Cyberattack insurance

Energy companies slow to buy cyberdamage insurance

Published 18 August 2014

The U.S. oil industry will spend $1.87 billion on cybersecurity defense systems by 2018, but less than 20 percent of U.S. companies overall are covered for cyberdamages. “Imagine what could happen if a large refinery or petrochemical facility’s safety monitoring systems were hijacked near an urban area, or a subsea control module was no longer able to be controlled by the people who should be controlling it,” says one expert. “As we’ve all seen from Deepwater Horizon [the 2010 BP Gulf oil spill] those risks and damages can be astronomical. It requires an immediate response.”

U.S. energy companies employ some of the most advanced perimeter security systems to secure their facilities and field operations, but risk managers and chief security officers must be prepared to respond when network and control systems are infiltrated, because cyberattacks lead to billions of dollars in losses.

Physical breaches and accidents are limited to specific locations, but a cyberattack or cyber accident could affect control systems responsible for operations at multiple locations. “There’s no doubt that the speed with which response to a cyberattack can occur will have a significant impact on keeping the resulting damages low,” said Glenn Legge, a partner at Houston law firm Legge, Farrow, Kimmitt, McGrath & Brown, who specializes in commercial litigation areas including energy and insurance coverage. The Houston Chronicle reports that for the past decade, the insurance industry has narrowed the kinds of cybersecurity damages covered under liability policies; as a result, most energy companies are underinsured and may find it difficult to recover financially after a major cyberattack.

The 2012 cyberattack on Saudi Aramco, which failed to impact production, prompted the oil and gas industry to review their insurance policies’ cyber coverage. Recent guidelines from the Department of Energy and DHS, urging critical industry firms to upgrade their safeguards to prevent cyberattacks, also brought to light the seriousness of cybersecurity. In response, insurance companies are setting exclusions under their cybersecurity policies. Since 2001, the Insurance Services Office, which calculates risk and develops insurance policy forms, has been working to narrow the coverage for losses from cyberattacks. “A company could have a very well-placed, well-secured and broad liability policy - property, third party claims, pollution, underground resources damages - but it may have a cyberrisk exclusion on top of it,” Legge said.

While no critical U.S. energy company has suffered a major cyberattack, London-based insurer Aon says energy companies are at serious risk for cyberattacks because hackers have only begun to target them in recent years. Many energy companies are thus just beginning to develop adequate cybersecurity. ABI Research predicts that the U.S. oil industry will spend $1.87 billion on cybersecurity defense systems by 2018, but less than 20 percent of U.S. companies overall are covered for cyberdamages. “Imagine what could happen if a large refinery or petrochemical facility’s safety monitoring systems were hijacked near an urban area, or a subsea control module was no longer able to be controlled by the people who should be controlling it,” Legge said, “as we’ve all seen from Deepwater Horizon [the 2010 BP Gulf oil spill] those risks and damages can be astronomical. It requires an immediate response.”

Legge believes that more information sharing will help create a better understanding of the risk energy companies face from cyberattacks and what insurers should include in their liability policies. “An underwriter in the London market said, ‘We want to provide insurance coverage, but insurance coverage is not a replacement for security.’ I think that’s a very apt and correct statement,” Legge said.