2016 Most Dangerous Emerging Risks

Cyber Grid Attack: A Cascading Impact

The aggregated impact of a cyber attack on the U.S. power grid could cause huge economic losses and upheaval. 
By: | April 4, 2016 • 8 min read

SCENARIO: The hackers used a range of tactics to gain access to the U.S. electric grid system without alerting security teams — targeting laptops and personal electronic devices of key personnel, conducting phishing attacks, hacking remote access systems and physically intruding on network monitoring locations.

Advertisement




Months later, they systematically disabled safety systems that would prevent power generators from being desynchronized. They sent control signals to open and close the generator’s rotating circuit breakers in quick succession.

This used the inertia of the generator itself to force out of sync the bearings of 50 generators. They had hoped to destroy 100.

The generators began to smoke and burn. Some were partially destroyed. One gas turbine facility exploded from the generator fire. Operators shut down even the uncontaminated generators until the cause of the damage was determined.

The cascading impact of the cyber attack stuns the nation. Engineers have no definitive explanation for the damage, which plunges 15 Northeastern states and Washington, D.C. into darkness, leaving 93 million people without power.

Back-up generators at hospitals, public facilities and some companies remain available for essential services. Phones, internet, ATMs, street lights, subway cars, gas stations, water systems, manufacturers, and just about everything else goes down. Communications systems are mostly unavailable, except for 911.

No one immediately knows the scope of the infection. Or whether it will reoccur.

VIDEO: Media reports highlight the vulnerability of the U.S. power grid.

ANALYSIS: This “Business Blackout” scenario by the University of Cambridge Centre for Risk Studies and Lloyd’s of London suggests a range of $61 billion to $223 billion in economic losses, depending on the number of impacted generators and whether it took two, three or four weeks to restore 90 percent of the power.

Nick Beecroft, emerging risks and research manager, Lloyd’s of London

Nick Beecroft, emerging risks and research manager, Lloyd’s of London

“This is a real risk management issue facing the power sector around the world right now,” said Nick Beecroft, emerging risks and research manager, Lloyd’s of London, who worked on the “Business Blackout” project.

But even more, he said, it is a risk that “all of society has to confront as more and more of our infrastructure and economy become connected to digital networks.”

Such an attack “would disrupt businesses spanning the entire economy.” In the scenario, it takes several months and up to three years for the economy to fully revert to the GDP levels prior to the attack.

One insurance executive who asked to remain anonymous said it’s impossible to calculate the cascading impact of a cyber attack on the power grid.

“The honest answer is we don’t know,” the executive said. “It’s difficult to say if this is a one-in-100-year event or a one-in-10-year event. How do we know it won’t happen tomorrow or twice in a week? That’s the scary part for us.”

“Cyber is definitely the most dangerous emerging risk. The digital infrastructure was not designed to protect against bad guys.” —Andrew Coburn, senior vice president, RMS; director of the advisory board at the Cambridge Centre for Risk Studies

In 2003, overgrown tree limbs short-circuited sagging transmission lines amid hot weather in Ohio that had already strained generating capacity. Combined with human error, the result was a blackout of eight states and part of Canada for 36 hours, affecting 50 million people.

“I think that shows how interconnected the power grid is,” said Jamie Bouloux, president, cyber practice, Ryan Specialty.

Utilities Are “Under Constant Attack”

Advertisement




Recently, North Korea was accused of hacking a nuclear operator in South Korea; Russia was accused of shutting down Ukraine’s power grid for up to six hours in a sophisticated cyber attack that left up to 230,000 residents in the dark; and Israel’s electric authority successfully fought off a hacking attempt.

“The utilities, energy and infrastructure industries — petroleum, gas, electric power, nuclear, renewable, telecoms, water and sewage — are under constant attack,” said Kevin Kalinich, national cyber leader, Aon Risk Solutions.

The “poster child” for sophisticated nation-state hacks is Stuxnet, where unnamed hackers generally believed to be the United States and Israel introduced malware into Iran’s industrial control systems, causing nuclear centrifuges to spin out of control and damage themselves even while displays indicated normal functioning.

Joe Weiss, managing director of Applied Control Solutions

Joe Weiss, managing director of Applied Control Solutions

The controllers used in Iran are the same as those used in U.S. military systems, power plants, water systems, transportation, manufacturing and other commercial and industrial enterprises, said cyber security expert Joe Weiss, managing director of Applied Control Solutions.

“There are only 10 to 15 vendors [of control systems] worldwide and they supply every industry.”

And they are vulnerable, he said.

“It is possible to compromise the power grid via a cyber attack. Depending on the attack, it is possible to bring the grid down for nine to 18 months. This is existential to the United States.

“Nation-states are actively targeting our critical infrastructure and actively trying to compromise control systems,” Weiss said. “We know that.

“Not much is being done and the cyber insurance world needs to understand the cyber risks to these critical control systems.”

Security Has Increased

Utilities have been working to better secure infrastructure, including the grid and their distribution and transmission networks, said Gary Gresham, senior vice president, power practice, Aon Global Power.

In 2012, $14 billion was spent to shore up grid reliability and redundancy. That’s compared to about $5 billion spent in 2003.

R4-16p35-36_1CCyberrev.inddUtilities and power generators are also working in conjunction with local law enforcement, Homeland Security and the FBI to share information on the types of attacks seen.

But the utility industry is more advanced in protecting their systems and sharing information than other sectors of the country, including transportation, communications, industrial and manufacturing, which also rely on industrial control systems, Gresham said.

Tim Francis, enterprise cyber lead, Travelers

Tim Francis, enterprise cyber lead, Travelers

Tim Francis, enterprise cyber lead, Travelers, noted that insurers and the private sector have dealt with the threat of data breaches for a while, but are “just beginning the journey” on threats to industrial control systems.

For businesses, it may come down to a question of size and scale, said Bouloux.

“Ultimately, if you are a big enough business, you should be able to marginalize the exposure due to a power outage,” he said.

Experts often compare the impact of a power grid hack to the damage and losses resulting from large natural disasters such as Katrina and Sandy, but Bouloux said 9/11 might be a better model for understanding the economic impact such an event could have on the insurance industry, if it was found to be an act of terrorism.

Commercial claims in the New York area alone were varied and complicated — amounting to about $40 billion, of which an estimated $27 billion was paid in claims associated with business interruption, liability and property damage (other than damage to the World Trade Center buildings), he said.

As a single, isolated act of terrorism, it calls into question Lloyd’s estimated insured losses from the 15-state blackout scenario of $21.4 billion to $71.1 billion.

The cascading impact of a cyber attack complicates the picture for insurers.

Andrew Coburn, senior vice president, RMS

Andrew Coburn, senior vice president, RMS

“They need to look at how many insureds’ policies they have that have certain coverages on them,” said Andrew Coburn, senior vice president, RMS, and director of the advisory board at the Cambridge Centre for Risk Studies.

“About 12 classes of insurance lines were impacted in the scenario,” he said.

The formula to determine potential losses is complex, often depending on whether companies have “supplier’s extension coverage,” which may have ambiguous wording relating to perils.

To come up with a potential loss, the insurance companies need to work through how long each insured is impacted — which could range from one to four weeks or more — and then take into account deductibles, limits and sublimits, Coburn said.

“We spent the past couple of months working with insurance companies to apply this to their book as a stress test scenario,” he said. “It’s not the easiest one for them.”

Risk Mitigation

Regardless of whether a power outage is due to a natural event or a cyber attack, companies need to prepare in similar ways, Francis said.

They need back-up continuity plans, plans for employees working offsite, and they

Jamie Bouloux, president, cyber practice, Ryan Specialty

Jamie Bouloux, president, cyber practice, Ryan Specialty

need to talk to their broker and insurer prior to any such event to determine what is covered and what gaps exist.

Experts said coverage is available to cover most exposures related to a power-grid attack, but one policy alone will probably be insufficient. For example, power

outages are generally not covered by insurance policies — such as for property coverage — unless there is physical damage.

When planning for continuity, risk managers should look at the electric grid and ensure they have facilities in other grids so those facilities would not be affected, Bouloux said.

Effective mitigation requires an ongoing review of potential exposures from an enterprise risk management perspective, said Gresham.

Risk managers must continually review and update processes and practices to ensure the organization is as resilient as possible and operations have redundancy.

Aon’s Kalinich said it’s possible for insureds to identify and quantify their business interruption losses on a micro level. “The bigger question,” he said, “is the macro level aggregated risk of grid-type exposures” for insurance companies.

“For us, it’s not an academic exercise,” Beecroft of Lloyd’s said. “It’s a real challenge for the industry. We have to be able to pay out claims.

Gary Gresham, senior vice president, power practice, Aon Global Power.

Gary Gresham, senior vice president, power practice, Aon Global Power

“We recognize that there is a large degree of ambiguity and uncertainty about whether or not existing insurance covers would respond in the event of a cyber event.”

Managing the risk requires a partnership of government, insurance and business, he said. “We can’t just accept the vulnerability and throw our hands up. We can manage to make life difficult for hackers, but we can’t reduce the risk to zero.”

“Cyber,” said Coburn, “is definitely the most dangerous emerging risk. The digital infrastructure was not designed to protect against bad guys. It was designed to be efficient. … What is society willing to spend to make that threat go away?” &

BlackBar

2016’s Most Dangerous Emerging Risks

brokenbridgeThe Fractured Future Infrastructure in disrepair, power grids at risk, rampant misinformation and genetic tinkering — is our world coming apart at the seams?

01b_cover_story_crackCrumbling Infrastructure: Day of Reckoning Our health and economy are increasingly exposed to a long-documented but ignored risk.

01d_cover_story_vaccineFragmented Voice of Authority: Experts Can Speak but Who’s Listening? Myopic decision-making fostered by self-selected information sources results in societal and economic harm.

01e_cover_story_dnaGene Editing: The Devil’s in the DNA Biotechnology breakthroughs can provide great benefits to society, but the risks can’t be ignored.

Anne Freedman is managing editor of Risk & Insurance. She can be reached at [email protected]

More from Risk & Insurance

More from Risk & Insurance

Insurtech

Kiss Your Annual Renewal Goodbye; On-Demand Insurance Challenges the Traditional Policy

Gig workers' unique insurance needs drive delivery of on-demand coverage.
By: | September 14, 2018 • 6 min read

The gig economy is growing. Nearly six million Americans, or 3.8 percent of the U.S. workforce, now have “contingent” work arrangements, with a further 10.6 million in categories such as independent contractors, on-call workers or temporary help agency staff and for-contract firms, often with well-known names such as Uber, Lyft and Airbnb.

Scott Walchek, founding chairman and CEO, Trōv

The number of Americans owning a drone is also increasing — one recent survey suggested as much as one in 12 of the population — sparking vigorous debate on how regulation should apply to where and when the devices operate.

Add to this other 21st century societal changes, such as consumers’ appetite for other electronic gadgets and the advent of autonomous vehicles. It’s clear that the cover offered by the annually renewable traditional insurance policy is often not fit for purpose. Helped by the sophistication of insurance technology, the response has been an expanding range of ‘on-demand’ covers.

The term ‘on-demand’ is open to various interpretations. For Scott Walchek, founding chairman and CEO of pioneering on-demand insurance platform Trōv, it’s about “giving people agency over the items they own and enabling them to turn on insurance cover whenever they want for whatever they want — often for just a single item.”

Advertisement




“On-demand represents a whole new behavior and attitude towards insurance, which for years has very much been a case of ‘get it and forget it,’ ” said Walchek.

Trōv’s mobile app enables users to insure just a single item, such as a laptop, whenever they wish and to also select the period of cover required. When ready to buy insurance, they then snap a picture of the sales receipt or product code of the item they want covered.

Welcoming Trōv: A New On-Demand Arrival

While Walchek, who set up Trōv in 2012, stressed it’s a technology company and not an insurance company, it has attracted industry giants such as AXA and Munich Re as partners. Trōv began the U.S. roll-out of its on-demand personal property products this summer by launching in Arizona, having already established itself in Australia and the United Kingdom.

“Australia and the UK were great testing grounds, thanks to their single regulatory authorities,” said Walchek. “Trōv is already approved in 45 states, and we expect to complete the process in all by November.

“On-demand products have a particular appeal to millennials who love the idea of having control via their smart devices and have embraced the concept of an unbundling of experiences: 75 percent of our users are in the 18 to 35 age group.” – Scott Walchek, founding chairman and CEO, Trōv

“On-demand products have a particular appeal to millennials who love the idea of having control via their smart devices and have embraced the concept of an unbundling of experiences: 75 percent of our users are in the 18 to 35 age group,” he added.

“But a mass of tectonic societal shifts is also impacting older generations — on-demand cover fits the new ways in which they work, particularly the ‘untethered’ who aren’t always in the same workplace or using the same device. So we see on-demand going into societal lifestyle changes.”

Wooing Baby Boomers

In addition to its backing for Trōv, across the Atlantic, AXA has partnered with Insurtech start-up By Miles, launching a pay-as-you-go car insurance policy in the UK. The product is promoted as low-cost car insurance for drivers who travel no more than 140 miles per week, or 7,000 miles annually.

“Due to the growing need for these products, companies such as Marmalade — cover for learner drivers — and Cuvva — cover for part-time drivers — have also increased in popularity, and we expect to see more enter the market in the near future,” said AXA UK’s head of telematics, Katy Simpson.

Simpson confirmed that the new products’ initial appeal is to younger motorists, who are more regular users of new technology, while older drivers are warier about sharing too much personal information. However, she expects this to change as on-demand products become more prevalent.

“Looking at mileage-based insurance, such as By Miles specifically, it’s actually older generations who are most likely to save money, as the use of their vehicles tends to decline. Our job is therefore to not only create more customer-centric products but also highlight their benefits to everyone.”

Another Insurtech ready to partner with long-established names is New York-based Slice Labs, which in the UK is working with Legal & General to enter the homeshare insurance market, recently announcing that XL Catlin will use its insurance cloud services platform to create the world’s first on-demand cyber insurance solution.

“For our cyber product, we were looking for a partner on the fintech side, which dovetailed perfectly with what Slice was trying to do,” said John Coletti, head of XL Catlin’s cyber insurance team.

“The premise of selling cyber insurance to small businesses needs a platform such as that provided by Slice — we can get to customers in a discrete, seamless manner, and the partnership offers potential to open up other products.”

Slice Labs’ CEO Tim Attia added: “You can roll up on-demand cover in many different areas, ranging from contract workers to vacation rentals.

“The next leap forward will be provided by the new economy, which will create a range of new risks for on-demand insurance to respond to. McKinsey forecasts that by 2025, ecosystems will account for 30 percent of global premium revenue.

Advertisement




“When you’re a start-up, you can innovate and question long-held assumptions, but you don’t have the scale that an insurer can provide,” said Attia. “Our platform works well in getting new products out to the market and is scalable.”

Slice Labs is now reviewing the emerging markets, which aren’t hampered by “old, outdated infrastructures,” and plans to test the water via a hackathon in southeast Asia.

Collaboration Vs Competition

Insurtech-insurer collaborations suggest that the industry noted the banking sector’s experience, which names the tech disruptors before deciding partnerships, made greater sense commercially.

“It’s an interesting correlation,” said Slice’s managing director for marketing, Emily Kosick.

“I believe the trend worth calling out is that the window for insurers to innovate is much shorter, thanks to the banking sector’s efforts to offer omni-channel banking, incorporating mobile devices and, more recently, intelligent assistants like Alexa for personal banking.

“Banks have bought into the value of these technology partnerships but had the benefit of consumer expectations changing slowly with them. This compares to insurers who are in an ever-increasing on-demand world where the risk is high for laggards to be left behind.”

As with fintechs in banking, Insurtechs initially focused on the retail segment, with 75 percent of business in personal lines and the remainder in the commercial segment.

“Banks have bought into the value of these technology partnerships but had the benefit of consumer expectations changing slowly with them. This compares to insurers who are in an ever-increasing on-demand world where the risk is high for laggards to be left behind.” — Emily Kosick, managing director, marketing, Slice

Those proportions may be set to change, with innovations such as digital commercial insurance brokerage Embroker’s recent launch of the first digital D&O liability insurance policy, designed for venture capital-backed tech start-ups and reinsured by Munich Re.

Embroker said coverage that formerly took weeks to obtain is now available instantly.

“We focus on three main issues in developing new digital business — what is the customer’s pain point, what is the expense ratio and does it lend itself to algorithmic underwriting?” said CEO Matt Miller. “Workers’ compensation is another obvious class of insurance that can benefit from this approach.”

Jason Griswold, co-founder and chief operating officer of Insurtech REIN, highlighted further opportunities: “I’d add a third category to personal and business lines and that’s business-to-business-to-consumer. It’s there we see the biggest opportunities for partnering with major ecosystems generating large numbers of insureds and also big volumes of data.”

For now, insurers are accommodating Insurtech disruption. Will that change?

Advertisement




“Insurtechs have focused on products that regulators can understand easily and for which there is clear existing legislation, with consumer protection and insurer solvency the two issues of paramount importance,” noted Shawn Hanson, litigation partner at law firm Akin Gump.

“In time, we could see the disruptors partner with reinsurers rather than primary carriers. Another possibility is the likes of Amazon, Alphabet, Facebook and Apple, with their massive balance sheets, deciding to link up with a reinsurer,” he said.

“You can imagine one of them finding a good Insurtech and buying it, much as Amazon’s purchase of Whole Foods gave it entry into the retail sector.” &

Graham Buck is a UK-based writer and has contributed to Risk & Insurance® since 1998. He can be reached at riskletters.com.