Cyber and the energy sector

By Sam Jobling, Account Executive

Devastating impacts may be only a few clicks away. In May 2021, a ransomware attack forced Colonial, one of the US’s largest pipelines, to shut down its entire operation for days. It left tanks empty at gas stations all down the US East Coast, from Virginia to Florida, and pushed average gas prices to their highest since 2014. In the aftermath, energy companies were ‘scrambling to buy more cyber insurance’, according to Reuters. We at Miller registered notably higher levels of client interest.

What happened at Colonial could happen to anyone. The hackers were after cash, not the pipeline, which carries nearly half of the East Coast’s fuel supply. A ransom was paid, but decrypting the system took time, and Colonial had decided to power down its entire operation immediately, including the pipeline. The disruption to fuel supplies saw commentators referencing the OPEC oil crisis of 50 years ago. The widespread publicity brought ransomware exposures to the forefront.

Cyber insurance is not new to energy companies, but almost all that had cover before the Colonial attack bought policies that include only cyber property damage and ensuing business interruption. Such cover would not have responded to the Colonial loss, nor to any ransomware claim, since there was no physical damage to trigger the policy.

Some, like Colonial, have speciality cyber insurance. It covers losses from cyber extortion, non-physical business interruption, digital asset restoration, and third-party claims. The policies also provide access to expert breach response services. The need for such cover is clear to all, but the amount of limit required is not so obvious.

Colonial Pipeline is widely reported to have purchased a USD15m cyber insurance policy. The ransom payment reportedly consumed c. USD4.5m of that (although some was subsequently recovered by authorities). But numerous other cyber-insuring clauses will also have been triggered by the attack, including, for example, business interruption, so it’s likely that Colonial’s loss will exceed policy limits.

The need for high limits was brought into sharper focus when putative class action suits were launched within weeks of the incident. They allege that Colonial’s negligence led to the ransomware attack. Those suits are still in the courts.

Energy companies seeking cyber insurance post-Colonial have several critical decisions to make.

First

It is imperative to determine what types of cover are needed. Off-the-shelf and modular products will meet the needs of most SMEs, but complex businesses in the energy sector are likely to require a bespoke cyber product which ensures all their potential exposures are covered, and that no gaps exist between cyber and other policies. A comprehensive first- and third-party cyber policy, with voluntary-shutdown and failure-to-supply extensions, could be one solution.

Second

Companies must calculate how much limit to buy based on scenario testing, and by establishing protocols on how to utilise the specialist services that come with cyber policies.

Miller’s depth of expertise spans the energy and cyber sectors in parallel. We work regularly with the world’s leading cyber underwriters to design comprehensive programmes to match the exposures facing energy companies. Our teams are here to help.
