Putting a premium on utility cybersecurity

Insurance companies have no trouble setting premiums for their clients’ car insurance policies. The massive data available about car models, driver age and more makes gauging the average cost of a car accident relatively easy.

But insuring public utilities against losses from cybercrime is quite different.

“Cyber risk is posing challenges to insurance companies because the nature of the risk is not known, and there is no sufficient data collection to support effective statistical analysis,” says Wei Wei, an associate professor of mathematical sciences in the College of Letters & Science. “To make it worse, cyber risk events could cluster and bring a disaster to insurance companies.”

Wei specializes in actuarial science, which leverages mathematical techniques for prediction and risk assessment. Uncertainty about the potential payoff is a reason electric utilities have been slow to invest in cybersecurity efforts, because the latest measures wouldn’t guarantee complete protection. Meanwhile, the threat grows daily, as utilities become increasingly reliant upon streaming operational data to the internet.

Researchers Wei Wei (left) and Lingfeng Wang are exploring ways to insure public utilities against damages from cybercrime. (UWM Photo/Troye Fox)

Wei and Lingfeng Wang, a professor of electrical engineering and computer science in the College of Engineering & Applied Science, are helping utility companies shore up their efforts. With funding from the National Science Foundation, they’re researching ways to quantify potential losses caused by cyberattacks and build a structure for premiums without the benefit of historical information. Their work confirms that cyber risk events, and thus related losses, can cluster. For example, they’ve found that two utility grids that are physically separated can both be exposed to losses from common cyber threats.

Wang and his students have examined current cybersecurity measures and quantified the effects of a wide range of hacking scenarios. They constructed a probabilistic model that assigns monetary value to damages across the scenarios, and Wei applied actuarial techniques to calculate premiums.

“Cyberinsurance premiums will be high for those with low cybersecurity performance audits, based on our novel actuarial models,” says Wang, who develops quantitative models to evaluate and mitigate emerging risks in public infrastructure. “Conversely, utilities with high cybersecurity efforts will enjoy low premiums.”