Cyber Insurers Step in to Fill Security Gap for US Water Systems

Oct. 28, 2024, 9:05 AM UTC

Cyber insurers are taking a proactive approach that could shape the security posture of the US water sector, but many public water systems remain at risk amid meager cybersecurity regulations from federal agencies.

The water infrastructure has been hit with cyberattacks in recent years, including a data breach disclosed this month by American Water Works Co. Inc. alleged to have exposed the personal information of millions of customers.

These utilities, however, lack formal cybersecurity standards and have struggled to shore up digital protections. As industry groups and government officials aim to bolster the water sector’s cyber protections, insurance companies have emerged as potential partners.

By taking a hands-on approach to cyber risk that involves testing existing systems and helping policyholders address shortcomings, insurers said they are helping spread the risk and improve resilience. But cyber experts caution that insurers’ impact could be limited, partly due to the water sector’s unique challenges.

“Cyber insurance is a tool to improve our resilience. It’s not the solution, right?” said Sezaneh Seymour, head of regulatory risk and policy at cyber carrier Coalition Inc. “It’s got to be more complex than that, but in the absence of other things available, it is a really meaningful tool.”

‘Doors Unlocked’

The Environmental Protection Agency last year issued a plan that would have required all drinking water systems to check their vulnerability to cybersecurity threats. A federal appeals court suspended it after states headed by conservatives said the agency was overstepping, and the EPA withdrew it.

Since then, federal agencies have issued guidance—and warnings—but no legally binding requirements to protect drinking water systems from cybercriminals.

Attacks discovered in recent years don’t yet indicate that hackers are specifically targeting the sector, but those water systems have proven to be especially vulnerable, cybersecurity professionals said.

Hackers are “jiggling on door handles; they’re seeing what’s locked and unlocked,” said Ron Fabela, strategic adviser to cybersecurity firm Xona Systems. “They’re not really targeting anyone, and what they’re happening to find is that the smaller, less-funded utilities—population three to five thousand—are the ones that leave their doors unlocked.”

Unlike many other critical infrastructure entities, the water sector is extremely fragmented, with at least 150,000 utilities spread throughout the country.

Smaller systems serve as few as a few dozen customers, meaning they operate with low budgets that often don’t account for cybersecurity. A May alert from the EPA found over 70% of systems inspected since September 2023 violated the Safe Drinking Water Act’s requirements to develop risk assessments and emergency response plans.

Attacks haven’t yet caused major operational disruptions, but this could change as hackers get more sophisticated, cyber professionals said.

“It’s just a matter of time before a determined adversary bypasses the safety functions that have kept systems, people, and the environment safe thus far,” said Jennifer Lyn Walker, the director of infrastructure cyber defense at WaterISAC, a security resource for the water and wastewater sector.

Cyber Insurance Steps In

Many cyber insurers—such as Markel Group Inc., Coalition, Travelers Cos., and Cowbell Cyber Inc.—have moved on from a traditional, application-based underwriting model in favor of new, hands-on cyber risk practices. Industry professionals said insurers’ more-involved approach could be part of the push to boost resilience in the water sector.

“Modern insurers recognize that digital risk doesn’t behave like a lot of other traditional losses that insurance experiences, like flood, fire, things like that,” Seymour said. “You can’t move your house out of the path of a hurricane, but you can do the digital equivalent of that with cyber insurance.”

Insurers bring technical expertise, conduct reviews of applicants’ cybersecurity infrastructure, and work with policyholders to improve resilience and respond to attacks in real time. By taking on the risk of potential breaches, carriers bear a financial stake in strengthening customers’ cyber posture.

“As long as the right risk management strategy is in place, as long as the right cyber risk posture is in place, if the client is willing to take additional steps to harden their overall security posture,” there will be carriers willing to cover higher-risk policyholders like water utilities, said David Derigiotis, president of brokerage and head of insurance at Flow Specialty.

As more entities seek insurance to protect against cyber risk, cybersecurity improvements carriers demand could help decrease the actual risk.

Seymour said Coalition was able to reduce vulnerabilities of water entities it covered by over 90% in six months through risk pooling.

Governments are starting to pay attention, she added. “Increasingly, you have bureaucrats at the state, federal, and international level that recognize that cyber insurance can drive resilience.”

‘Pivotal Time’

Insurers’ ability to shape cybersecurity resilience across the water sector may ultimately be limited, cybersecurity professionals warn.

Cyber insurance has relatively low market penetration, and organizations seeking coverage are probably already conscious of investing in cybersecurity, said David White, president of Axio Global Inc., a cyber risk management firm.

“The big question from an industry perspective is, how do those larger utilities that have funded cybersecurity programs and are buying cyber insurance, how do we have them serve as a flywheel effect to start bringing along all the really small utilities who haven’t even passed ‘go’ yet?” White said. “They’re not in the first square of the cybersecurity game.”

Despite a growing appetite from insurers to cover cyber risk, many entities—especially in the water sector—still can’t obtain coverage, WaterISAC’s Walker said.

The lack of resources and knowledge about risk means “they’re not going to meet the minimum qualifications to get cyber insurance,” she said.

The operational systems many utilities rely on are over a decade old, cyber professionals said, which makes them slower to update because of cost burdens and limited technical capabilities.

“As we start replacing those systems that are outdated and becoming more connected, is that going to be done in a safe manner?” Walker said. “We’re at a pivotal time.”

To contact the reporters on this story: Olivia Alafriz in Washington at oalafriz@bloombergindustry.com; Cassandre Coyer in Washington at ccoyer@bloombergindustry.com

To contact the editor responsible for this story: Michael Smallberg at msmallberg@bloombergindustry.com
