Global cyber losses have increased exponentially in the last five years and are set to continue rising to an estimated $6 trillion next year, a 1400% increase since 2015.
As the reliance of the renewable energy sector on digital technology and monitoring systems has increased during the global lockdown, we spoke to GCube Senior Analyst Geoffrey Taunton-Collins for his take on some of the main messages for GCube’s insureds.
Compared to ‘Nat Cat’ risks there has been little conversation in the renewables insurance market around cyber threats. Could you tell us the impact cyber risks have had on projects in recent years?
Much like ‘Nat Cat’ events cyber-risks have increased in regularity and severity over the last few years, but at an exponentially faster rate due to the growth in digital technologies. Within the renewable energy industry we’ve seen major utilities and energy firms repeatedly coming under attack from malicious software which have targeted communications and control systems.
Cyber-attacks in the renewable energy space have been under-reported, but from our private conversations with renewable energy stakeholders we know that the true scale of the problem is greater than meets the eye. As the sector continues to expand and operate on increasingly integrated systems and online networks owners remain at high risk of cyber-attacks and ransomware.
The numbers substantiate this. Global losses due to cyber-risks were estimated to be over $2 trillion in 2019 compared to $150bn from natural catastrophe losses. Cyber security and cyber coverage in many industries, including renewables, has not kept pace, and many projects are still under-protected despite the increase in risk. In 2019, the global cyber insurance market was only worth approximately $5bn compared to the global natural catastrophe insurance market which was worth over $140bn.
Has the coronavirus impacted the level of cyber risk for the renewable energy sector?
Not directly, but renewable energy companies which have relied more heavily on digital systems for tasks such as performance monitoring, financial reporting, and communications during the lockdown will have increased their vulnerability to cyber threats. This is especially true for projects which continue to operate on open networks or unprotected intranet sites and lack more sophisticated cyber risk mitigation measures.
It is telling that since the lockdown began, we have seen an increase in interest from a number of independent power producers – including Eolenerg and Molly Wind Ltd – for cover which can mitigate financial exposure to non-damage events such as cyber-attacks. Though cyber-attacks remain a relatively low-incidence risk, financial losses when an incident does occur can be very high, particularly given that one attack can shut down an entire project.
What are the most common cyber threats that a renewable energy asset owner may encounter?
There are a number of relatively common cyber threats to a renewable energy project. For example, ransomware and other forms of extortion occur fairly frequently, where hackers encrypt data, often with military grade algorithms, and demand a large financial payoff to restore your data. This situation has impacted multiple renewable energy projects including French tidal project Sabella in 2016 and Norsk Hydro in 2019. In many instances, companies have chosen not to pay the ransom and instead replace their computer systems, but this can take weeks to fully recover from and potentially result in additional incremental losses.
Another example is the attack on sPower in 2019 which was a result of a security breach in the form of a denial-of service attack which left them blind to half a GW of operational assets – though this can also be caused by administrative error as was the case with TSB in 2019.
How can Insureds protect themselves from cyber risks?
Not all cyber risks come from external sources. Many cyber losses are down to basic administrative error such as accidental data deletion or hardware loss. These are easier to prevent than external hacking and insureds should incorporate IT security best practices such as the installation of backup and recovery software. Though this may sound obvious its vital that renewable energy firms don’t overlook these basic steps as internal errors have the potential to cause just as much financial or reputational damage.
That being said, renewable energy projects are particularly vulnerable to two main external cyber risks: ransomware and the corruption of SCADA data. Depending on the nature of the data breach these can result in losses ranging from data restoration costs to liability claims and business interruption as a result of project downtime.
GCube is prepared to pay ransoms quickly in cases where hackers threaten to publish sensitive data or block access to project management systems. But investment in front-line data protection software such as firewalls and antivirus and malware detection is key to mitigating the risk of incidents occurring in the long-term.
Sophisticated cyber-attacks can still breach front-line data protection software however and to ensure that data is fully protected insureds should also consider investing in cyber insurance which can provide cover for loss of revenue and incidental expenses.
What kind of losses are covered by GCube’s Cyber Risk product?
Our first-in-market cyber risk product is designed specifically to financially safeguard insureds worldwide from cyber-attacks on proprietary or third-party IT or OT (operational technology) systems. As different projects have different exposures our cover can be tailored to meet Insureds’ needs and offers high financial capacity for any one project or risk along with self-insured retention.
Our cyber risk product is available globally and provides Insureds with cover for loss of revenue across a range of non-damage event circumstances, including:
– Non-damage events leading to Business Interruption and Contingent Business Interruption
– Ransomware and cyber extortion
– Digital asset destruction – including loss of use or theft of SCADA data
– Incident Response Expenses