According to Nick Santillo, vice president of digital infrastructure and security at American Water, insurers are increasingly requiring water utilities to meet stringent cybersecurity requirements before even considering insuring them. A strong privileged access management program that protects administrative credentials and privileged accounts, along with endpoint detection and response tools, is among the requirements.
"There are a lot of companies that have gone through renewals and ended up either becoming uninsurable or implementing some new controls just to get to the point of being insurable," Santillo told a gathering of water company executives in Washington, D.C. for a National Association of Water Companies (NAWC) conference.
According to Kevin Morley, manager of federal relations at the American Water Works Association, the scope of what insurers cover is also narrowing as costs rise.
Last year, the CEOs of major insurance companies said that cyber insurance premiums had skyrocketed across the industry, with AIG's chief executive saying rates had increased by 40%, and Chubb CEO Evan Greenberg saying his company's rates were rising sharply but still didn't adequately capture the risk posed by a major cyber event.
According to the credit ratings agency AM Best, ransomware is driving the majority of cyber insurance woes, accounting for 75% of all cyber insurance claims in the summer of 2021, up from 55% in 2016.
The fact that some water companies do not report ransomware incidents complicates assessing the risks the water sector faces from ransomware, according to Elke Sobieraj, director of critical infrastructure cybersecurity at the White House's National Security Council.
"We just don't know what we don't know," Sobieraj explained to CyberScoop. "A water utility may be attacked and not report it to the FBI, particularly if it is a smaller entity."
Sobieraj stated that the White House is focused on liability protection so that water companies can report incidents to the EPA, CISA, or FBI and "understand they are protected, their name will not be out there that they had an incident."
She applauded the March passage of a cyber incident reporting bill, which requires critical infrastructure entities such as water utilities to report incidents to the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency within 72 hours.
According to Rob Powelson, president and CEO of NAWC, the water sector's insurance crisis is being discussed in water company boardrooms across the country.
"The insurance markets can't afford to pay for these ransomware attacks indefinitely," Powelson said. "The average ransomware attack costs between $5 and $8 million... What if you have four in a single fiscal year? How can an insurer make those payments in good conscience?"
Powelson believes that the costs of ransomware attacks and insurance against them will inevitably be passed on to consumers over time, especially since many water companies are backed by private investors.
He claims that because of fragmentation, the water sector, in particular, has difficulty even determining the scope of the ransomware problem. According to him, there are 51,000 drinking water systems in the United States, compared to 3,200 electric distribution companies. Municipal water companies account for approximately 85 percent of all water companies, with many being very small.
Powelson expressed gratitude for the insurance industry's participation in a summer cybersecurity summit hosted by the White House.
"It was important because that is a looming issue that could have a profound impact," he explained.