Energy Companies May Be Even More Exposed to Cyber Risks Than They Expect
For those in the oil and gas and power generation industry, it should come as little surprise that cyber-attacks were a major concern of most of those attending the National Oil Companies Conference in Dubai earlier this year. But what may come as a surprise is the fact that most traditional energy insurance policies exclude cyber exposures from coverage.
Even more alarming: Four-in-five oil and gas companies said their organizations had seen an increase in the number of successful cyber-attacks over the past year, according to a recent survey from digital security firm Tripwire. Furthermore, according to the US Department of Homeland Security, the energy sector was second only to critical manufacturing in cyber-attacks in 2015, experiencing 15.5% of incidents responded to by its Industrial Control Systems Cyber Emergency Response Team.
Headline-grabbing losses may have been few in this sector thus far, but it remains one of the most targeted, attracting politically and financially motivated hackers.
A cyber-attack on an energy company could cause:
- Exposure of intellectual property.
- Reputational damage.
- Disruption to operations.
Mitigating the Risk
In the face of this growing threat, there are several steps you should consider to help mitigate the risk, including:
- Countering threats from within the organization: This can include background checks of staff and contractors or additional training.
- Identifying vulnerabilities: Ensure antivirus software is in place and up-to-date, remove obsolete and unsupported software, and control use of removable media such as USB drives.
- Establishing a contingency plan: Back-up procedures can reduce the risk of costly denial-of-service disruptions. And don’t forget: Business continuity and disaster recovery plans need to be tested regularly.
- Carefully considering risk transfer solutions: This could include looking at insurance coverage for such risks.
The insurance market for cyber energy risks is growing exponentially to offer higher limits and more relevant coverage. Although many traditional energy policies exclude cyber, policies have evolved to provide coverage for the “gap” created by cyber exclusions.
At the moment, the purchasing of cyber coverage is limited in the energy sector, in part due to strained finances in the oil and gas sector and a lack of understanding of the risk. But ignoring risk transfer methods could lead to severe disruptions and losses in the future.
Energy companies have, so far, exhibited a varied level of response to this threat. It is expected that as the sector becomes subject to more risk management scrutiny, risk transfer will increasingly be seen as a necessity — especially as more cyber insurance products become available and the risk continues to grow.