Cyber-attacks: A question of when, not if, for the energy industry

In May, cyber risk in the energy sector received global attention following a ransomware attack that caused the shutdown of the largest fuel pipeline in the US. The increasing frequency of cyber threats means organizations cannot ignore the implications that even a single event can have on their operations, or the economic and social jeopardy it may pose. In 2019, 65% of energy organizations reported that they found it difficult to keep pace with evolving cyber risks.[1] Two years on, the 2021 Global Risks Report by the World Economic Forum and Marsh found that cybersecurity failure remains a top risk in terms of both likelihood and impact.

The scale, sophistication, and severity of cyber-attacks continue to evolve, driven by nation states, criminals, terrorists, hacktivists, and insiders. Digitalization in the energy sector and greater reliance on operational technology (OT) data broaden the interface between IT and OT, creating a dramatically larger attack surface for potential attackers. These operational transformations create both opportunities and risks, and organizations must balance the benefits of digitalization against the need for cybersecurity. At a whole-of-system level, the interconnectivity and complexity of energy sector value chains increase the susceptibility of critical infrastructure to malfunction or sabotage, with a potential ripple effect and cascading impact.

Malicious actors most often target energy companies with financially motivated ransomware. However, the emerging risk profile is shifting towards cyber-physical risk. The discovery of the Triton malware, which specifically targets safety instrumented systems (the controllers that bring a plant to a safe state when a process goes out of bounds), and attacks leading to physical plant damage such as Stuxnet, indicate the escalating threat. Attacks of this kind have the potential to result in large-scale property damage and/or loss of life.

Risk transfer is a critical component of any cyber risk management program, for both physical and non-physical impacts.

The cyber insurance market is in transition. The global cost associated with ransomware recovery is expected to exceed USD 20 billion in 2021. Ransomware-related losses have accelerated the deterioration of market conditions, and some leading cyber insurers are introducing coverage limitations, such as co-insurance on ransomware losses. Silent cyber exclusions in traditional policies are also proving challenging, because they increase the residual risk retained on balance sheets. Nevertheless, risk transfer options remain available for malicious cyber events, while the traditional property insurance markets are better placed to underwrite accidental and physical property damage.

A standard cyber insurance policy can cover the first-party costs of non-physical impacts arising from a loss of confidentiality, availability, or integrity of data and technology. Cover is provided for loss of income and the extra expenses incurred to mitigate that income loss, data restoration to recreate critical process information, and forensic investigation costs and other expenses incurred in remediating and responding to a cyber event. Figure 1 below shows a full list of available coverages.

While organizations cannot eliminate cyber risk, they can proactively prepare for an attack. The steps organizations can take include:

  • Bring together key stakeholders, including risk management; information security, covering both the operational technology and information technology teams; and the treasury, finance, and legal teams, to ensure there is alignment on how you would manage an attack.
  • Evaluate existing controls and address identified network and security vulnerabilities. The most common ransomware attack vectors in the first quarter of 2021 included remote desktop protocol (RDP) compromise and email phishing. Implementing appropriate controls (for example, removing RDP from the internet, enforcing multi-factor authentication on remote access, and filtering and monitoring email) can help to thwart an attack, or at least identify one before threat actors can move laterally within your network. Early identification can allow you to isolate or take operational technology offline once the corporate network is known to have been compromised, but before the intrusion reaches any industrial control systems.
  • Assess and test your cyber incident response plan, or develop a ransomware "playbook" of activities to respond to a threat. The plan should be re-evaluated after every incident and exercise.
  • Measure your organization's cyber risk exposure in financial terms. This will help you prioritize the cyber risks presenting the greatest exposure to your balance sheet. It also enables you to evaluate the return on investment of cybersecurity products, as well as how much risk to retain or transfer.
  • Evaluate your entire insurance portfolio, including cyber insurance coverage, to assess whether the various programs are aligned. Verify that coverage includes the material costs incurred as a result of a ransomware attack, including an attack that leads to physical damage and/or bodily injury.

Effective preparation can help you build a cyber-resilient organization.

[1] Based on the 2019 Marsh Microsoft Global Cyber Risk Perception Survey. Read more: Winning the Cyber Risk Challenge.

Marsh Pty Ltd (ABN 86 004 651 512, AFSL 238983) ("Marsh") arranges this insurance and is not the insurer. The Discretionary Trust Arrangement is issued by the Trustee, JLT Group Services Pty Ltd (ABN 26 004 485 214, AFSL 417964) ("JGS"). JGS is part of the Marsh group of companies. Any advice in relation to the Discretionary Trust Arrangement is provided by JLT Risk Solutions Pty Ltd (ABN 69 009 098 864, AFSL 226827), which is a related entity of Marsh. The cover provided by the Discretionary Trust Arrangement is subject to the Trustee's discretion and/or the relevant policy terms, conditions and exclusions. This website contains general information, does not take into account your individual objectives, financial situation or needs, and may not suit your personal circumstances. For full details of the terms, conditions and limitations of the covers, and before making any decision about whether to acquire a product, refer to the specific policy wordings and/or Product Disclosure Statements available from JLT Risk Solutions on request. Full information can be found in the JLT Risk Solutions Financial Services Guide.