More water companies are finding they are uninsurable as ransomware attacks against the sector grow, water utility and association executives said Wednesday.
Insurers are increasingly requiring water utilities to meet stringent cybersecurity requirements to even consider insuring them, said Nick Santillo, the vice president for digital infrastructure and security at American Water, a public utility. These requirements include a strong secure access management program for protecting administrative credentials with privileged accounts, as well as endpoint detection and response tools.
“There are a lot of companies that have gone through their renewals and ended up either becoming uninsurable or have implemented some new controls in order just to get to the point of being insurable,” Santillo told an audience of water company executives gathered in Washington, D.C. for a National Association of Water Companies (NAWC) conference.
The scope of what insurers are covering is also narrowing as costs go up, said Kevin Morley, the manager of federal relations at the American Water Works Association.
CEOs of major insurance companies said last year that cyber insurance premiums sector-wide had spiked dramatically, with AIG’s chief executive saying rates increased by 40% while Chubb CEO Evan Greenberg said his company’s rates were increasing sharply yet still didn’t properly capture the risk posed by a major cyber event.
Ransomware is driving most of the cyber insurance woes, accounting for 75% of all cyber insurance claims in the summer of 2021 compared to 55% in 2016, according to the credit ratings agency AM Best.
Adding to the difficulty of assessing the risks the water sector faces from ransomware is the fact that some water companies don’t report ransomware incidents, said Elke Sobieraj, the director for critical infrastructure cybersecurity at the White House’s National Security Council.
“We just don’t know what we don’t know,” Sobieraj said in an interview with CyberScoop. “A water utility could be attacked and not report it to the FBI, especially if it’s a smaller entity.”
Sobieraj said the White House is focused on liability protection so that water companies feel they can report to the EPA, CISA or the FBI and “understand they are protected, their name won’t be out there that they had an incident.”
She hailed the passage of a cyber incident reporting bill in March, which requires critical infrastructure entities like water companies to report incidents to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency within 72 hours.
The insurance crisis the water sector faces is being discussed in water company boardrooms nationwide, said Rob Powelson, the president and CEO of NAWC.
“The insurance markets can’t sustain paying for these ransomware attacks over time,” Powelson said. “Your average ransomware attack is running between $5 to $8 million … What if you have four of them within one fiscal year? How can an insurer in good conscience be able to make those payments?”
Powelson said it is likely inevitable that the costs of ransomware attacks and insuring against them will be passed on to consumers over time, particularly since many water companies are supported by private investors.
He said the water sector in particular faces difficulty even tracking how large a problem ransomware is because of fragmentation. There are 51,000 drinking water systems nationwide, he said, compared to 3,200 electric distribution companies. An estimated 85% of water companies are municipal, and many are very small.
Powelson said he was pleased the insurance industry participated in a cybersecurity summit the White House convened in the summer.
“It was important because that is something that is kind of a looming issue that could have a profound impact,” he said.