Takeaways

The staffs of the Federal Energy Regulatory Commission (FERC) and North American Electric Reliability Corporation (NERC) in late August issued a joint white paper (White Paper) proposing to “name and shame” electric utilities violating NERC Critical Infrastructure Protection (CIP) Reliability Standards.
Comments on the White Paper indicate stakeholders are split on its merits, with some predicting that its approach will invite rather than prevent cyberattacks on the bulk power system.
The significant cybersecurity risks animating FERC/NERC’s name-and-shame proposal merit electric utilities taking a hard look to ensure they have adequate insurance coverage against cyberattacks.

On August 27, 2019, FERC and NERC staffs issued a Joint Staff White Paper on Notices of Penalty Pertaining to Violations of Critical Infrastructure Protection Reliability Standards. In that White Paper, FERC/NERC staffs propose departing from FERC’s historical practice of withholding most material details regarding CIP Reliability Standard violations. FERC has recently signaled an appetite to depart from that practice by disclosing the names of a handful of allegedly violating electric utilities in response to Freedom of Information Act (FOIA) requests.

FERC/NERC staff now recommend that exceptional practice become the rule. Specifically, the White Paper proposes that each CIP Notice of Penalty (CIP NOP) NERC submits to FERC for endorsement would consist of two documents:

  • A public cover sheet identifying certain material details—including the name of the electric utility, a high-level description of the specific CIP Reliability Standard violated, and the amount of penalty—for each violation; and
  • A confidential attachment providing other information regarding the violation, including detailed information on the facts surrounding the violation and mitigation actions taken by the electric utility.

(NERC itself does not directly impose penalties on registered entities, but instead issues CIP NOPs proposing penalties that are subsequently endorsed by FERC.) The White Paper assures that any change in practice adopted by NERC and FERC would be implemented on a going-forward basis to CIP NOPs submitted to FERC after adoption of the White Paper’s proposal.

FERC received over 80 comments on the White Paper before the end of the comment period on October 28. (Although the FERC Commissioners themselves did not vote to approve the White Paper, a majority of the Commission has publicly endorsed its approach.) Stakeholders may get another opportunity to comment on the White Paper’s proposals if FERC/NERC later decide to adopt them formally.

Striking a New Balance Between Transparency and Security

The White Paper responds to an “unprecedented” number of FOIA requests for information on alleged violations—many of them requesting the name of offending electric utilities. The White Paper suggests that FERC staff is having difficulty processing those FOIA requests in a consistent manner: FERC staff must comb through the contents of each CIP NOP to discriminate between information meriting confidentiality as Critical Energy Infrastructure Information (CEII) and information that can be released to the public. This time-consuming, subjective process has satisfied neither industry nor public advocacy groups.

The White Paper strikes a new balance between transparency and security. FERC/NERC staff contend that transparency would be improved by a new, public cover sheet containing enough information to assist the public in determining which electric utilities have robust compliance programs. Similarly, the new, confidential attachment would improve security by (1) reducing the potential for inadvertent release of sensitive information resulting from FERC staff’s case-by-case evaluation of CIP NOP contents in response to FOIA requests and (2) by requiring mitigation measures to be in place before NERC submits CIP NOPs to FERC for endorsement.

But Not Everyone Is Convinced the White Paper Strikes the Right Balance

Reaction to the White Paper was mixed. Some public advocacy groups and state government officials welcomed the White Paper as a first step in improving accountability of electric utilities for CIP Reliability Standard violations. In contrast, several electric utility trade associations and the U.S. Department of Energy called for FERC and NERC to avoid disclosing electric utilities’ names, lest highlighting utility-specific vulnerabilities in the bulk power system make it easier for hackers to plan and execute future cybersecurity attacks.

The White Paper Underscores the High Stakes Involved in Electric Utilities’ Insurance For Cyberattacks

The debate over the effectiveness of the White Paper’s name-and-shame approach in preventing cyberattacks on the bulk power system underscores the substantial cyber risks utilities face and, likewise, the importance of appropriate insurance for those cyber risks. Electric utilities should keep in mind a few key points with respect to coverage for cyber-related incidents:

  • Traditional insurance should not be counted on to cover losses resulting from cybersecurity attacks. A cyberattack on an electric utility can result in significant liability from many sources, including (inter alia) disclosure of sensitive customer or employee information, disruption of business operations from ransomware, and interruption of businesses dependent on supplied electricity. In response to these new and significant potential sources of liability, many insurers have added exclusions to traditional insurance policies that eliminate coverage for many cyber events. For example, physical damage to a utility’s generation, transmission, or distribution equipment or other property arising out of a cyberattack could fall within an uncovered “gap” between property coverage and cyber coverage. Coverage for physical damage stemming from a cyberattack is of critical importance to utilities, which are prime targets for cybercriminals and other bad actors looking to wreak havoc on the grid. Coverage is sometimes available for certain types of cyber incidents under traditional policies, but policyholders should not rely on traditional insurance as a sole risk mitigation strategy for these types of issues.
  • New insurance products could fill in coverage gaps for the fast-evolving cybersecurity threat. Some insurers have identified cybersecurity coverage gaps as a business opportunity for new insurance products. But the fast-evolving nature of the cybersecurity threat to electric utilities underscores the difficulty in designing cyber policy terms and conditions, setting limits and premiums, and adequately protecting the policyholders’ interests.
  • Cyber policies do not cover all things “cyber,” but rather contain several coverage grants, each of which provides coverage for different potential losses. Coverage grants may include the following:
      • First-Party (Policyholder) Loss Coverage. This may include coverage of (1) damage to property caused by a cyber incident, though coverage may be limited to intangible property such as lost data; (2) losses from interruption to business caused by a cyber incident; (3) losses caused by theft, extortion, or fraud arising out of a cyber incident; (4) costs to reconstruct or recover data lost in a cyber incident; or (5) costs incurred to investigate a cyber incident.
      • Third-Party Liability Coverage. This may include (1) defense and indemnity for claims by third parties arising out of a cyber incident or (2) defense and indemnity for regulatory proceedings arising out of a cyber incident.
  • Policyholders should carefully review policy wordings and sub-limits to ensure that coverage matches expectations. Because the cyber insurance market is still developing and constantly evolving, coverage grants tend to vary significantly between insurers, so policyholders need to compare wordings carefully. In particular, policyholders should carefully review sub-limits that may apply to specific coverages to ensure that the limits for a particular coverage match their expectations and risk exposure. Additionally, policyholders should become familiar with the triggering event necessary for the specific coverages – for example, some policies provide regulatory coverage upon receipt of a subpoena or other similar document, whereas other policies provide coverage only once a more formal claim has been filed, which can be well after the insured has incurred substantial defense costs.
  • Cyber policies may provide reimbursement for defense costs incurred as part of a FERC or NERC investigation. While each claim needs to be reviewed individually, cyber insurance may provide valuable resources for responding to these investigations, if the investigation was triggered by a cyber incident (rather than a routine investigation or audit).

The White Paper’s proposed name-and-shame approach could also introduce a new wrinkle in negotiations between electric utilities and insurers over cyber coverage. Disclosure of a pattern of cybersecurity-related CIP violations by an electric utility may prompt regulators to demand the utility obtain robust cyber coverage. Similarly, a pattern of CIP violations by an electric utility may lead to insurers demanding higher premiums, offering smaller limits, imposing additional coverage limitations/exclusions, or refusing to insure a utility altogether.

Conclusion

Electric utilities are increasingly the target of cyberattacks. FERC/NERC’s White Paper is one response to that threat—but it could have secondary effects for risk management tools such as insurance products. Pillsbury’s experienced insurance coverage attorneys are available to assist corporate policyholders in the negotiation of cyber coverage or in connection with coverage claims arising out of cyber incidents. And Pillsbury’s energy regulatory attorneys are available to assist clients in monitoring relevant FERC dockets for changes in FERC/NERC’s practice regarding CIP NOPs and cybersecurity issues.

* Richard Mroz is managing director of Resolute Strategies LLC.