U.S. dams highlight protection gaps in cyber, flood insurance
Most of the 90,580 operational dams in the U.S. are not tightly regulated for cybersecurity, according to Aon and Guidewire Software.
Concerns about cyberattacks have not abated in recent months — and that’s unlikely to change going forward. While much of the recent news coverage has centered around hackers stealing personal data, there are other concerns on the horizon for the insurance industry.
What happens, for instance, if a cyberattack takes place at a hydroelectric dam? A joint whitepaper by Aon and Guidewire Software examines this scenario and what it would mean for the insurance industry if hackers opened the floodgates.
Related: Expert says technology alone cannot deter cyber risks
Understanding our nation’s dams
There are 90,580 dams in the U.S. They serve such purposes as irrigation, hydroelectric power, flood control and recreation. Ninety-three percent are owned and operated by state and local governments and private companies, meaning most U.S. dams are not tightly regulated for cybersecurity.
Many dams use automated control systems to obtain both real-time data and reaction to factors such as changes in water level or flow rates. Although some dams still rely solely on manual operations or electromechanical controls, many use a combination of sensors, automated controllers and computers to monitor and adjust water levels and flow.
The research indicates that while automation has its benefits, it comes with a certain number of risks. Hamid Firoozi, an Iranian national, highlighted such risks when he successfully breached the control system of a dam in Rye Brook, New York, in 2013.
Related: Iranians hacked from Wall Street to New York dam, U.S. says
A dam attack will send insurers reeling
If a hacker does infiltrate a dam’s control systems, the economic and societal impact will largely be determined by which dam is compromised. Aon and Guidewire analyzed the potential impacts of the scenarios at three U.S. dams, selected to reflect small, medium and large exposure value, respectively.
Residential and commercial properties will have very different insurance outcomes. Residential losses will flow almost entirely into the National Flood Insurance Program, with a negligible amount of risk covered by private flood policies. For commercial properties, results will differ between small businesses and large complex entities. Small businesses typically buy package policies that do not include flood protection; large businesses generally do obtain flood protection through their commercial property policies.
Combining residential and commercial losses, the report estimates a total insured loss impact ranging from $739 million to $9.7 billion, depending on the dam and intensity of the flooding.
Related: 5 flood insurance myths without an ounce of truth
Cyber insurance is full of leaks
Although cyber insurance products are growing quickly, they comprise less than 0.3% of the global property & casualty (P&C) market. The greater concern for the insurance industry is the potential “silent cyber” risk residing in traditional P&C policies.
Aon and Guidewire define “silent cyber” exposure as the potential for cyber risk to trigger losses on policies where coverage is unintentional, unpriced, or both. Flood policies have unintentional cyber risk because the proximate and covered cause on the policy would be the flood — not the cyberattack that causes the flood.
Insurers must consider how changing technologies can cause “established” perils such as flood to morph into new risks. Concerns about cyberattacks continue to trickle throughout the insurance industry, but what remains to be seen is if it is ready for a flood.
Related: Stormy seas ahead? Maritime industry unprepared for cyberattacks, survey says