US energy companies are scrambling to buy more cyber insurance after this month’s attack on Colonial Pipeline (COLPI.UL) disrupted fuel supplies in the United States, but they can expect to pay more because cyber insurers plan to increase prices following a series of ransomware attacks.
The Colonial ransomware attack on May 7 shut down the largest fuel line system in the United States for several days, crippling the delivery of fuel to most of the United States’ east coast. Pipeline companies rely on electronic networks, which puts them at risk of additional attacks that could hamper the delivery of crude oil or other fuels.
Insurers are preparing to increase cyber insurance premiums by 25% to 40% in many industries due to the number of claims, according to insurance companies and brokers. But energy companies should expect rate hikes at the high end of the spectrum, as the colonial attack exposed their vulnerabilities and exposed insurers to losses.
According to Nick Economidis, vice president of cyber liability at insurer Crum & Forster, only about half of the nation’s pipeline companies currently purchase cyber insurance, although ransomware attacks have become more common.
âSince the colonial blackout, bids from energy companies have been on the rise in all areas,â Economidis said, adding that he started receiving calls the day after the colonial attack.
Anthony Dagostino, cyber insurance broker at Lockton Companies, said his Houston office had responded to a large number of calls from energy companies in recent weeks.
âBefore the attack, the energy sector had one of the lowest interests in purchasing cyber insurance of any industry, but over the past two weeks they are now very interested,â said Dagostino.
Regulators are working with pipeline companies to strengthen protection against attacks, the US Department of Homeland Security said this week. The energy industry’s cyber risk management and mitigation practices are not as advanced as other major sectors such as banking or real estate, increasing the risk of successful attacks, a Moody’s Investors Service said in a May 10 report.
Cyber ââattacks can be particularly damaging to the pipeline industry compared to other companies in the energy industry, as fuel supplies cannot be easily rerouted, Moody’s said, and pipeline operators have increased their supply. use of digital technologies to manage delivery.
To date, many companies have not purchased cyber insurance due to high premiums and difficulties quantifying incident costs, according to a report from the Government Accountability Office, a federal watchdog, Monday.
âMany operators haven’t done the business impact analyzes that banks and large retailers do to determine the overall costs of a drop over a period of time,â Dagostino said.
Colonial had cyber coverage of only around $ 15 million, according to a media report. Last year, the company had net income of $ 420 million on $ 1.3 billion in revenue, according to regulatory filings.
Cyber ââinsurance typically covers ransom payments, and insurers often provide staff to negotiate with hackers, in addition to IT and public relations services.
The average ransom paid is $ 1.9 million, but in recent months cybercriminals have extracted ransoms of up to $ 40 million from a single company, according to a Bloomberg News report.
Companies that have cyber insurance often keep the initial loss which can range from $ 500,000 to $ 10 million, depending on the policy. Then the insurance steps in to cover the ransom, which in Colonial’s case was $ 4.4 million, its managing director told The Wall Street Journal.
Insurance also covers business interruption costs and supply chain partner costs after a waiting period of eight to 24 hours.
Colonial, which carries around 2.5 million barrels of fuel per day, could have lost $ 9 million to $ 15 million in revenue due to the six-day outage, depending on the wait period, according to calculations by Reuters. Colonial has not commented on his losses.
Businesses have started buying cyber insurance in recent years after state laws began requiring them to notify consumers of data breaches. However, pipeline companies have little data on consumers, which may have prevented them from purchasing protection, Economidis said.
Our standards: Thomson Reuters Trust Principles.