
Energy sector ripe for breaches as connectivity widens, experts say


The power and utilities sector, like other industries, is trending toward greater online connectivity, particularly in North America with the rising use of “internet of things” devices, but that trend introduces cyber vulnerabilities that can be exploited by a wide swath of actors such as nation states, hacktivists and organized crime.

“Assume you will be breached,” Paul Mee, New York-based Americas cyber partner with Oliver Wyman, said at a United States Energy Association briefing in Washington, D.C. “Cyber threats are stronger than ever before. Make sure that you’re in a position whereby you’re prepared for the worst.”

“While this is a story of increasing vulnerability, we shouldn’t look at it as a negative thing,” said Matthew McCabe, New York-based senior vice president and U.S. critical infrastructure cyber leader with Marsh L.L.C. “It’s just a natural consequence. There certainly is a great deal of productivity and increased safety and greater compliance with regulation that is possible from the promulgation of this technology, but the outcrop of that is dealing with the technology risk that results.”

Threats have been advanced and persistent against the energy sector for years, he said, citing a Triton malware attack that sought control of safety systems designed to prevent a disaster in Saudi Arabia and a Russian cyber attack disclosed by the U.S. Department of Homeland Security in March.

“We don’t want to oversensationalize things … but I do think we have to take this with a level of seriousness for what they represent,” Mr. McCabe said.

“If we’re looking at that original equation of vulnerabilities, threats and consequences, we’re now at the point of the threats actually succeeding to gain access to control systems in the United States,” he continued, adding that there have likely been additional successful breaches that have been classified.

Worldwide spending on security-related hardware, software and services is forecast to reach $119.9 billion in 2021, compared to $83.5 billion in 2017, an increase of 10.3% over 2016, according to an October 2017 report by International Data Corp. in Framingham, Massachusetts.

“When other organizations are spending that money, you don’t want to be the weakest gazelle in the pack,” Mr. Mee said.

“Companies are doing their due diligence on protecting their assets and that’s absolutely completely appropriate,” Mr. McCabe said.

“There’s no use in trying to insure something that you know you’re going to lose,” he said.

“Cyber is a race without a finish line,” Mr. McCabe continued. “Your diligence is never done. What insurance is there for is to back up that unknown risk.”

Insurers underwrite the exposure, but have limited their risks through terms and conditions, Mr. McCabe said. About 30 insurers participate in cyber risk coverage, but fewer than 10 insurers write the bulk of cyber coverage for the energy sector, with power utilities securing limits anywhere from $100 million to $200 million.

“I’m not aware of an incident that could take down the (insurance) industry,” he said in response to a question about whether the private sector would stop writing coverage.

The speakers were asked about the government’s role in covering the cyber risk from an insurance perspective. On Dec. 27, 2016, the U.S. Treasury Department issued guidance that clarified that stand-alone cyber liability insurance policies are included under TRIA, which requires insurers to make available terrorism risk insurance for commercial property and casualty losses resulting from certified acts of terrorism.

“I think by the government bringing cyber insurance into TRIA, they were saying ‘you don’t necessarily need the support for cyber insurance now,’” Mr. McCabe said. “However, the government did recognize the escalation of threat and the potential that this could become an incident if there was a widespread catastrophic systemic cyber attack either through targeting vulnerabilities that were replete in the environment or somehow directly targeting a supply chain that had many consequences.”

Read Next

  • Renewable energy firms at risk from cyber attacks: Report

    A report by U.K.-based The Renewables Consulting Group and U.S.-based cyber security firm Cylance Inc. said that renewable energy firms across the world are vulnerable to "maloperation" of machinery by hackers, Power Technology reported. Wind and solar farms are controlled through public internet addresses, which can leave operations, maintenance and monitoring software open to attack, the report added.