Special Series: Managing Insurance Risks Takes On Greater Significance With Natural Disasters, Cyber Attacks - Part One

Per member requests, the American Public Power Association presents this in-depth Public Power Current newsletter series on managing insurance risks. Thank you to the utility systems and industry experts for their contributions about what is happening in the insurance market that is affecting policy coverage and prices (Part 1); types of “best practices” utilities can utilize to minimize their exposure (Part 2); and what potential alternatives may be available to help in a challenging insurance market (Part 3). 

Risks to utility operations are rising and with them the cost of insurance is rising too.

In this environment, it can be difficult for a public power utility to retain essential insurance coverage while containing costs. The fact of the matter is that insurance companies have had to make large payouts to customers who have suffered massive losses.

Losses from natural disaster hit $133 billion in 2017, a historic high, according to the Insurance Information Institute. That year saw a deadly combination of hurricanes – Harvey, Maria and Irma – as well as costly California wildfires. Losses due to natural catastrophe fell in 2018 and 2019, but rose again in 2020, hitting $74.4 billion, an 88 percent increase from $39.6 billion of losses in 2019.

In 2020, the most costly losses came from storms and cyclones, which accounted for about 75 percent of the $119 billion in losses, followed by wildfires, accounting for nearly 20 percent of losses, and flooding, which accounted for 4 percent of losses, according to the Insurance Information Institute.

Insurance company SwissRe ranked 2020 as the fifth costliest year on record since 1970 for the insurance industry with global losses totaling $83 billion. The losses were driven by a record number of severe convective storms (thunderstorms with tornadoes, floods and hail) and wildfires in the United States. Those and other secondary events around the world accounted for 70 percent of the $76 billion of insured losses from natural catastrophes, the institute said.

In order to recapitalize after those losses, insurance companies have a few options that are not necessarily exclusive of each other. They can increase the premiums they charge customers, or they can raise the bar in terms of which entities they will insure.

“Insurance carriers have been affected by storms and claim payouts for their insureds, social inflation, and record setting verdicts,” Ryan Weber, vice president at Marsh USA, said. Pricing has increased the past 15 consecutive quarters, he noted.

The good news, Weber said, is that there were signs in the second quarter that the market could be adjusting in insureds’ favor for coverage lines such as property and liability. “Cyber liability pricing appears to be heading in the wrong direction, however, due to the severity and frequency of the recent cyber breaches in 2021,” Weber said.

The cyber ransomware attack on Colonial Pipeline in the U.S. earlier this year, as well as other ransomware attacks, has resulted in increased attention to the risk insurance market. Colonial Pipeline is the largest refined products pipeline in the United States, transporting more than 100 million gallons of fuel daily to meet the energy needs of consumers from Houston, Texas to the New York Harbor.

In May 2021, the Government Accountability Office (GAO) issued a report on cyber insurance. It said that key trends in the current market for cyber insurance include the following:

• Increasing take-up: data from a global insurance broker indicate its clients’ take-up rate (proportion of existing clients electing coverage) for cyber insurance rose from 26 percent in 2016 to 47 percent in 2020.
• Price increases: industry sources said higher prices have coincided with increased demand and higher insurer costs from more frequent and severe cyberattacks. “In a recent survey of insurance brokers, more than half of respondents’ clients saw prices go up 10–30 percent in late 2020,” the report said.
• Lower coverage limits: industry representatives told GAO the growing number of cyberattacks led insurers to reduce coverage limits for some industry sectors, such as healthcare and education.
• Cyber-specific policies: insurers increasingly have offered policies specific to cyber risk, rather than including that risk in packages with other coverage. This shift reflects a desire for more clarity on what is covered and for higher cyber-specific coverage limits.

Meanwhile, in a recent podcast, CAC Specialty’s Adam Lantrip addressed the current cyber insurance market, recent ransomware events, and some tips for coordinating insurance and the technology and legal venders who assist companies in responding to attacks.

CAC Specialty is a specialty insurance brokerage firm.

“Where things are going is clients are going to have to demonstrate a much higher baseline level of security in order to qualify for coverage,” said Lantrip on the podcast. Lantrip is CAC’s senior vice president for professional liability and cyber practice leader.

A year and a half ago, “we could have taken just about any company into the marketplace with whatever their controls were and probably been able to get them a pretty good option from somebody in the insurance marketplace,” Lantrip said.

“Today, we’re seeing clients that we would objectively think are generally pretty good risks but they’re answering ‘no’ to one or two or three very specific questions about their security posture and those ‘no’ responses” are resulting in an automatic refusal “from a huge section of the marketplace.” When that happens, “the ability to get coverage starts to shrink.”

A robust cybersecurity insurance market could help reduce the number of successful cyberattacks by: (1) promoting the adoption of preventative measures in return for more coverage; and (2) encouraging the implementation of best practices by basing premiums on an insured’s level of self-protection, notes the U.S Cybersecurity and Infrastructure Security Agency (CISA), which is part of the Department of Homeland Security.

“Many companies forego available policies, however, citing as rationales the perceived high cost of those policies, confusion about what they cover, and uncertainty that their organizations will suffer a cyberattack,” in recent years CISA says. CISA has engaged key stakeholders to address this emerging cyber risk area.

Since 2012, CISA has engaged academia, infrastructure owners and operators, insurers, chief information security officers (CISOs), risk managers, and others to find ways to expand the cybersecurity insurance market’s ability to address this emerging cyber risk area. More broadly, CISA has sought input from these same stakeholders on the market’s potential to encourage businesses to improve their cybersecurity in return for more coverage at more affordable rates. 

CISA is currently facilitating dialogue with CISOs, Chief Security Officers, and insurers about how a cyber incident data repository could foster both the identification of emerging cybersecurity best practices across sectors and the development of new cybersecurity insurance policies that “reward” businesses for adopting and enforcing those best practices.

In Part 2, tomorrow, we will explore some of the “best practices” utilities have undertaken to minimize their exposure to higher insurance rates.

APPA Resources

APPA has numerous member resources available to help risk managers.

• APPA’s September 19-22 Business & Financial Conference will include a dedicated Risk Management & Insurance track – including a newly added presentation on cyber insurance and ransomware attacks.
• APPA hosts an interactive risk management group listserv to obtain and share relevant information.
• APPA will soon be issuing a first-ever member survey to solicit information on risk assessment and insurance coverage. Survey responses will be requested by September 30.  Results will be summarized and made available free of charge to APPA members.
• APPA hosts a security topic page on our website with a number of free resources linked in the sidebar for download. Members can also join the Cybersecurity Defense Community and take advantage of APPA’s partnership with Axio360.