been able to do in terms of infiltrating presumed secure systems — even entities like the Department of Defense — it seems there must be vulnerabilities in the systems associated with major infrastructure in this country, whether it’s electric, water, transportation or communications.”
Complex Risk Management
The degree to which computer technology and networking are integral to the energy sector in an operational sense makes it a particularly complex risk-management challenge, said John Kerns, executive managing director of Beecher Carlson Financial Services.
“There was a question posed to us by a client earlier this year: What if there were a denial-of-service attack or virus that shut down the gas pipelines coming into Chicago in the middle of winter. Homes went cold and people went to the hospital or even died. There was no physical damage, but clearly there was a serious impact, and loss,” he said.
The challenges are not confined to traditional energy markets either, said Charles Long, vice president of renewable energy and green technology at William Gallagher Associates. “Many computers are covered under a basic commercial package, and wind farms have separate coverage. If there is a lightning strike, that is surely covered. If data just failed, that can be covered by E&O, but data corruption or a virus, that kind of thing is very much still under consideration.”
Fred Podolsky, executive vice president, executive risk, Alliant Insurance Services, said that “only a small fraction,” maybe 10 percent of U.S. based utility companies have bought cover, and most of the policies that have been purchased relate to data breach exposures.
Some companies, however, have “woken up and are looking for cover” to help them repair their power-generation network and computer systems should they be damaged, or to protect them from other service interruption or customer liability issues, he said.
But many utilities refuse to provide underwriters with sufficient information to get the coverage they need, he said.
The main reason? “It’s just a pure confidentiality concern. IT folks are just so fearful to release any information to anyone having to do with their security procedures, though pressure is building from risk management and others in the C-suite to address these exposures,” Podolsky said.
While protecting the actual control systems of energy companies is a high priority that is audited by the federal government, the smart grid — that measures and creates a more efficient distribution of electricity based on use — is vulnerable, said HSB’s Lancaster.
If false data were injected into that system, it could potentially cause turbine generators to speed up when they shouldn’t. “If you can get it spinning at the wrong speed,” he said, “it can just shake itself to death.”
Once a turbine or transformer is damaged, there is a limited amount of replacement equipment.
And once a turbine or transformer is damaged, there is a limited amount of replacement equipment, he said. “If you are able to damage many pieces of equipment at once, it would take a lot of time to fix it because you have to build and rebuild lots of equipment,” Lancaster said.
Krayem said the connectivity of entities that distribute electric power, for example, means there could be “cascading failures” throughout the country.
“You have this patchwork of systems that are being cobbled together, a lot of them are legacy systems, and they are not necessarily all at the same level of security,” she said.
According to KPMG, which cited data from the U.S. Department of Homeland Security, the “constant barrage of cyber attacks” on water and energy companies “usually take the form of cyber espionage or denial-of-service attacks against industrial-control systems.”
Inadequate Security Controls
The consultancy also noted that a survey by The Centre for Strategic and International Studies in 2010, found that critical infrastructure, including power grids, industrial control networks and oil refineries “are not adequately prepared to defend themselves.”
Video: Dissecting Stuxnet
The most famous of all attacks on an energy system occurred in Iran when unknown forces — believed to be the United States and Israel — created the Stuxnet worm, specially designed to target Iran’s specific industrial control system and reprogram it so that the nuclear centrifuges spun out of control and damaged themselves while the displays indicated normal functioning.
Most notably, Stuxnet spread using a USB drive, infecting networks that were unreachable by the Internet.
Another disturbing attack occurred in 2012, when a cyber attack hit Saudi Aramco, one of the largest oil producers in the world. The disruption, which continued for two weeks, disabled more than 30,000 of the company’s workstations.
The virus, later named “Shamoon,” was the first significant cyber attack on a commercial target to cause real damage. It is also the most destructive attack the private sector has experienced to date, said Malcolm Marshall, global leader for information protection at KPMG, based in London.
Marshall said that “one senior oil-industry executive to whom I spoke shortly after the Shamoon incident told me, ‘Well, there goes our worst-case scenario.’ ”
That same month, Rasgas, in Qatar, was hit by the same virus and forced to bring its entire network off line.
In 2011, hackers were able to install malware and “evidence of a sophisticated threat actor” was found in the U.S. energy sector, according to the U.S. Government Accountability Office.
An Active Market
Marshall noted that, in the aggregate, the global oil and gas industry “is effectively self-insured, but cyber security is an active and growing commercial market, especially in the U.S. It seems likely that will become an economic necessity.”
Kerns at Beecher Carlson said, “We are seeing multiple policies responding to these threats. Those include dedicated cyber policies, D&O coverage, and in the energy sector, even general liability policies are responding.”
That said, he added that “the insurance market is looking aggressively at cyber risk, and is putting on new exemptions, restrictions, and limits. The gray areas are still some GL, bodily injury, and third-party injury. Mostly, we are seeing GL carriers not willing to pick up many risks. That leaves owners and brokers to see what the cyber market is willing to do.
“There is capacity to address business interruption, but we are having to press on bodily injury and property damage as they relate to cyber,” he said.
Complete coverage on the inevitable cyber threat:
Risk managers are waking up to the reality that the cyber risk landscape has changed.
Cyber: The New CAT. It’s not a matter of if, but when. Cyber risk is a foundation-level exposure that must be viewed with the same gravity as a company’s property, liability or workers’ comp risks.
Critical Condition. The proliferation of medical devices creates a host of scary risks for the beleaguered health care industry.
Disabled Autos. It’s alarmingly easy for a hacker to take control of a driverless vehicle, tampering with braking systems or scrambling the GPS.
Unmanned Risk. The dark side of remote-controlled drones, which have already been hacked — by students.
Brokers List Legislative Priorities
You don’t have to spend your days watching C-SPAN to know that insurance issues are taking a prominent role on Capitol Hill lately.
“I don’t think I’ve ever seen the parochial interest [the insurance industry] holds having risen to the national priority that is the current environment,” said Joel Wood, senior vice president of government affairs for The Council of Insurance Agents & Brokers. “Agents have a lot of skin in the game.”
With the passage of the flood insurance bill, many agents are breathing a sigh of relief that the specter of massive rate increases won’t become a reality. However, several other pending issues could have weighty consequences for the insurance industry at large, and agents in particular.
The Affordable Care Act
“The independent agents are small business owners that are being impacted greatly by the implementation of health care reform,” said Mike Becker, executive vice president and CEO of the National Association of Professional Insurance Agents (PIA).
“We’ve been incredibly loud advocates for the agent, ensuring that they’re able to participate, should they desire to do so, and they’re fairly and justly compensated for doing so, whether they’re participating in the traditional market or through an exchange,” he said.
PIA is currently asking members to find cosponsors for H.R. 2328, the Access to Professional Health Insurance Advisors Act, introduced by U.S. Reps. Mike Rogers (R-MI) and John Barrow (D-GA), to ensure that agent compensation is not disadvantaged by implementation of the ACA.
Wood pointed out that the current political climate during mid-year elections may make it difficult to achieve much change on the legislative end, so the CIAB is focusing more on regulatory issues related to health care.
“The pieces we’ve been engaged on are with respect to issues that impact ERISA [Employee Retirement Income Security Act] with the Department of Labor, to testifying on the wellness provisions, to working with the various agencies on trying to develop the right kind of nondiscrimination rule that has yet to come forward and the auto-enrollment rules that have yet to come forward.
“There are a million moving parts on the Affordable Care Act, and we try to engage on all of that impact our clients,” Wood said.
Another issue that is top of mind for agents is renewal of the Terrorism Risk Insurance Act (TRIA), which is set to expire at the end of the year.
“Almost every major commercial policy today has a rider on it that says that post-Dec. 31st 2014, terrorism coverage will not be in place depending upon the outcome of this debate,” Wood stated.
“It’s a product that’s not easily accessible in the private market without the terrorism risk and insurance program,” said Becker. “We support those programs and we’re going to be advocating for its passage.”
The CIAB is also focusing on the Foreign Account Tax Compliance Act, which is designed to prevent tax evasion in transactions with offshore companies.
“We have unsuccessfully argued to the IRS that we should be exempted from implementation and reporting requirements on commercial insurance transactions,” Wood said. “Now, we’re moving to the implementation side and it’s going to be a burden both on the brokers and on their clients.
“Theoretically this sounds pretty simple, but there are unanswered questions. What is Lloyd’s of London, for example? Is that one insurance company or is it 200 companies, or is it 20,000 syndicates?”
To that end, CIAB is seeking clarification within the rules so that it can become a clearinghouse to help international insurers to comply with FATCA.
One of PIA’s biggest concerns involves federal regulation of insurance.
“We don’t think that there’s any further reason for federal regulation in this sphere,” said Jon Gentile, PIA national director of federal affairs.
“The insurance industry historically has been regulated at the state level. One of the things that came out of the financial crisis was that state regulation did, in fact, work and it worked well. We just want to make sure that our members are up on the Hill letting members of Congress know that state-based regulation does work well and has been for some time.”
However, the CIAB views this issue through a different lens.
“We think that it’s almost an embarrassment that our industry’s regulation is so fragmented when it comes to international trade,” said Wood. “We’re surprised at the degree to which some state insurance regulators have taken umbrage at the obvious role, as asserted in Dodd Frank for the Federal Insurance Office, to participate in reflecting U.S. goals in global talks.
“It’s a national business,” he said. “There has been a huge amount of consolidation. All the trend lines are going further in that direction.”
Wood also said that CIAB is advocating for passage of the National Association of Registered Agents and Brokers Reform Act that is designed to streamline interstate insurance licensing.
“It was big disappointment on not getting it [added as a rider to] the flood legislation. Shame on us, if we can’t get that to the finish line this year,” he said.
What Is Insurance Innovation?
Truly innovative insurance solutions are delivered in real time, as the needs of businesses change and the nature of risk evolves.
Lexington Insurance exemplifies this approach to innovation. Creative products driven by speed to market are at the core of the insurer’s culture, reputation and strategic direction, according to Matthew Power, executive vice president and head of strategic development at Lexington, an AIG Company and the leading U.S.-based surplus lines insurer.
“The excess and surplus lines sector is in a growth mode due, in no small part, to the speed at which our insureds’ underlying business models are changing,” Power said. “Tomorrow’s winning companies are those being built upon true breakthrough innovation, with a strong focus on agility and speed to market.”
To boost its innovation potential, for example, Lexington has launched a new crowdsourcing strategy. The company’s “Innovation Boot Camps” bring people together from the U.S., Canada, Bermuda and London in a series of engagements focused on identifying potential waves of change and market needs on the coverage horizon.
“Employees work in teams to determine how insurance can play a vital role in increasing the success odds of new markets and customers,” Power said. “That means anticipating needs and quickly delivering programs to meet them.”
An example: Working in tandem with the AIG Science team – another collaboration focused on innovation – Lexington is looking to offer an advanced high-tech seating system in the truck cabs of some of its long-haul trucking customers. The goal is to reduce driver injury and fatigue-based accidents.
“Our professionals serving the healthcare market average more than twenty years of industry experience. That includes attorneys and clinicians combining in a defense-oriented claims approach and collaborating with insureds in this fast-moving market segment. At Lexington, our relentless focus on innovation enables us to take on the risk so our clients can take on the opportunities.”
– Matthew Power, Executive Vice President and Head of Regional Development, Lexington Insurance Company
Power explained that exciting growth areas such as robotics, nanotechnology and driverless cars, among others, require highly customized commercial insurance solutions that often can be delivered only by excess and surplus lines underwriters.
“Being non-admitted, our freedom of rate and form allows us to be nimble, and that’s very important to our clients,” he said. “We have an established track record of reacting quickly to trends and market needs.”
Lexington is a leading provider of personal lines coverage for the excess and surplus lines industry and, as Power explains, the company’s suite of product offerings has continued to evolve in the wake of changing customer needs. “Our personal lines team has developed a robust product offering that considers issues like sustainable building, energy efficiency, and cyber liability.”
Most recently the company launched Evacuation Response, a specialty coverage designed to reimburse Lexington personal lines customers for costs associated with government mandated evacuations. “These evacuation scenarios have becoming increasingly commonplace in the wake of recent extreme weather events, and this coverage protects insured families against the associated costs of transportation and temporary housing.
The company also has followed the emerging cap and trade legislation in California, which has created an active carbon trading market throughout the state. “Our new Carbon ODS product provides real property protection for sequestered ozone depleting substances, while our CarbonCover Design Confirm product insures those engineering firms actively verifying and valuing active trades.” Lexington has also begun to insure new Carbon Registries as they are established in markets across the country.
Lexington has also developed a number of new product offerings within the Healthcare space. The Affordable Care Act has brought an increased focus on the continuum of care and clinical patient safety. In response, Lexington has created special programs for a wide range of entities, as the fast-changing healthcare industry includes a range of specialized services, including home healthcare, imaging centers (X-ray, MRI, PET–CT scans), EMT/ambulances, medical laboratories, outpatient primary care/urgent care centers, ambulatory surgery centers and Medical rehabilitation facilities.
“The excess and surplus lines sector is in growth mode due, in no small part, to the speed at which our insureds’ underlying business models are changing,” Power said.
Apart from its coverage flexibility, Lexington offers this segment monthly webcasts, bi-monthly conference calls and newsletters on key risk issues and educational topics. It also provides on-site risk consultation (for qualifying accounts), access to RiskTool, Lexington’s web-based healthcare risk management and patient safety resource, and a technical staff consisting of more than 60 members dedicated solely to healthcare-related claims.
“Our professionals serving the healthcare market average more than twenty years of industry experience,” Power said. “That includes attorneys and clinicians combining in a defense-oriented claims approach and collaborating with insureds in this fast-moving market segment.”
Power concluded, “At Lexington, our relentless focus on innovation enables us to take on the risk so our clients can take on the opportunities.”