A massive data breach of Target’s computer systems last year claimed millions of customer credit card numbers, a CEO’s job and $148 million so far to clean up the mess.
If hackers ever manage to hit an oil and gas company with a major cyberattack — compromising key systems at a deep-water platform or an oil refinery — losses could dwarf the retailer’s tab.
Yet most U.S. energy companies have to scrape together a collection of insurance policies to protect themselves against property, environmental and other damages from cyberattacks that could run into the billions of dollars.
For the past decade the insurance industry has narrowed the kinds of cybersecurity damages it covers under liability policies, even as U.S. officials are pushing companies to obtain coverage so they can fund quick responses to security breaches, said Glenn Legge, a partner at Houston law firm Legge, Farrow, Kimmitt, McGrath & Brown, who specializes in commercial litigation areas including energy and insurance coverage.
“Imagine what could happen if a large refinery or petrochemical facility’s safety monitoring systems were hijacked near an urban area, or a subsea control module was no longer able to be controlled by the people who should be controlling it,” Legge said. “As we’ve all seen from Deepwater Horizon, those risks and damages can be astronomical. It requires an immediate response.”
That deadly 2010 blowout and oil spill in the Gulf of Mexico was an accident, but London-based insurer Aon says energy companies are at particular risk for cyberattacks because hackers only began targeting them in recent years, so many are just beginning to develop effective security.
ABI Research forecasts that the oil industry will spend $1.9 billion on cybersecurity defense systems by 2018. But less than a fifth of U.S. companies overall are covered for cyberdamages.
General cybersecurity policies cover privacy breaches and other data-related claims, but attacks that cause property or pollution damage from an oil and gas company’s facilities typically fall in a gray area under different property damage policies.
Legge spoke with the Houston Chronicle about recent developments in the cybersecurity insurance market and how the oil industry and the insurance industry might come closer together on cybersecurity policies. Excerpts, condensed and edited for clarity:
Q: Why is cybersecurity insurance becoming a bigger issue for oil and gas companies?
A: Perhaps this is just the new normal. Upstream, midstream and downstream companies are all increasing their reliance on what has been called big data.
There’s also an increased reliance upon remote production monitoring and controls, as they’re looking at shale production throughout South Texas or North Dakota and deep-water exploration. Managing and protecting this has become a real challenge.
There’s no doubt that the speed with which response to a cyberattack can occur will have a significant impact on keeping the resulting damages low. It’s just like responding to a blowout. The sooner you find an effective means to cap that blowout, the sooner you can reduce the damages.
Q: When did energy companies start paying more attention to potential cyberattacks?
A: We saw that in 2012 when Saudi Aramco was subjected to a virus that affected thousands of its facilities overseas. Fortunately, none of the production safeguards were impacted, but the fact that the energy industry experienced a very real cyberattack got the attention of the companies and their insurers.
Then this year the U.S. government issued an executive order telling U.S. industries that we need to have a heightened degree of vigilance and safeguards against cyberattacks. The Department of Energy also released guidelines for the oil and gas industry on cybersecurity.
Almost contemporaneously, we’ve got an insurance industry association in the United States coming out with enhanced exclusions under their policies for such risks.
Q: Aren’t insurers skeptical of energy companies’ cyberdefenses?
A: To be fair, I think we’ve seen a fast-paced response by the oil and gas industry, with respect to an information-sharing group they formed this year. It’s an organization where they can share what they are doing to guard against cyberattacks. There have been attempts by the Insurance Services Office (an organization that calculates risk and develops insurance policy forms) since 2001 to further narrow the coverage for losses resulting from a cyberattack. A company could have a very well-placed, well-secured and broad liability policy — property, third party claims, pollution, underground resources damages — but it may have a cyberrisk exclusion on top of it.
Q: From your perspective, what’s the answer here?
A: I can’t tell you what the playbook is, but I would expect to see the energy sector continue to increase the level of sophistication and technology they’re using to guard against cyberattacks. That’s reflected in directives by the Department of Homeland Security and the Department of Energy. The gap will be narrowed as the insurance industry keeps abreast of those developments. An underwriter in the London market said, “We want to provide insurance coverage, but insurance coverage is not a replacement for security.” I think that’s a very apt and correct statement.