The Sky Isn’t Falling, But the Internet Might

The potential for a cyber attack on the domestic power grid gives insurers new pause, as the Feds scramble to improve its infrastructure.

Insurance Networking News, December 9, 2011

Pat Speer

Experts say thanks to a dearth of Federal support, it isn’t a stretch to imagine a power grid cyber attack that takes out the Internet, grinding communications and businesses to a halt in the process.

The Federal government's General Accounting Office (GAO) and the Massachusetts Institute of Technology didn’t officially compare notes, but easily could have based on their research conclusions concerning U.S. power systems. Both organizations point to a power grid system that is vulnerable to attack by cyber criminals, a catastrophe that causes insurers selling business interruption coverage to cringe.

The broader GAO report, “Cybersecurity Human Capital: Initiatives Need Better Planning and Coordination,” examined threats to federal information technology (IT) infrastructure and systems, which the report says continues to grow in number and sophistication.

The report looked at the health of cybersecurity programs in eight Federal departments, and found their respective efforts to be irregular. In other words, the scale and scope of cybersecurity is not well-defined, departments are deficient in setting expectations and milestones, and training requirements are inconsistent. The report calls for more coordination among departments and tighter planning overall.

The MIT report hails a similar call, but more specifically on the power grids that fuel the Federal departments’ ability to function, and suggests that a single Federal organization be made responsible for cybersecurity in all Federal departments and agencies. This report also calls for a stronger Federal role in cross-state transmission planning. The IEEE Standards Association asserts that the most recent national energy act already gave the Federal Energy Regulatory Commission (FERC) enhanced authority to bolster key transmission corridors, and reports evidence of transmission actually getting built when the task is properly addressed.

Insurers have a huge stake in cyber attacks, whether to the power grid itself or to its distributed systems. A report issued this week by Standard & Poor’s, “Ten Years Later, Terrorism Exposure Remains an Issue for U.S. Insurance Companies,” notes that isolated terrorist attacks--those that occur in particular places such as New York or other large cities—would mean less exposure to the insurance industry as a whole.

And although the federal terrorism insurance backstop (The Terrorism Risk and Insurance Act) provides coverage for insurers that participate in the program, a massive loss, such as that posed by cybersecurity criminals hoping to damage the power grid, would be a different matter. S&P estimates that with a given insurer’s deductible, it could amount to more than one year’s worth of an insurer’s earnings.

A loss of that size, in capital erosion terms, would probably equal more than 10 percent, and “would likely” cause S&P to issue a rating action on the insurer. This dire warning relates to the cyber attack’s “contagion factor on the macroeconomic level,” which would result in insurers’ reserve and investment incomes being affected.

Indeed, in a world that is becoming an increasingly insecure place to do business, commercial lines insurers must be up to task when it comes to risk assessment and mitigation against business interruption of any kind.

Linda Conrad, director of strategic business risk at Zurich Global Corp. who leads the supply chain group in the U.S. for Zurich NA, believes that any improvements to the power grid will benefit all stakeholders. At Zurich, however, the power grid is but one risk being tracked.

“We conduct gap analysis around business continuity plans—usually around a crisis situation,” she told Insurance Networking News, “and we start with that analysis to help the client understand how to be more proactive against certain types of risk.”

For more information on related topics, visit the following channels:

• Enterprise Technologies
• Insurance Network
• Risk Management