Ransomware risks can render water utilities uninsurable. Here’s what they need to do.

Ransomware attacks have climbed steeply in recent years; the Verizon 2022 Data Breach Investigations Report found that the increase in 2021 alone was as large as the previous five years combined[1]. While ransomware is up across all sectors, utilities are increasingly seen as attractive targets by cyber criminals because of the leverage that comes with threatening to cut off power or water.

The water sector in particular has seen a surge of cybersecurity breaches. Last week a UK water utility reported that it was the victim of an attack, and there was also a high-profile attack in Florida last year. Water utilities are particularly vulnerable due to a drought of IT and cyber security specialists and uncertainty about their technical capability to improve their cyber security.

Now, insurers for water utilities are requiring new and very stringent cyber security standards as a condition of coverage, leaving these companies under the gun to meet those standards or risk being uninsured. Specifically, the new requirements include secure access management programs and endpoint detection and response (EDR) tools.

“Insurers have set a new high bar for cyber security and cyber resilience for water utility companies. Instituting advanced cyber capabilities is no small feat – many utilities may find themselves struggling to comply,” said Charlie Jacco, Principal, Cyber Security Services at KPMG.

In January, the White House, the Environmental Protection Agency (EPA) and the Cybersecurity and Infrastructure Security Agency (CISA) rolled out a 100-day plan to improve cybersecurity for water utilities, but it is unclear how much progress companies are making or how quickly they have been able to adapt.

According to Brad Raiford, Director of Cyber Security at KPMG, water utilities have underspent on cyber security relative to other industries, opting to focus on process safety and operations, backed by the expectation that insurance policies would bail them out in the event of an attack. Now, as insurers push back, the utilities are forced to raise their cyber security capabilities to a much higher standard.

“There has been a definite shift – utilities need to be future focused - thinking forward - incorporating resiliency concepts that will help them prevent, withstand, and recover from a cyber-attack,” said Raiford.

KPMG advises water utilities to treat cyber resilience as integral to their business continuity strategies. “Enterprise-grade cyber resilience is the augmentation of business continuity with leading preventative and detective functions, exercised cyber response capabilities, and high velocity recovery mechanisms, providing confidence in the face of a seemingly inevitable attack,” said Charlie Jacco, Principal, Advisory at KPMG.

Beyond the immediate benefits of an improved cyber security posture and reduced exposure of critical infrastructure, cyber resilience helps mitigate financial loss and reputational damage, which are the primary drivers for seeking out insurance coverage in the first place.

Specifically, KPMG recommends that utilities inventory and catalog the systems and services that matter most, design risk-proportionate controls and procedures for those critical assets, and tune their cyber operations to guard against undesirable actions (internal or external, intentional or accidental) at a pace that keeps up with the threat landscape.


[1] Verizon Business, 2022 Data Breach Investigations Report (2022 DBIR): 2022-data-breach-investigations-report-dbir.pdf (verizon.com)


Media Contact:

Melanie Malluk Batley

Associate Director, Corporate Communications, KPMG US

+1 201-307-8217

Charles A. Jacco

Principal, Cyber Security, KPMG US

+1 212-954-1949

Brad Raiford

Director Advisory, Cyber Security Services, KPMG US

+1 832-527-5624
