REUTERS: US energy companies are scrambling to buy more cyber insurance after this month’s attack on Colonial Pipeline disrupted US fuel supplies, but they can expect to pay more as cyber insurers plan to increase their prices following a series of ransomware attacks.
The Colonial ransomware attack on May 7 shut down the largest network of fuel pipelines in the United States for several days, crippling fuel delivery to most of the United States’ east coast. Pipeline companies rely on electronic networks, exposing them to additional attacks that can interfere with the delivery of crude oil or other fuels.
Insurers are preparing to increase cyber insurance premiums by 25-40% in many industries due to the number of claims, according to insurance companies and brokers. But energy companies should expect rate hikes at the high end of the spectrum, as the Colonial attack exposed their vulnerabilities and exposed insurers to losses.
According to Nick Economidis, vice president of cyber liability at insurer Crum & Forster, only about half of the nation’s pipeline companies currently purchase cyber insurance, although ransomware attacks have become more common.
“Since the Colonial blackout, bids from energy companies have been on the rise across the board,” Economidis said, adding that he started receiving calls the day after the Colonial attack.
Anthony Dagostino, cyber insurance broker at Lockton Companies, said his Houston office had responded to a slew of calls from energy companies in recent weeks.
“Before the attack, the energy sector had one of the lowest interests in purchasing cyber insurance of any industry, but over the past two weeks they are now very interested,” said Dagostino.
Regulators are working with pipeline companies to strengthen protection against attacks, the US Department of Homeland Security said this week. The energy industry’s cyber risk management and mitigation practices are not as advanced as other major sectors such as banking or real estate, increasing the risk of successful attacks, Moody’s Investors Service said in a May 10 report.
Cyber attacks can be particularly damaging to the pipeline industry compared to other companies in the energy industry, as fuel supplies cannot be easily rerouted, Moody’s said, and pipeline operators have increased their use of digital technologies to manage delivery.
To date, many companies have not purchased cyber insurance due to high premiums and difficulties quantifying incident costs, according to a report https://www.gao.gov/assets/gao-21-477.pdf on Monday from the Government Accountability Office, a federal watchdog.
“Many operators haven’t done the business impact analyses that banks and large retailers do to determine the overall costs of a drop over a period of time,” Dagostino said.
Colonial had cyber insurance coverage of only around $15 million, according to a news report. Last year, the company made a net profit of $420 million on revenue of $1.3 billion, according to regulatory documents.
Cyber insurance typically covers ransom payments, and insurers often provide staff to negotiate with hackers, in addition to IT and public relations services.
The average ransom paid is US$1.9 million, but in recent months, cybercriminals have extracted ransoms of up to US$40 million from a single company, according to a Bloomberg News report.
Companies that have cyber insurance often keep the initial loss, which can range from US$500,000 to US$10 million, according to police. Then the insurance steps in to cover the ransom, which in Colonial’s case was $4.4 million, its managing director told The Wall Street Journal.
Insurance also covers business interruption costs and supply chain partner costs after a waiting period of eight to 24 hours.
Colonial, which transports around 2.5 million barrels of fuel per day, could have lost $9 million to $15 million in revenue following a six-day outage, depending on the waiting period, according to Reuters calculations. Colonial has not commented on its losses.
Businesses have started purchasing cyber insurance in recent years after state laws began requiring them to notify consumers of data breaches. However, pipeline companies have little data on consumers, which may have prevented them from purchasing protection, Economidis said.
(Reporting by Laura Sanicola in New York; Editing by Matthew Lewis)