Renewables are gaining ground, but is their cyber resilience being secured to ensure their success?
Governments worldwide have made their national climate change strategies clear. There must be an energy transition, one that sees significantly reduced use of fossil fuels and a move to alternative, greener sources, in line with global environmental, social and governance (ESG) targets. The Middle East is a key player in this global strategy, with renewable energy targets across various countries ranging from 15% to 50% of power generation by 2030 (1). The UAE, for example, is committing USD 163 billion as part of its decarbonization strategy, and Saudi Arabia recently announced it will double its previous investment intentions to more than USD 190 billion as part of “The Saudi Green Initiative” (2).
In the bid to keep up with fast-growing demand, cutting-edge innovation and rapid commercialization of technologies are being demanded. Cyber resilience, and the management of the associated risks, must be embraced in the energy transition paradigm to ensure a smarter, carbon-neutral future can be achieved and maintained. This will ensure the integrity of truly socially responsible change.
The technology behind current multi-million dollar energy projects worldwide is confidently addressing critical energy challenges, such as efficiency and decarbonization, by making greater use of data analytics. The newer SCADA systems provide smart, fully integrated renewable solutions; however, they introduce more vulnerabilities than traditional systems because they are increasingly digitally interconnected (a larger attack surface, with operational technology now reachable from corporate and vendor networks) and reliant on immature software and hardware. In addition, the energy sector continues to face a variety of escalating cyber-attacks, from ransomware (Colonial Pipeline; 2021) to insider risks. The Ponemon Report found in 2022 that companies in the Middle East and Africa experience the most insider incidents globally (3). Despite the increased threat level, fewer than half of the renewable energy firms surveyed in Saudi Arabia and the UAE in 2021 reported having a cyber resilience strategy in place, and two-thirds of the IT executives stated they had postponed or cancelled a digital transformation initiative in the previous year because of cyber risk (4).
With this in mind, all projects require careful risk assessment. The insurance industry can provide front-end risk control guidance that contributes to risk management knowledge and ultimately prevents unforeseen losses; importantly, it can also lead the response and management after a cyber incident occurs, an area in which it has vast experience.
When trying to calculate the possible fallout from a cyber incident, property damage and the ensuing loss is often a top concern for the energy and power sector. This is, of course, a very real exposure, and previous incidents have shown the potential for physical damage as a result of a successful intrusion (e.g. the German steel mill incident in 2014). There are more pressing exposures, however, that the sector needs to consider, as they will directly affect a project’s success. The 2021 NetDiligence Report highlighted how costly business interruption (BI) following a non-physical-damage cyber incident can be, with the BI share of overall claims being much higher than for any other cause of loss (5). If a project suffers a cyber incident, the entity needs to contemplate how much non-damage financial loss could be incurred with each day of downtime, across a variety of scenarios and a plethora of costs. These include:
Forensic investigation costs
Costs for data/system restoration or rectification (often taking up to 3 months)
Extra expenses incurred in finding alternative ways of keeping the project operational (e.g. alternative production sites, purchasing power on the spot market)
Possible ransom payment
Penalties for failing to supply the contractually agreed power supply
Regulatory mandates to shut down operations
Resultant loss of income
Such losses could be covered under a tailored cyber insurance policy. Questions of ownership and accountability for the operation introduce further challenges, since many of the SCADA technologies are installed, operated and serviced by various third parties. Regardless of whether a third party is delivering the service, project developers bear the responsibility for driving security into their supply chain, to support an infrastructure that the public can trust.
The risk of mishandling a cyber event should also not be underestimated. Cyber insurance policies can give entities invaluable support by granting automatic and immediate access to pre-vetted, specialist response vendors (forensics, legal, PR) at the insurer’s discounted rates in the event of a cyber incident. Not only does this improve the cost-effectiveness of the response, but also its efficiency, which has a direct positive impact on the ultimate BI claim. It also alleviates excessive involvement of senior management in such instances, minimizing further disruption to the business.
Ignorance is Bliss, Or Is It Potential Trouble?
Confidence and investment in the cyber security hygiene of a business are crucial to its success. Understanding that it is unrealistic to guarantee that no gaps exist in an entity’s cybersecurity posture is equally key. Presenting, for example, an ISO 27001 certification to lenders or investors as a sufficient guarantee of a project’s cyber security posture misses the reality of the situation. These audits are crucial, but not sufficient: they do not prescribe the minimum level of controls required to be in place, they only confirm that the controls the organization chose for itself are implemented and effective, and the certification scope the organization defines may not even include the operational technology that actually runs the plant. By its very nature, cyber risk is continuously evolving, and there is only so much certainty an organization can have when mitigating it. There will often be periods when an organization is trying to keep pace with protecting itself, and gaps will inevitably surface. As a result, an entity can only ever be sure that a certain percentage of its vulnerabilities or exposures are protected against, and this is where a tailored insurance policy can act as a safety net for the percentage that cannot be confidently accounted for.
I’m Not in Charge of Security, Why Would I Be Held Liable?
The ultimate protection of the balance sheet comes down to the directors and officers of the company, not the cybersecurity department. Directors and officers are increasingly seen as holding personal responsibility for driving and endorsing a cybersecurity risk management framework with a top-down approach, to ensure its applicability and effectiveness company-wide. When a cyber incident against an organization succeeds and results in financial or reputational loss, there are increasing examples of executive leadership being held liable for failing to address this risk, whether through an effective risk management programme or through procurement of a cyber insurance policy for additional financial protection.
Enabling a Smart, Green Future
Ultimately, insurers can play a pivotal role in providing specialist risk transfer knowledge to the power sector, drawing on a large pool of power risks that has helped develop minimum control standards and claims data, and mitigate risks along the energy value chain. Despite the rising cost of cyber insurance, a premium that offsets a multi-million-dollar loss will still be economical in providing peace of mind regarding balance sheet protection, directors’ and officers’ liability, customers and partners. Given the low cyber insurance penetration in the region, should the power sector seriously consider insurance as an additional risk transfer and crisis management tool, there are significant benefits the industry can gain, including knowledge sharing, risk mitigation and risk management.
It will be important for entities to work with advisors who understand the various cyber solutions, to ensure the policy is tailored to the entity’s business requirements and provides adequate balance sheet protection.