Search
Policyholder PulsePublished on:
How the “Name-and-Shame Game” Highlights the Need of Electric Utilities for Appropriate Cyber Insurance
In late August, the Federal Energy Regulatory Commission (FERC) and North American Electric Reliability Corporation (NERC) issued a joint white paper proposing a “name-and-shame” approach to electric utilities that failing to meet NERC Critical Infrastructure Protection (CIP) Reliability Standards. The standards represent a baseline for protecting against cyber-attacks on critical infrastructures. FERC and NERC propose to depart from the historical practice of withholding most material details regarding CIP Reliability Standard violations, and instead to start disclosing the names of allegedly violating electric utilities in response to Freedom of Information Act requests—“naming and shaming them.” This development underscores the substantial cyber risks utilities face and, likewise, the importance of appropriate insurance for those risks.
Colleagues Matthew G. Jeweler, Cassie Lentchner, Robert B. Ross and Brendan Hogan (along with Richard Mroz , managing director of Resolute Strategies LLC) examine the proposal more closely in “Name-and-Shame Proposal of Electric Regulators Highlights Need for Cyber Insurance.” They also outline a few key points electric utilities should keep in mind with respect to securing the right kinds of insurance coverage for cyber-related incidents.
Packed stadiums? Check.
A data breach may cost a company millions in recovery and liability damages, but rarely does a breach force a company into bankruptcy. However, a months-long data breach at American Medical Collection Agency (AMCA) in 2018-2019 did just that, forcing its parent company, Retrieval-Master Creditors Bureau Inc., into Chapter 11 bankruptcy. AMCA has not stated whether it had cyber insurance, but the situation presented by this breach and bankruptcy filing serves as a cautionary tale for those without adequate cyber insurance coverage—or any at all.
Experts are full of advice about the importance of designing and implementing a robust cyber breach response plan. They opine frequently on its key components, such as identifying the roles and responsibilities of the response team, steps for investigating and containing the breach, internal and external communications regarding the breach and the response, and applicable legal requirements. For the most part, however, their advice focuses on the information-technology aspects of the plan, with some attention given to the roles of senior management and the legal department. But few commentators offer tips on one of the most consequential components of a cyber response plan: insurance.
Have $57 million (or more) to spare? You’re going to need it if you run afoul of the EU’s General Data Protection Regulation (GDPR) without cyber insurance.
Even when you’ve done your utmost to secure your organization’s cybersecurity—you’ve followed the advice of all the experts, you’ve checked all the boxes—you still may have an Achilles’ heel. Your cybersecurity is only as strong as its weakest point, which is often a vendor or supplier. In this context, a vendor could be anything from a cloud service provider, data processor, or IT engineer to an HR consultant, accounting firm, or health care benefits manager, while a supplier could be a key provider of manufacturing components or raw materials.
On insurance coverage issues, sometimes the boat seems to be listing in the wrong direction. For example, insurers have long tilted the decks to avoid coverage for “spoofing” attacks and similar kinds of email fraud by throwing their weight behind arguments that such transactions do not involve a “direct loss” from the use of company computers to implement a fraudulent scheme, which they claim their policies require. But in the first half of July, not one, but two federal appellate decisions—
and the internet to carry out much more complex schemes. The insurance industry has attempted to keep up with the technological evolution in the coverage it provides, but insurers have also used unclear policy language and the complexity and individualized nature of today’s fraudulent schemes to avoid covering the resulting losses. A slew of courts over the past few years have decided whether crime policies—particularly those with a computer fraud coverage component—cover complex, technology-related fraudulent schemes. The Eleventh Circuit recently joined the fray and ruled that computer fraud coverage did not apply to a policyholder’s $11 million loss.
Artificial Intelligence (AI) is a hot topic in industries from manufacturing to the medical profession. Developments in the last