11 October, 2017
The energy sector is undergoing a major digital transformation. In a drive to innovate and cultivate market share, onshore and offshore companies are making increased use of internet-connected systems, cyber infrastructure and digital technologies. This has reduced costs, improved efficiencies and streamlined operations, all boosting the potential bottom line. With these benefits, the energy digital revolution is here to stay.
New Challenges
With a changing industry come new challenges, and for insurers, this means new risk. Of particular concern to the energy industry is the growing potential for cyber threats to manifest as physical damage, or damage to the surrounding environment. In 2012, Saudi Aramco's computer system was crippled by the "Shamoon" virus, resulting in 85% of its hardware being destroyed. In 2014, hackers attacked the network of a German steel mill, causing massive damage to its manufacturing processes and physical infrastructure. In 2015, Korea Hydro and Nuclear Power Co was targeted by hackers intent on causing nuclear reactors to malfunction, and in Ukraine a hack affected three power distribution companies, causing outages to 80,000 customers. Just this week, Symantec warned that there has been an increase in the number of cyber-attacks on US/EURO energy companies this year, reinforcing the reality that the sophistication and volume of cyber-attacks are increasing annually.
Tentative Offerings
Despite the increasing need for insurance protection from such threats, underwriting of cyber risk has started tentatively. By 2018, it is estimated that oil and gas companies will spend USD 1.87 billion on cyber security and protection, but demand for cyber protection currently far outstrips supply. Where offered, energy cyber insurance usually takes one of two forms:
1. Standalone Cyber Cover: In other words, cyber liability insurance cover, including specific policies for data breach, liabilities, property damage and losses caused by information technology failures.
2. Cyber Endorsements: Policy endorsements extending the cover of existing insurance; for example, extending general liability policies to cover data breaches.
The Resultant Silent Threat
The main problem with current cyber offerings is that there is currently no market consensus regarding how to quantify and allocate the risk which flows from digital business activities.
The digital transformation of the energy sector is in its infancy, despite its fast and prominent growth, and there is not enough loss data for insurers to allocate the risk in a traditional way.
Another major problem for reticent insurers is their potential exposure to "silent" cyber risks. Such risks occur as a result of the wording of current cyber insurance products, and arise in two main instances:
1. Gaps in Cyber Exclusions in Traditional Policies: Traditional energy policies often exclude cyber liability except for specific nominated perils, such as fire and explosion. There is concern in the market that such wordings may leave insurers open to large-scale losses (no matter how unlikely it may be that such nominated perils will trigger cyber cover), as the nature, extent and probability of occurrence of such perils in a cyber context are unknown. It is difficult to model the likelihood of a specific cyber triggering event.
2. Traditional Policies without Cyber Exclusions: The prominence of "All Risks" policies in the energy sector is a major worry for cyber insurers. All Risk policies often contain no express cyber exclusions or endorsements for cyber losses, and there is therefore a risk of them unintentionally covering unquantifiable cyber losses.
Building for the Future
As a result, there is growing sentiment within the energy market that current cyber offerings are unsustainable. Insurers are concerned that soft market conditions have driven them to offer insurance for a risk which is fundamentally unknown, inherently scalable and prone to risk aggregation.
The Prudential Regulation Authority acknowledged this issue in a consultation paper dated November 2016, in which it stressed the need (and expectation) for insurers to identify, quantify and manage the risks emanating from cyber underwriting, both in terms of affirmative and silent cover.
The EU Network Information Security Directive, which applies from May 2018, is a further reaction to the potential systemic nature of cyber risk, and imposes an obligation on "operators of essential services" within the energy sector to minimise the impact of cyber security incidents and to ensure the continuity of their services.
The effect of such government-driven awareness and legislation remains to be seen, but it is clear that energy insurers should not wait for the "next big cyber loss" before refining and fully determining the risk profile of cyber cover. Hacking attacks such as the 2015 attack on Korea Hydro and Nuclear Power Co are a stark reminder of the potentially devastating impact of cyber losses on the energy insurance industry.
Insurers should work with energy companies to gain a better understanding of how, why and where cyber-attacks are likely to affect energy operations. The lack of historical claims data is a current constraint on the development of cyber insurance products, but insurers should not wait to react to government regulation to develop the cyber market.
Demand for cyber coverage in the energy sector has never been higher, and insurers should seize this opportunity.
For further information, please contact:
Sophie Shiffman, Clyde & Co
sophie.shiffman@clydeco.com
Rob King, Partner, Clyde & Co
rob.king@clydeco.com