U.S. energy companies are scrambling to buy more cyber insurance after this month’s attack on Colonial Pipeline (COLPI.UL) disrupted U.S. fuel supplies, but they can expect pay more as cyber insurers plan to increase their rates following a series of ransomware attacks.
The Colonial ransomware attack on May 7 shut down the largest network of fuel pipelines in the United States for several days, crippling the delivery of fuel to most of the east coast of the United States. learn more Pipeline companies depend on electronic networks, exposing them to additional attacks that could hamper the delivery of crude oil or other fuels.
Insurers are preparing to increase cyber insurance premiums by 25% to 40% in many industries due to the number of claims, according to insurance companies and brokers. But energy companies should expect rate hikes at the high end of the spectrum, as the colonial attack exposed their vulnerabilities and exposed insurers to losses.
According to Nick Economidis, vice president of cyber liability at insurer Crum & Forster, only about half of the nation’s pipeline companies currently purchase cyber insurance, although ransomware attacks have become more common.
“Since the colonial blackout, bids from energy companies have been on the rise across the board,” Economidis said, adding that he started receiving calls the day after the colonial attack.
Anthony Dagostino, cyber insurance broker at Lockton Companies, said his Houston office had responded to a large number of calls from energy companies in recent weeks.
“Before the attack, the energy sector had one of the lowest interests in purchasing cyber insurance of any industry, but over the past two weeks they are now very interested,” said Dagostino.
Regulators are working with pipeline companies to strengthen protection against attacks, the US Department of Homeland Security said this week. The energy industry’s cyber risk management and mitigation practices are not as advanced as other major sectors such as banking or real estate, increasing the risk of successful attacks, a Moody’s Investors Service said in a May 10 report.
Cyber attacks can be particularly damaging to the pipeline industry compared to other companies in the energy industry, as fuel supplies cannot be easily rerouted, Moody’s said, and pipeline operators have increased their supply. use of digital technologies to manage delivery.
To date, many companies have not purchased cyber insurance due to high premiums and difficulties quantifying incident costs, according to a report by the Government Accountability Office, a federal watchdog, on Monday.
“Many operators haven’t done the business impact analyzes that banks and large retailers do to determine the overall costs of a drop over a period of time,” Dagostino said.
Colonial had cyber insurance coverage of only about $ 15 million, according to a news report. Read more Last year, the company made a net profit of $ 420 million on $ 1.3 billion in revenue, according to regulatory filings.
Cyber insurance typically covers ransom payments, and insurers often provide staff to negotiate with hackers, in addition to IT and public relations services.
The average ransom paid is $ 1.9 million, but in recent months, cybercriminals have extracted ransoms of up to $ 40 million from a single company, according to a Bloomberg News report.
Companies that have cyber insurance often keep the initial loss which can range from $ 500,000 to $ 10 million, according to police. Then the insurance steps in to cover the ransom, which in Colonial’s case was $ 4.4 million, its managing director told The Wall Street Journal.
Insurance also covers business interruption costs and supply chain partner costs after a waiting period of eight to 24 hours.
Colonial, which carries around 2.5 million barrels of fuel per day, could have lost $ 9 million to $ 15 million in revenue due to the six-day outage, depending on the wait period, according to calculations by Reuters. Colonial has not commented on his losses.
Businesses have started purchasing cyber insurance in recent years after state laws began requiring them to notify consumers of data breaches. However, pipeline companies have little data on consumers, which may have prevented them from purchasing protection, Economidis said.
Our Standards: The Thomson Reuters Trust Principles.