In today’s cyber risk climate, water and wastewater utilities operators have discovered they are especially susceptible to cyber threats. The Oldsmar incident of 2021, in which hackers attempted to compromise the Florida town’s main water treatment plant, emphasized just how vulnerable this sector is. Such cyber-physical attacks on under-resourced critical infrastructure organizations have accelerated the growing need for cyber risk insurance. In 2021, insurers paid out significant claims due to ransomware attacks and are now requiring water utilities to meet more stringent cybersecurity requirements. Resources such as those made available by the American Water Works Association (AWWA), which assess the maturity of water and wastewater cybersecurity programs, can serve as a valuable first step for these organizations to build better cyber resilience despite underfunding or understaffing. When developing a cybersecurity program, a measured balance of technology and insurance is pivotal to success. In this article, we walk through the cyber insurance problems water utilities are currently facing, why it’s imperative these issues are addressed and discuss what actions will improve cyber insurability.
The challenge of cyber insurance
Many smaller state and local organizations have limited resources, and the resources they do have are prioritized around performing their core functions (i.e., maintaining citizens’ access to clean water), not for cybersecurity. Yet, in 2022 there’s increased demand for cyber insurance after the many high-profile ransomware attacks of the past few years, and many organizations have realized the need to supplement their technology controls with risk transfer mechanisms like cyber insurance. Pre-COVID, a cyber insurance policy was typically attainable via a simple questionnaire application. At present, however, the exigent ransomware climate has complicated the process for insurers, as they cannot afford to be as lenient as yesteryear. Underwriting a cyber insurance policy exposes insurers to greater risk than it has in the past, and water utilities face more stringent cybersecurity requirements to qualify. These requirements include secure access management programs for protecting administrative credentials with privileged accounts, as well as endpoint detection and response tools. VP of Digital Infrastructure and Security at American Water, Nick Santillo, spoke recently at the National Association of Water Companies (NAWC) conference, saying “There are a lot of companies that have gone through renewals and ended up either becoming uninsurable or implementing some new controls just to get to the point of being insurable.” When we consider the cyber threat landscape in recent years and look towards the future, we can safely assume that insurance premiums will only continue to skyrocket.
Water utilities in the US are a major part of the macro critical infrastructure sector. There are over 52,000 drinking water and 16,000 wastewater systems in the United States. Over 80 percent of the US population receives potable water from these systems, and 75 percent of the US population has its sanitary sewage treated by these wastewater systems. The inability to deliver these services would be devastating. Insurance in any industry exists as a means to transfer risks that businesses can’t accept or are unable to mitigate through compulsory controls, and the need to financially insure critical assets like water and wastewater organizations from cyber-attacks is not optional. With the expanding digitization of our world, insurers increasingly require improved visibility into policyholders’ cyber programs and a better approach to modelling the impact of potential cyber events. So, what is the solution?
Maturity assessments and quantified risk scenarios
We’ve mentioned that the AWWA provides resources, including assessment tools, for these water and wastewater organizations to shore up their cybersecurity programs. A cyber risk assessment enables you to see how your cybersecurity program is performing and where your gaps are. Knowing the gaps in your program makes it easier to start brainstorming the cyber risk scenarios to which you are more susceptible. Additionally, we recommend a comprehensive view of quantified risk scenarios, which can help prioritize the cybersecurity initiatives that will lead to the most meaningful risk reduction. A quantified ransomware attack scenario reveals which controls may be necessary to reduce the impact range if an event occurs. For insurers, a cybersecurity assessment only provides a snapshot in time and is only one part of the solution they need to certify insurability. Cyber risk quantification completes the picture, giving insight into improvements and initiatives that should be prioritized within the program. With cyber risk assessment and cyber risk quantification, water utilities and other critical infrastructure organizations can choose the most cost-effective way to not only document their cybersecurity program for insurers, but also select which improvements best reduce risk using information broken down into financial terms.