Daily GPI / Infrastructure

Energy Companies Seen Financially Vulnerable to Cyber-Attack

While the energy loss record in both the upstream and downstream oil and gas insurance markets during 2013 was no worse than average, the energy industry itself "might be sitting on an uninsured cyber-attack time bomb," according to a new report from Willis Group Holdings plc, a global risk advisor, insurance and reinsurance broker.

In the company's 94-page 2014 Energy Market Review, it found that theoretical insurance capacities in both the upstream and downstream oil and gas insurance markets have increased to the highest levels seen this century, thanks to heavily over-capitalized global (re)insurance markets combined with a glut of new capacity from nontraditional providers, such as pension funds, hedge funds and investment banks. These factors have "increased competitive pressures in the energy insurance market to unprecedented levels," Willis said.

Total theoretical upstream market capacity now stands at US$5.7 billion and the equivalent downstream total is now at US$4.6 billion, according to the report. Meanwhile, statistics from Lloyd’s of London suggest that the overall energy premium pool available to insurers may be reducing for both markets. Given these conditions, Willis said it expects it may take more than a run of catastrophic losses to provoke any significant capacity withdrawal from the energy sector.

On the upstream side, the Willis Energy Loss Database recorded only a handful of losses in excess of US$200 million, while on the downstream side, although there have been three serious incidents in Argentina, the United States and Canada, the loss record continues to improve.

With regard to the statement that the energy industry itself might be sitting on an uninsured cyber-attack time bomb, the report said that while insurance cover is readily available for non-catastrophic cyber-attack losses to data and intellectual property, it "can be much more challenging to access cover for a truly catastrophic event involving physical loss or damage or business interruption running into billions of dollars." Certain markets, however, have emerged recently with the appetite and capacity to provide energy companies with at least a degree of cyber-attack insurance cover, the report added.

Concerns about a cyber-attack hitting energy infrastructure are growing within the insurance community, primarily due to the proliferation of the Internet.

With connectivity to the Internet becoming the norm for many industrial control systems used by the energy industry, Willis said it can state "that a major energy catastrophe -- on the same scale as Piper Alpha, Phillips Pasadena, Exxon Valdez or Deepwater Horizon -- could indeed be caused by a cyber-attack." It added that coverage for such a loss is generally not currently provided by the energy insurance markets.

"With no obvious alternative investment opportunities emerging, and with interest rates around the world still low in relative terms, capital providers are likely to maintain their funds in the (re)insurance markets where they are currently deployed -- at least for the short term," said Alistair Rivers, global head of natural resources at Willis. "Energy market capacity is therefore likely to continue to be available, even if the sector falls into unprofitability.

"The difficulty with predicting how market conditions will turn out in the next few years is that this is the first time we have seen capital deployed in the insurance markets that is unlikely to be put off by short-term underwriting unprofitability. In previous market eras, we have always found that a major catastrophe or series of losses -- for example, Piper Alpha, 9/11 and the 2005 Gulf of Mexico hurricanes -- has led to a withdrawal of capacity and harder market conditions," Rivers said. "But now we think it will take more than a headline-grabbing loss to precipitate a withdrawal. Capital providers would have to find an alternative haven for their money if they are to withdraw from the insurance arena."

Last summer, a study by the Council on Foreign Relations (CFR) found that cyber-attacks on the oil and gas industry ranging from espionage by foreign intelligence services to attempts to interrupt a company's physical operations were posing "an increasingly challenging problem for U.S. national security and economic competitiveness" (see Daily GPI, June 27, 2013). CFR analysts Blake Clayton and Adam Segal said that not only have the threats grown more sophisticated over time, making them more difficult to detect and defend against, but so too have the actors behind them, which have evolved from lone hackers with few resources to state-sponsored teams of programming experts.

In February 2013 President Obama signed an executive order to strengthen the cybersecurity of critical U.S. infrastructure by increasing information sharing and by jointly developing and implementing with industry partners a framework of cybersecurity practices (see Daily GPI, Feb. 14, 2013). Obama began considering an executive order aimed at protecting critical national infrastructure, including power plants and natural gas and crude pipelines, from cyber-attacks after the U.S. Congress failed to pass the Cybersecurity Act of 2012.

The order came just days after the Department of Energy (DOE) said a "cyber incident" at DOE headquarters in Washington, DC, in January targeted the agency's network "and resulted in the unauthorized disclosure of employee and contractor" information. No classified data was compromised by the cyber-attack, according to DOE. Federal Energy Regulatory Commission Chairman Jon Wellinghoff went on the record earlier this year saying that the risks from cyber security threats to generation and gas pipeline infrastructure are increasing.

Recent Articles by Alex Steis