In late August, the Federal Energy Regulatory Commission (FERC) and North American Electric Reliability Corporation (NERC) issued a joint white paper proposing a “name-and-shame” approach to electric utilities that fail to meet NERC Critical Infrastructure Protection (CIP) Reliability Standards. The standards represent a baseline for protecting against cyber-attacks on critical infrastructures. FERC and NERC propose to depart from the historical practice of withholding most material details regarding CIP Reliability Standard violations, and instead to start disclosing the names of allegedly violating electric utilities in response to Freedom of Information Act requests—“naming and shaming them.” This development underscores the substantial cyber risks utilities face and, likewise, the importance of appropriate insurance for those risks.
Colleague Brendan Hogan (along with Richard Mroz, managing director of Resolute Strategies LLC) examines the proposal more closely in “Name-and-Shame Proposal of Electric Regulators Highlights Need for Cyber Insurance.” He also outlines a few key points electric utilities should keep in mind with respect to securing the right kinds of insurance coverage for cyber-related incidents.