Cyber attacks are a growing threat to the financial health of community solar projects.
The growth of distributed energy resources (DER) has made large-scale renewable energy projects more vulnerable to cyber attack. In the event of a cyber attack, in addition to lost revenue, community solar projects can also involve the breach of personally identifiable information (PII), which triggers costly compliance with new data privacy laws.
New consumer protection laws place significant burden on community solar developers to notify consumers of the breach, or even a potential breach, or face fines.
The good news is that cyber liability policies can provide monetary and technical support for community solar developers. Indeed, cyber coverage can reduce the cost of a data breach by $160,000, as described below.
Community solar developers should know the five cyber liability cost factors and require both 1st and 3rd party cyber liability to protect their solar projects, assets and customer data.
Expansion of Distributed Energy Resources (DER)
A recent Smart Electric Power Alliance (SEPA) article noted that distributed energy resources (DERs), such as microgrids, smart meters, intelligent devices, commercial and residential rooftop solar, and battery energy storage systems, are making the grid more vulnerable to cyber attack.
The growth of DERs broadens the “attack surface” of the smart grid, giving hackers more ways to enter the network, access data and control physical assets.
Community solar projects can be “soft” targets for ransomware and for the collection of private consumer data.
As described below, cyber attacks on the grid are becoming more common and can be potentially severe.
How Common Is Cyber Attack On The Grid?
The Ponemon Institute / IBM Security report cited below attributes the causes of data breaches to the following security factors:
- 51% due to malicious attack
- 25% due to system glitches
- 24% due to human error
These potentially overlapping factors make it difficult to protect our grid. The following are some examples of cyber attacks on distributed energy resources, renewable energy assets and the grid:
- In the spring of 2019, hackers hit Sustainable Power Group (aka “sPower”), one of the largest renewable energy developers in the U.S., with a denial of service attack. Hackers attacked an unpatched firewall from Cisco Systems, gaining access to sPower’s infrastructure. The attack disrupted communications with sPower’s solar and wind installations, leaving the company unable to communicate with its assets. While sPower was able to keep the attack from escalating, such attacks create potentially large exposures such as property damage, physical injury, or death.
- In 2017, Willem Westerhof found 17 cyber vulnerabilities in commercial solar inverters allowing a hacker to alter the flow of direct and/or indirect current on a large scale. Some solar industry professionals are concerned that 47% of solar inverters are manufactured in China by companies such as Huawei. Huawei has been under scrutiny by the U.S. government as an agent of China’s efforts to hack U.S. technology infrastructure.
- In December 2015, Russian hackers attacked Ukraine’s energy infrastructure, gaining unprecedented control of the country’s utility systems. The attack left approximately 20% of Kiev, over 250,000 people, with no power. The Russian attack on Ukraine also included a coordinated denial of service attack on the customer service call centers to prevent customers from gaining information about the status of the power outage.
- Solar operations and maintenance (O&M) providers and other system vendors can be a weak link in cyber security. While it was not a community solar attack, the proximate cause of the 2013 Target breach, one of the largest in history, was a hack on its HVAC vendor. Hackers accessed a list of Target’s maintenance vendors through the company’s “supplier portal” and sent phishing emails to each. According to Krebs on Security, an employee at Fazio Mechanical, a heating, ventilation and air conditioning (HVAC) vendor that worked for Target, clicked on a phishing email which downloaded trojan software onto Fazio’s computers. Because Target’s payment system network was not properly segmented from Target’s external network, hackers gained access and breached 400 million customer records. The hack was not detected for weeks.
Grid security is more important than ever, and efforts are being made to standardize DER and solar equipment, such as solar inverters, through IEEE Standard 1547-2018.
However, if your community solar business was shut down involuntarily by a cyber attack and lost revenue, would you be able to pay for the costs of breach compliance and recover your lost business income?
Cyber Insurance Reduces Cost of Cyber Attack
New data privacy and consumer protection laws such as the California Consumer Privacy Act (CCPA) and the New York SHIELD Act are expensive to comply with because they require community solar developers to notify affected customers in the event of a cyber attack.
The cost of a data breach in 2019 varies by country.
According to the Ponemon Institute, the U.S. is the most expensive country for cleaning up a data breach, at $8,190,000 per breach.[1]
The Ponemon Institute and IBM Security estimate that the global average is $3,920,000 across all countries in the study.
As can be seen from the chart below, several risk management strategies can be put in place to reduce the cost of a breach. For example, the report notes that having proper insurance protection can reduce the cost of a breach by $160,000.
Other measures that can significantly reduce the cost of a cyber breach include forming an incident response (IR) team and using security analytics.
All of these risk reduction strategies can be implemented in partnership with a knowledgeable insurance broker who helps assess exposures and build a cyber risk management process with a cyber liability insurance carrier.
The Cost of Cyber Liability Insurance
To determine the potential cost of cyber liability insurance for your business, consider two factors:
- Your operations exposure.
- The amount of coverage you want.
Evaluate your project operations exposure considering the following questions:
- Revenue: What is the size of your business? For instance, a business that has over 1,000,000 customers and $10,000,000 in revenue will have greater exposure than a startup with $750,000 in revenue and 5 customers.
- Data: What type of data is collected and stored? NIST defines personally identifiable information (PII) as information that can be used to distinguish or trace the identity of an individual (e.g., name, social security number, biometric records, etc.) alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual (e.g., date and place of birth, mother’s maiden name, etc.).
- Encryption: How is your data treated throughout your operation? Is all your data encrypted while in transit and at rest?
- Access: Who has access to consumer and network data? As mentioned above, the more people who have access to your network and data, the greater the chance your data is at risk.
- Training: What security training protocols are in place for employees and vendors to avoid cyber risks? A study by the Ponemon Institute found that employee phishing email awareness training has a huge return on investment for companies that invest in it. As mentioned above, it could have saved Target millions of dollars to have trained their HVAC vendors about phishing emails.
- Security: How is your network and data segmented (and compartmentalized) across the operation?
- Past incidents: Has your business experienced any cyber incidents in the past?
Amount of Coverage and Retention:
Evaluate the amount of coverage and retention you want considering the following questions:
- Coverage: What coverage limit do you require? Cyber liability limits often start at $1,000,000 for 3rd party coverages such as network security liability, regulatory defense and penalties, multimedia content liability, and PCI fines and assessments. Limits are also needed for 1st party coverages such as breach response, crisis management and public relations costs, cyber extortion (i.e. ransomware), digital asset restoration, and business interruption and extra expenses.
- Retentions: What retention do you require? Retention is a self-insured limit of insurance, similar to a deductible. Retentions can range from $2,500-$10,000 and up.
- Endorsements: Coverage endorsements can increase or decrease coverage. Check your cyber liability endorsements for coverage for bodily injury and property damage for 1st and 3rd parties.
No two cyber liability policies are the same, so caveat emptor.[2] There is a correlation between a lower-priced policy and a policy with less coverage.
For small to medium-sized businesses ($1,000,000 to $50,000,000 in revenue), the cost of cyber liability insurance ranges from less than $1,000 to $20,000 in premium per year and up.
For larger organizations (over $1 billion in revenue), premiums of $100,000 and higher are not uncommon.
However, as having cyber liability insurance can reduce the cost of a data breach or other hacking event, the premiums are a fraction of the cost of the alternative when it comes to protecting your business’s financial health and reputation.
Do You Think Cyber Liability Insurance Is Worth It?
For community solar developers, having cyber liability insurance can reduce the cost of a breach by as much as $160,000.
The alternative to having cyber insurance is to set aside millions of dollars in retained earnings to pay for the costs associated with addressing a 1st or 3rd party cyber breach.
Unfortunately, many community solar developers are unaware that they are at risk. To make matters worse, they rely on IT or product vendors to assure them that their networks and systems are secure, but they have not thoroughly read their vendor agreements for proper indemnification and risk transfer. Vendor agreements usually include hold harmless language that favors the vendor, not the client.
Then a cyber breach happens.
You could be sleeping better at night knowing you have insurance that would decrease the amount of work you have to do and protect your bottom line in the event of a breach.
[1] According to a report by the Ponemon Institute and IBM Security.
[2] Read your insurance policy, or have your broker do it for you.