U.S. energy companies are scrambling to buy more cyber insurance after this month's attack on Colonial Pipeline disrupted the U.S. fuel supply, but they can expect to pay more as cyber insurers plan to hike rates following a slew of ransomware attacks.
The Colonial ransomware attack on May 7 shut the largest fuel pipeline network in the United States for several days, crippling fuel delivery to most of the U.S. East Coast. Pipeline companies rely on electronic networks, putting them at risk of additional attacks that could hamper delivery of crude oil or other fuels.
Insurers are preparing to increase cyber insurance premiums by 25% to 40% across many industries because of the number of claims, insurance companies and brokers have said. But energy companies should expect rate increases at the higher end of the spectrum as the Colonial attack exposed their vulnerabilities and exposed insurers to losses.
Only about half of the nation's pipeline companies currently buy cyber insurance even though ransomware attacks have become more frequent, according to Nick Economidis, vice president of cyber liability at insurer Crum & Forster.
"Since the Colonial outage, submissions from energy companies are up across the board," said Economidis, adding that he started getting calls the day after the Colonial attack.
Anthony Dagostino, cyber insurance broker at Lockton Companies, said his Houston office has been fielding a large number of calls from energy companies in recent weeks.
"Before the attack, the energy sector had some of the lowest interest in purchasing cyber insurance of all industries, but in the past two weeks, now they're very interested," Dagostino said.
Regulators are working with pipeline companies to strengthen protection against attacks, the U.S. Department of Homeland Security said this week. The energy industry's "cyber risk management and mitigation practices are not as advanced" as other major sectors like banking or real estate, raising the risk of successful attacks, Moody's Investors Service said in a May 10 report.
Cyber attacks can be particularly damaging for the pipeline sector compared with other companies in the energy sector because fuel supply cannot be easily rerouted, Moody's said, and pipeline operators have increased their use of digital technologies to manage delivery.
To date, many companies have not bought cyber insurance because of high premiums and difficulties in quantifying the costs from incidents, according to a report from the Government Accountability Office https://www.gao.gov/assets/gao-21-477.pdf, a federal watchdog, on Monday.
"A lot of operators have not done the business impact assessments that banks and big retailers do to determine overall costs of being down for a certain period of time," said Dagostino.
Colonial had cyber insurance coverage of only about $15 million, according to one media report. Last year, the company had net income of $420 million on $1.3 billion of revenue, according to regulatory filings.
Cyber insurance typically covers ransom payments and insurers often provide staff to negotiate with the hackers, in addition to IT and public relations services.
The average ransom paid is $1.9 million, but in recent months cyber criminals have extracted ransoms as large as $40 million from a single company, according to a Bloomberg News report.
Companies that have cyber insurance often retain the initial loss that can range from $500,000 to $10 million, depending on the policy. Then the insurance kicks in to cover the ransom, which in Colonial's case was $4.4 million, its chief executive told the Wall Street Journal.
Insurance also covers business interruption costs, and costs from supply-chain partners after a waiting period of eight to 24 hours.
Colonial, which carries about 2.5 million barrels of fuel a day, could have lost $9 million to $15 million in revenue from the six-day outage, depending on the waiting period, according to calculations by Reuters. Colonial has not commented on its losses.
Companies started to buy cyber insurance in recent years after state laws began requiring them to notify consumers of data breaches. Pipeline companies, however, have little consumer data, which may have prevented them from purchasing protection, Economidis said.
(Reporting by Laura Sanicola in New York Editing by Matthew Lewis)