Page 49 - 33 edition GAIF Post-Conference July 2022
Strong Cyber Security Resilience To Ensure A Smart, Green Future

By Zainab Khatib, VP MENA Cyber & Technology Practice - LOCKTON

Renewables are gaining popularity, but is their cyber resilience being guaranteed to ensure their victory?

Governments worldwide have ensured their national climate change strategies are clear. There must be an energy transition, one that sees significantly reduced use of fossil fuels, and a movement into alternative, greener sources, in line with global environmental, social and governance (ESG) targets.

The Middle East is a key player in this global strategy, with renewable energy targets amongst various countries ranging between 15-50% of power generation in 2030 [1]. The UAE, for example, is committing USD 163 billion as part of its decarbonization strategy, along with Saudi Arabia recently announcing it will double its previous investment intentions to more than USD 190 billion as part of “The Saudi Green Initiative” [2].

In the bid to keep up with fast-growing demand, there is pressure for cutting-edge innovation and rapid commercialization of technologies. Cyber resilience, and managing the associated risks, must be embraced in the energy transition paradigm, to ensure a smarter, carbon-neutral future can be achieved and maintained. This will ensure the integrity of truly socially responsible change.

Unplanned Fallout

The technology behind current multi-million dollar energy projects worldwide is confidently addressing critical energy challenges, such as efficiency and decarbonization, by utilizing more data analytics. The newer SCADA systems provide smart, fully integrated renewable solutions; however, they introduce more vulnerabilities than traditional systems due to being increasingly digitally interconnected (greater attack surface) and reliant on embryonic software and hardware. In addition, the energy sector continues to face a variety of escalating cyber-attacks, from ransomware threats (Colonial Pipeline; 2021) to insider risks. The Ponemon Report found in 2022 that companies in the Middle East and Africa experience the most insider incidents globally [3]. Despite increased threat levels, less than half of renewable energy firms surveyed in Saudi Arabia and the UAE in 2021 noted a cyber resilience strategy in place, with two-thirds of the IT executives stating they had postponed or cancelled a digital transformation initiative in the last year due to cyber risk [4].

With this in mind, all projects require careful risk assessment, and the insurance industry can help provide frontend risk control guidance to contribute to risk management knowledge, ultimately preventing unforeseen losses and, importantly, leading the response and management after a cyber incident occurs, an area they have vast experience in.

Often when trying to calculate the possible fallout from a cyber incident, property damage and ensuing loss is a top concern for the energy and power sector. This is, of course, a very real exposure, with previous incidents indicating the potential for physical damage loss as a result of a successful hacking attempt (e.g. Steel Mill in Germany; 2014). There are more pressing exposures, however, that the sector needs to be considering that will directly impact a project’s success. The 2021 NetDiligence Report highlighted how costly business interruption (BI) costs following a non-physical damage cyber incident can be, with the BI share of overall claims being much higher than any other cause of loss [5], leading to loss of revenue for the industry should a cyber incident occur.

If a project suffers a cyber incident, entities need to contemplate how much non-damage financial loss could be experienced with each day of downtime, from a variety of scenarios, and considering a plethora of costs. These include:
* Forensic investigation costs
* Costs for data/system restoration or rectification (often taking up to 3 months)
* Extra expenses in finding alternative ways of keeping the project operational (e.g. alternative production sites, purchasing power on the spot market)
* Possible ransom payment
* Penalties for failing to supply the contractually agreed power supply
* Regulatory mandate to shut down operation
* Resultant loss of income

Such losses could be picked up under a tailored cyber insurance policy. Questions over ownership and accountability of the operation introduce further challenges, whereby many of the SCADA technologies are installed, operated, and serviced by various third parties. Regardless of whether a third party is delivering the service, project developers bear a responsibility to drive security into their supply chain, to support an infrastructure that the public can trust.

The risk of mis-handling a cyber event should also not be underestimated. Cyber insurance policies can grant invaluable support to entities through automatic and immediate access to pre-vetted, specialist response vendors (forensics, legal, PR) at the insurers’ discounted rates in the event of a cyber incident. Not only can this assist in the cost-effectiveness of the incident, but also the efficiency, having a direct positive impact on the ultimate BI claim. This will alleviate excessive involvement of higher management in such instances, minimizing further disruption to the business.

Ignorance is Bliss, Or Is It Potential Trouble?

Confidence and investment in the cyber security hygiene of a business is crucial to its success. Understanding, however, that it is unrealistic to guarantee that no gaps exist in an entity’s cybersecurity posture is also key to its success. Assuming, for example, that holding an ISO27001 certification is sufficient to guarantee a project’s cyber security posture to lenders or investors is a near-miss to the realistic situation we find ourselves in. These audits are crucial, but not sufficient, as they do not actually advise on the minimum level of controls required to be in place; they simply ensure the controls chosen by the organization are implemented and effective. By its very nature, cyber risk is continuously evolving and there is only so much certainty an organization can have when mitigating against it. There will often be periods of time where an organization will be trying to keep pace with protecting itself, but gaps will inevitably surface. As a result, an entity can only ever be sure that a certain percentage of its vulnerabilities or exposures are protected against, and this is where a tailored insurance policy can act as a safety net for the percentage that can’t be confidently accounted for.

I’m Not in Charge of Security, Why Would I Be Held Liable?

The ultimate protection of the balance sheet will come down to the Directors and Officers of the company, not the cybersecurity department. Directors and Officers are now increasingly being seen to hold the personal responsibility to drive and endorse a cybersecurity risk management framework with a top-down approach, to ensure its applicability and effectiveness company-wide. In the event a cyber incident is successful against an organization and, as a result, there is a financial or reputational loss, there are increasing examples of executive leadership being held liable for the failure to address this current risk, through an effective risk management programme, or procurement of a cyber insurance policy for additional financial protection.

Enabling a Smart, Green Future

Ultimately, insurers can play a pivotal role in providing specialist risk transfer knowledge to the power sector, bringing ample knowledge from a large pool of power risks that has helped develop minimum control standards, claims information, and mitigate risks along the energy value chain. Despite the rising cost of cyber insurance, a premium offsetting a multi-million-dollar loss will still be economic in providing peace of mind regarding balance sheet protection, directors’ and officers’ liability, customers, and partners. Given the low cyber insurance penetration in the region, should the power sector seriously consider insurance as an additional risk transfer and crisis management tool, there are significant benefits that the industry can gain, including knowledge sharing, risk mitigation and management.

It will be important for entities to work with advisors who understand the various cyber solutions to ensure they are tailored to an entity’s business requirements, providing adequate balance sheet protection.

AL BAYAN ECONOMIC MAG - ISSUE 608 - JULY 2022