BBC: Power Companies Being Turned Away for Cyber-Attack Insurance

Mar 3, 2014

Share this News

The BBC reported late last week about a troubling trend plaguing the nation's power companies: these are increasingly applying for insurance cover against cyber-attacks but are being turned away in large numbers.  According to the BBC, the main problem power companies are encountering is that insurance company audits that show their cyber defences are too weak, thus exposing underwriters to unreasonable risk. Lloyd's of London told the BBC that it has experienced a recent surge in the demand for cyber-attack cover among energy sector companies. No reason was given for the surge, but some believe increased threats from the cyber terrorism community are partly to blame.  Energy companies afraid of computer and infrastructure damage relating to a cyber-attack might be hoping to lean on insurance should a devastating attack occur.

Insufficient Security

When an energy company applies for cyber-attack cover, its current systems are audited in order to determine the level of risk that the insurance underwriter will be exposed to.  If current security measures are deemed insufficient, insurance cover will not be granted.  Unfortunately, the state of the power industry is one where insufficient security is the norm. According to the BBC, the biggest problem is with outdated software created to manage power utilities long before the Internet reached worldwide dominance.  One of the main pieces of management software now being used, known as Supervisory Control and Data Acquisition (SCADA), provides far too many loopholes for hackers thanks to insufficient networking defences.  Closing those loopholes is a nearly insurmountable task due to the age of the software. Making matters worse is the drive to link multiple power stations to a single, remote control centre via Internet connections.  Treated individually, security management would be fairly straightforward and highly successful.  Nevertheless, once Internet connections are involved, every power station linked to the system becomes vulnerable.  Until the energy sector can address these serious security concerns, getting insurance is going to be challenging.

A Larger Issue

In our minds, the insurance troubles being experienced by the energy sector leads to questions of a larger issue.  What is that larger issue?  It is one of similar security concerns across nearly every sector where companies and stakeholders are still using outdated software and hardware without the capability to defend against large-scale cyber-attacks.  In other words, this issue is not limited only to energy companies. While it's true the average data centre is more than equipped to handle even the most serious cyber-attacks, what about small companies with multiple locations connected to a central networking hub?  From the car repair chain to an attorney with multiple urban locations, any business or organisation that has not given serious consideration to upgrading computer systems could find itself at risk. The threat of cyber-attacks is no longer something of films and night-time television.  It is very real.  Any entity utilising Internet connections of any type needs to take it seriously if it wants to protect itself, insurance cover notwithstanding.


Source:  BBC –