Connect with us

Hi, what are you looking for?


Cyber Insurance

Cyber Attack on Power Grid Could Top $1 Trillion in Damage: Report

Cyberattack Against Power Grid

Cyberattack Against Power Grid

In the advent of a major cyber-attack against the United States power grid, people could conceivably die as health and safety systems fail, business come to a standstill, and transportation networks stop working. An insurance company calculated such an attack would cause between $243 billion to more than $1 trillion in economic damage.

Lloyd’s and the Cambridge Centre for Risk Studies at University of Cambridge Judge Business School examined the implications of a fictional attack where adversaries damaged 50 generators supplying power to the electrical grid and caused a blackout across 15 states along the East Coast and Washington D.C. and affected 93 million people. Lloyd’s produced the Business Blackout report to help insurance underwriters understand how cyberattacks impact insurance and risk.

“As insurers, we need to think about these sorts of complex and interconnected risks and ensure that we provide innovative and comprehensive cyber insurance to protect businesses and governments,” said Tom bolt, director of performance management at Lloyd’s.

Lloyd’s took the calculations a step further to calculate the amount the insurance industry would have to pay out in claims in the advent of a major cyber-attack. Lloyd’s estimated an attack on the U.S. power grid affecting most of the East Coast would result in claims estimated at $21.4 billion. The amount of claims paid by the insurance industry would jump to $71.1 billion in the most extreme version of the scenario.

Lloyd’s identified six primary categories of insurance claims in its report. Power generation companies would likely file claims for property damage to generators, business interruptions as a result of not being able to sell electricity, and costs incurred from incident response and regulatory fines. Power companies may try to recover a proportion of the losses incurred by filing claims against partner companies’ liability insurance policies. Businesses who lost power may file claims to recover losses stemming from property damage, such as perishable cold storage, business interruption, the inability to comply with existing regulations. Homeowners could also conceivably file claims for property damage under contents insurance.

Companies indirectly affected by the blackout can also be due for insurance payments, for business interruption or supply chain disruptions. Companies with inadequate contingency plans may generate claims under their directors’ and officers’ liability insurance, Lloyd’s noted in the report. The final category covered specialty covers, such as event cancellations.

Many organizations believe their existing insurance would cover cyber-attacks than is likely to be the case, Bolt wrote in the report. Understanding the impact of severe events is one of the key requirements for insurers to develop cyber risk coverage.

Advertisement. Scroll to continue reading.

The scenario is plausible, but extreme, and falls under the kind of situations insurance companies consider when developing risk models, the company said. This poses a number of complex challenges for insurers, which would need to be addressed if insurers are to more accurately assess cyber risk and develop new cyber insurance products, the report said.

Lloyd’s exercise, while interesting, gives insurance companies a starting point in understanding what kind of claims they will have to cover. Companies are looking to insurance companies to cover the cost of data breaches, and in many cases, insurance companies are pushing back. For example, California healthcare provider Cottage Health System filed a claim with its insurance company after a misconfigured server exposed tens of thousands of patients’ files on the Internet. The insurer, Columbia Casualty, denied the claims because a clause in the policy indicating Cottage Health System failed to follow “minimum required practices.” The insurer noted the healthcare company “stored medical records on a system that was fully accessible to the Internet but failed to install encryption or take other security measures to protect patient information from becoming available to anyone who ‘surfed’ the internet.” As a result, the claim wasn’t valid.

More insurance companies are developing models and ways to assess risk for cyber-attacks, Jeremiah Grossman, founder of White Hat Security, told SecurityWeek during RSA Conference in April. This will have an impact on overall security. Pegging specific dollar amounts to cybersecurity and understanding what kind of coverage are provided by insurance policies would give organizations a clearer view of what constitutes risk. If nothing else, organizations will be more motivated to take certain steps to secure their data and infrastructure once they know what insurance will cover or not cover.

“This scenario shows the huge impact and havoc that could result from a major cyber attack on the US,” Bolt said. “The reality is that the modern, digital, and interconnected world creates the conditions for significant damage, and we know there are hostile actors with the skills and desire

Related: Learn More at the 2015 ICS Cyber Security Conference

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Cyber Insurance

Cyberinsurance and protection firm Boxx Insurance raises $14.4 million in a Series B funding round led by Zurich Insurance.

Security Infrastructure

Security vendor consolidation is picking up steam with good reason. Everyone wants to improve security efficiency and effectiveness while paying for less.

CISO Strategy

The question for 2023 and beyond is whether the cyberinsurance industry can make a profit without destroying its market.

Management & Strategy

Hundreds of companies are showcasing their products and services this week at the 2023 edition of the RSA Conference in San Francisco.

Security Infrastructure

Instead of deploying new point products, CISOs should consider sourcing technologies from vendors that develop products designed to work together as part of a...

Cyber Insurance

Court says insurers must pay Merck for losses related to the Russia-linked NotPetya cyberattack.

Security Infrastructure

Comcast jumps into the enterprise cybersecurity business, betting that its internal security tools and inventions can find traction in an expanding marketplace.