LEGAL: Preserving Cyber Insurance Coverage


ELECTRIC PERSPECTIVES, SEPTEMBER/OCTOBER 2013

LEGAL

Preserving Cyber Insurance Coverage

By J. Wylie Donald, Esq. and Jennifer Black Strutt, Esq.

J. Wylie Donald, Esq. is a partner at McCarter & English, LLP in the firm’s Insurance Coverage Group. He counsels only policyholders and has recovered millions of dollars, by settlement or judgment, on behalf of policyholder clients. Jennifer Black Strutt, Esq. is an associate in the Insurance Coverage Group as well. The views expressed herein are those of the authors.

Cybersecurity. Cyberterrorism. Cyberperil. One can hardly escape the dire warnings. The White House, in a recent cybersecurity Executive Order, stated: “The cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront. The national and economic security of the United States depends on the reliable functioning of the Nation’s critical infrastructure in the face of such threats.” Elected officials, witnesses before Congress, op-eds from retired intelligence specialists, all sound the drumbeat of the cyber threat.

The cyber threats facing electric utilities were the subject of specific testimony before Congress by Gregory C. Wilshusen, director of information security issues for the General Accounting Office. Wilshusen’s testimony, captured in “Cybersecurity: Challenges in Securing the Electricity Grid” (United States Government Accountability Office), included the following observation: “cybersecurity and industry experts have expressed concern that, if not implemented securely, modernized electricity grid systems will be vulnerable to attacks that could result in widespread loss of electrical services essential to maintaining our national economy and security.”

Unsurprisingly, the industry has responded. Electric utilities are instituting better technology, better coordination with law enforcement, better training, and better insurance—to be specific, cybersecurity insurance. Unfortunately, the reports required of a utility in order to receive coverage under its cybersecurity insurance policy may not be consistent with the realities of information distribution in the real world.

Improving Critical Infrastructure Cybersecurity

The Obama Administration has acknowledged the importance of securing critical infrastructure from cyber threats and last February issued Executive Order 13636—Improving Critical Infrastructure Cybersecurity (the “Cybersecurity Order”), which establishes a voluntary set of security standards for critical infrastructure industries, such as electric utilities. Among other things, the order directs the Executive Branch to increase the volume, timeliness, and quality of cyber threat information sharing in order to further develop a public-private partnership.

One of the primary objectives of the order is the dissemination of notifications to critical infrastructure entities that they may be the targets of cyber threats. However, it is unclear what information will be provided to an entity pursuant to the order. Dr. Andy Ozment, the White House director for cybersecurity, provided comments at the Armed Forces Communications & Electronics Association’s 4th Annual Cybersecurity Symposium that offered little guidance. Ozment indicated that, although the government recognizes the need to broadly share information, “information sharing is complicated for the government.”

While sharing information can prevent the realization of certain threats, sharing the same information too broadly may provide the sources of the cyber threats (hackers, cyberactivists, criminals, corporate spies, and foreign intelligence services) the opportunity to modify their behavior. Thus, indiscriminate dissemination of information may make it even harder to prevent a cyber attack.

Indiscriminate dissemination can be controlled with security clearances. However, as Ozment advised, the government “can’t give a clearance to everybody who needs to understand cybersecurity and operate to defend their critical infrastructure.” Even with appropriate clearances, a utility still may receive only general information concerning a potential threat. Instead of the details necessary to prepare for and prevent a crippling cyber attack, a utility might find itself the recipient of a vague notification that lacks the specificity necessary to take concrete actions to turn away the attack. In addition, the utility may meet the security requirements to receive classified reports, but those reports may be restricted from dissemination outside the organization. Failure to abide by those restrictions could result in severe penalties or even imprisonment.

One can understand the concerns of the Department of Homeland Security (DHS) or the Department of Justice (DOJ) with regard to the protection of classified information. But what happens to the targeted utility if the security threat becomes an actual attack? As noted earlier, prudent utilities use a defense in depth (technology, communication, and training) capped by insurance. Thus, in many cases, the utility will be able to defeat the attack with few or no ill effects. However, as a matter of statistics, some utilities will find all their defenses unsuccessful. In those cases, an insurance policy may be available to take the sting out of the attack.

But that policy will not be available if the insurance company concludes the utility failed to give timely notice, which may be a real risk in the context of cybersecurity.

Cybersecurity Insurance Requires Notice

A simple definition of cybersecurity insurance is a contract that covers losses arising from computer or network-based incidents. This could include physical damage to equipment, third-party liability claims, business interruption, and even reputational losses. Cybersecurity insurance has been around for several years, but this area of coverage is still developing.

To address the current scope of coverage and the possibilities for the future, DHS’s National Protection and Programs Directorate (NPPD) convened a Cybersecurity Insurance Workshop in Arlington, VA, in October 2012 for representatives of government, academia, insurers, information technology, corporate risk management, and critical infrastructure, including electric utilities. In November 2012, NPPD issued a Readout Report that identified the types of cyber risks that may be insured, including regulatory responses, network damage, and liability and costs arising out of data breaches, among others.

The Readout Report questioned whether most policies will cover physical damage from supervisory control and data acquisition (SCADA) system attacks but noted that utilities typically insure SCADA systems under standalone cyber policies, and that any physical damage resulting from a successful attack on a SCADA system should be covered by a traditional policy of property coverage. The Readout Report also discussed the challenges in finding insurance coverage for business interruption and cyber disasters, such as those that might be caused by critical infrastructure failure, terrorism, or war.

Additionally, NPPD convened a cyber-risk roundtable in May 2013 in which insurance carriers and critical infrastructure owners/operators comprised a majority of the participants. That meeting focused on a topic that had repeatedly arisen in the prior workshop and in feedback received after the publication of the Readout Report: How to build more effective cyber-risk cultures as a prerequisite to a stronger and more responsive first-party insurance market (for example, developing coverage for direct loss arising from business interruption, destruction of data and property, and reputational harm resulting from cyber risk).

Over 50 different carriers offer cyber coverages as either standalone policies or as enhancements to other standard policies. Limits in some cases can exceed $100 million, although many policies are much smaller. Coverage is “claims-made,” meaning the policyholder must report a covered claim to the insurer within the policy period or an extended reporting period (if applicable). The requirement that a policyholder provide timely, written notice of the claim is usually a condition precedent to coverage.

Policies also may ask the policyholder to provide notice of circumstances likely to give rise to a claim. Often, a “notice of circumstances” is optional, but, on occasion insurers have argued (and courts have found) that a notice of circumstances is required for coverage. Under a notice of circumstances requirement, a utility faced with a cyber threat, for example, may be expected to provide written notice that describes the circumstances of the threat and the consequences that may result, identifies the potential claimants, and explains how the utility learned of such circumstances. Court decisions have penalized policyholders that fail to provide sufficient detail concerning the potential claim. Once this information has been provided to the insurer, a claim that later arises from those circumstances will be covered under that policy. This may be of significant benefit to the utility because future exclusions or other limitations of coverage, such as higher deductibles or lower limits, will not apply to that claim.


Consideration of a Prior Cyber Advisory

Let’s take the notice of circumstances out of the vacuum and consider this insurance requirement in the context of a warning that the North American Electric Reliability Corporation (NERC) issued in February 2011. Specifically, NERC issued an unclassified “Advisory to Industry” concerning the “increase in coordinated covert cyber attacks targeting global oil, energy, and petrochemical companies, dubbed ‘Night Dragon.’” The Night Dragon attacks started in November 2009 and compromised several oil and gas companies. According to security firm McAfee, Night Dragon attacks are “designed to steal sensitive data from targeted organizations. Unlike opportunistic attacks, the perpetrators appear to be sophisticated, highly organized, and motivated in their pursuits.”

The advisory, “Night Dragon Specific Protection Measures For Consideration,” instructed chief security officers, information security officers, and industrial control system engineers to search their systems for three different command and control programs. If one or more programs were found on an entity’s system, the advisory warned that the entity’s system was compromised.


Would NERC’s Night Dragon advisory require a utility to provide a notice of circumstances? The answer to that question depends on the language of the utility’s cyber policy. The responsible individual or committee at the utility would have to consider that language as well as the specific facts of the advisory as applied to the utility. Assuming the utility has no information suggesting its systems were compromised, it is likely that the advisory would not provide the basis for reporting a notice of circumstances to an insurer. However, if the utility detects evidence of Night Dragon on its system, careful consideration of the notice of circumstances requirements might be in order. Indeed, an insurer may argue that the utility is in a position to provide the following required information:

Circumstances of the threat: The presence of Night Dragon on the policyholder’s system, indicating that the system is compromised and susceptible to further compromise.

Identity of potential claimants: The specific identity of potential claimants is unknown, but may include, among others, commercial customers, bulk power purchasers or sellers, private individuals, vendors and contractors—in short, anyone with proprietary or confidential information on the utility’s system. It may also include government regulators.

Consequences that may result: The theft and/or compromise of sensitive information possessed by the utility including, without limitation, private personal information, operation details, shared proprietary information, and financial data. The data breach may result in a first-party loss and/or third-party loss.

How the policyholder learned of the circumstance: NERC advisory regarding Night Dragon.

In sum, using the Night Dragon advisory as an example, there may be sufficient information for a utility to provide a notice of circumstances to its insurer, even if some of the responses (such as identity of claimants and potential consequences) lack specific detail.


Compliance Challenges

As a result of the Cybersecurity Order, utilities may receive more frequent warnings from the federal government regarding potential cyber threats. If and when a utility receives such a warning, the utility must determine whether (and if so, how) to provide notice to its insurer.

If the government provides specific information about the threat, the utility—theoretically—should be able to provide the level of detail required by its insurer for a notice of circumstances. In practice, however, the utility may be restricted from doing so. It is very possible that the government’s notification will be classified, and the transmission of such information to anyone who does not have a security clearance may result in fines and imprisonment. Obviously, if the utility possesses this information but does not provide the insurer with a notice of circumstances as the policy may require, the utility risks having its subsequent claim denied. Even if the notice of circumstances is not mandatory under the policy, the utility’s failure to provide written notice of circumstances may subject the utility to a future denial of a subsequent claim. For example, if the claim arises after the policy has been renewed, the insurer may deny the claim based on the “known loss” doctrine and will argue that any subsequent loss was not by chance, which is a fundamental requirement of insurance. Furthermore, even if some detail is provided, such as is the case with the Night Dragon advisory, the utility still may be unable to provide specific responses to all of the insurer’s requests concerning the notice of circumstances.

It is more likely that the government will provide an unclassified (vague) warning of a cyber threat, in which case the utility may be further inhibited from providing a notice of circumstances. Indeed, it is likely that a vague report from the government will not provide the utility with enough detail to comply with the policy’s requirements or adequately describe the circumstances of the potential threat, the likely consequences, or the expected claimants. As a result, the notice of circumstances—the carrier may assert—would not be sufficient to trigger coverage under the policy when the claim ultimately comes in. Additionally, the utility should expect that the insurer will consider any cyber threat disclosed in the notice of circumstances during policy renewal. Specifically, the insurer may add new exclusions, reduce the limits, raise the deductible, or increase the premium based upon the possible threat. If the incomplete notice of circumstances is insufficient to trigger coverage for a subsequent claim but causes the insurer to provide more limited future coverage at a higher price, the utility is harmed without any benefit.

In sum, the utility may be in a difficult position, regardless of whether the government’s report is classified or unclassified and whether the policy’s request for a notice of circumstances is optional or required for coverage.

What Happens Next?

Governmental authorities are, presumably, in the process of disseminating reports pursuant to the Cybersecurity Order. Electric utilities need to be prepared, and the first step should be to prepare a plan. Identify a person or committee responsible for reviewing the insurance program and determining what kind of notice is required under each policy. This person or group should also be responsible for reviewing all reports (with due regard to security clearances) from the government and deciding the course of action.

Government Cyber Threat Notice

Utilities may request that coverage afforded under their policies is consistent with the following draft language:

Any classified cyber threat notice received from the federal government shall be referred to the Insured’s Facility Security Officer, who shall communicate with his clearance contacts within the government for permission to disclose all or some of the notice to Insurer. Any information withheld on the basis of classification requirements shall not be used under any circumstances as a basis for any action by the Insurer to the prejudice of the Insured, including any assertion of late notice or failure to cooperate. Notwithstanding the above, should that withheld information be obtained by the Insured from a non-classified source, then all of the rights and responsibilities of the Policy shall apply.

Any non-classified cyber threat notice received from the federal government may be provided to the Insurer. If the Insurer treats the communication as a notice of circumstances sufficient to trigger coverage for a subsequent claim under the policy, the Insured shall be entitled to all rights and obligations flowing from acceptance by the Insurer of such a notice of circumstances. If the Insurer treats the communication as a notice of circumstances insufficient to trigger coverage for a subsequent claim under the policy, the Insurer shall take no action as a result of such notice (including no action to adjust for the Policy or any renewal policy rates, deductibles, coverage, or any other term or condition).

Additionally, and of equal importance, utilities should initiate a dialogue with their insurance providers. There may be a long-term benefit to clarifying the policies’ notice requirements: for example, that the insurer will not require the reporting of classified information and will agree that an insufficient notice of circumstances will not affect current or future coverage. (See the sidebar, “Government Cyber Threat Notice.”)

Finally, there is ongoing discussion among DOJ, DHS, and the Office of the Director of National Intelligence concerning the issue of cybersecurity insurance. Electric utilities should continue to participate in the discussion, including advocating for the policyholders’ viewpoint. ◆