Last month’s ransomware attack, which forced one of the US’ largest pipelines to shut down its entire operations, is unsurprisingly bringing the question of cyber insurance to the forefront for energy companies across the globe. Our Energy and Cyber specialists, Adam Taylor and Tancred Lucy respectively, discuss lessons learned and key coverage considerations.
Energy companies are ‘scrambling to buy more cyber insurance’, according to Reuters. Indeed, we at Miller have registered higher levels of interest from clients. What happened at Colonial could have happened to anyone. The hackers were after cash, not the pipeline, but the disruption occurred because the company decided to power down its entire operation immediately, including the pipeline. The consequential disruption to fuel supplies saw consumer prices increase at the pump, and commentators referencing the OPEC oil crisis of 50 years ago. The widespread publicity has brought ransomware exposures to the forefront.
Cyber insurance is not new to energy companies. However, of those who have previously bought cover, almost all have only taken out policies that include cyber property damage and any ensuing business interruption. Such cover would not have responded to the Colonial loss, nor to any ransomware claim, since there was no physical damage to trigger the policy.
Some, like Colonial, purchase speciality cyber insurance, which would cover losses from cyber extortion, non-physical business interruption, digital asset restoration and third party claims, as well as provide access to expert breach response services. The question here is how much limit is enough? Colonial Pipeline is widely reported to have purchased a USD15 million cyber insurance policy. The ransom payment reportedly consumed c.USD4.5 million of that (although some may be subsequently recovered by authorities). However, with numerous cyber-insuring clauses that may have also been triggered by the Darkside attack, it is likely that Colonial’s loss will exceed policy limits. This is brought into sharper focus given a putative class action suit was launched within two weeks of the incident alleging that Colonial’s negligence led to the ransomware attack.
Energy companies seeking cyber insurance post-Colonial have several critical decisions to make. Firstly, it is imperative to determine what types of cover are needed. Off-the-shelf and modular products will meet the needs of most SMEs, but complex businesses in the energy sector are likely to require a bespoke cyber product which ensures all their potential exposures are covered, and that no gaps exist between cyber and other policies. A comprehensive first and third party cyber policy, with voluntary-shutdown and failure to supply extensions, for example, could be one solution. Next is calculating how much limit to buy based on scenario testing and establishing protocols on how to utilise the specialist services that come with policies.
Miller’s depth of expertise spans the energy and cyber sectors in parallel. We work regularly with the world’s leading cyber underwriters to design comprehensive programmes to match the exposures facing energy companies. Our teams are here to help.