Marsh
In May 2021, cyber risk in the energy sector received global attention following the ransomware attack on Colonial Pipeline, which shut down the largest fuel pipeline in the US. The increasing frequency of cyber threats means organizations cannot ignore the implications that even a single event can have for their operations, or the economic and social jeopardy it may pose. In 2019, 65% of energy organizations found it difficult to keep pace with evolving cyber risks.[1] Two years on, the 2021 Global Risks Report by the World Economic Forum and Marsh found that cybersecurity failure remains a top risk in terms of both likelihood and impact.
The scale, sophistication, and severity of cyber-attacks continue to evolve, driven by nation states, criminals, terrorists, hacktivists, and insiders. Digitalization in the energy sector and greater reliance on operational technology (OT) data broaden the interface between IT and OT, creating a dramatically larger attack surface. These operational transformations create both opportunities and risks, and organizations must balance the benefits of digitalization against the need for cybersecurity. At a whole-of-system level, the interconnectivity and complexity of energy sector value chains increase the susceptibility of critical infrastructure to malfunction or sabotage, with the potential for ripple effects and cascading impacts.
Malicious actors often target energy companies with ransomware motivated by financial gain. However, the emerging risk profile shows a shift towards cyber-physical risk. The discovery of the Triton malware, which specifically targets safety instrumented systems (the controls that bring a plant to a safe state when process conditions go out of bounds), and attacks leading to physical plant damage, such as Stuxnet, indicate the escalating threat. These types of attacks have the potential to result in large-scale property damage and/or loss of life.
Risk transfer is a critical consideration in any cyber risk management program, for both physical and non-physical impacts.
The cyber insurance market is in transition. The global cost of ransomware recovery is expected to exceed USD 20 billion in 2021. Ransomware-related losses have accelerated the deterioration of market conditions, and some leading cyber insurers are introducing coverage limitations, such as co-insurance on ransomware losses. Silent cyber exclusions, which remove unstated cyber cover from traditional property and casualty policies, are proving challenging because they increase the residual risk retained on balance sheets. However, risk transfer options remain available for malicious cyber events, while the traditional property insurance markets are better placed to underwrite accidental and physical property damage.
A standard cyber insurance policy can cover the first-party costs of non-physical impacts arising from a loss of confidentiality, availability, or integrity of data and technology. Cover is provided for loss of income and the extra expenses incurred to mitigate that loss, for data restoration to recreate critical process information, and for forensic investigation costs and the expenses of remediating and responding to a cyber event. Figure 1 below shows a full list of available coverages.
While organizations cannot eliminate cyber risk, they can proactively prepare for an attack. The steps organizations can take include:
Bring together key stakeholders, including risk management; information security, covering both the operational technology and information technology teams; and the treasury, finance, and legal teams, to ensure alignment on how you would manage an attack.
Effective preparation can help you build a cyber-resilient organization.
[1] Based on the 2019 Marsh Microsoft Global Cyber Risk Perception Survey. Read more: Winning the Cyber Risk Challenge (mmc.com).