Energy Firms Unprotected for Major Cyber Events: Willis

April 15, 2014

Energy companies have no insurance against major cyber attacks, reinsurance broker Willis said, likening the threat to a “time bomb” that could cost the industry billions of dollars.

Willis highlighted the industry’s vulnerability to cyber threats in its annual review of the energy sector’s insurance market, which called on insurers to find a way to provide cover.

“A major energy catastrophe – on the same scale as … Exxon Valdez or Deepwater Horizon – could be caused by a cyber attack, and, crucially, that cover for such a loss is generally not currently provided by the energy insurance market,” the insurance broker said.

Most insurance products currently available will cover minor things such as data losses or downtime caused by IT issues, but not major events like explosions at multiple facilities triggered remotely by hackers, Willis said.

It said the lack of coverage stemmed from a clause included in most energy sector insurance agreements over the past 10 years that explicitly excludes loss or damage caused by software, viruses or other malicious computer code.

“There can be little doubt that the removal of this exclusion would be the most effective way for coverage to be provided to the energy industry,” it said.

But the exclusion clause has remained because cyber security is not well-understood by the insurance industry, making it difficult to design comprehensive products. Additionally, problems lie with how insurers agree to cover damage to multiple plants or platforms caused by a single attack.

The issue is attracting more attention after high-profile events including Stuxnet – a virus that afflicted a uranium enrichment facility in Iran – and Shamoon – a virus linked to cyber assaults on energy firms in Saudi Arabia and Qatar in 2012.

Technology now allows entire oil and gas networks to be operated remotely, but connecting that infrastructure via the internet has also opened the door for hackers and computer viruses to target anything from refineries to pipelines.

The effects of such attacks can range from viruses spreading across a network of household smart electric meters to hackers triggering oil spills or explosions.

Britain estimates that cyber security breaches cost UK energy firms around 400 million pounds ($664 million) annually. The U.S. Department of Homeland Security said over 40 percent of attacks on the United States’ critical infrastructure assets were aimed at the energy industry in the year to September 2012.

Research firm ABI estimates that global cyber security spending by the industry on critical oil and gas infrastructure will reach $1.87 billion by 2018.

Willis also said companies are coming under pressure from shareholders and the government to beef up cyber defences, a trend that could lead to the introduction of regulatory requirements aimed at protecting key infrastructure.

“While many in the energy industry may not see regulation as the answer to the problem of cyber-attacks, it remains a strong possibility that energy companies will increasingly be accountable for demonstrating that they have taken every possible step to counter this threat,” it added.

($1 = 0.6020 British Pounds) (Editing by Jane Merriman)