Oil and gas companies are increasingly under threat from cyber attack, yet few of them have adequate protection in place to reduce this threat. A new generation of insurance products is being designed to meet these complex challenges, writes Dominick Hoare, chief underwriting officer, Munich Re Syndicate.
Nearly 70 percent of oil and gas companies have recently experienced a cyber incident, according to a 2017 study by Ponemon/Siemens. Coordinated attacks, such as the hack on companies that supply power to the US power grid in early September, or the one in Norway that targeted 300 oil and gas producers in 2014, underscore the growing risk.
Worldwide, the oil and gas sector has the highest percentage of cyber attacks of any industry: 32 percent of all attacks. Yet the industry appears slow to accept the likelihood and severity of the risk. Just a handful of the top 25 oil and gas companies worldwide cited cyber breaches as a major risk in their annual disclosures.
Oil and gas producers are increasingly in the crosshairs of hackers and protecting themselves has become more difficult than ever. The industry is operationally and financially complex, and the increasing reliance on technology only increases the risk.
Among the chief vulnerabilities is increased connectivity, with drilling and production operations often spread across a broad geographic area. That vulnerability is deepened with the growing use of automation, including robots, and the use of satellite links to control offshore operations.
The industry’s financial complexity also offers multiple avenues for hackers. With complex royalty payment structures for onshore operators, there is more of the ‘traditional’ data breach exposure than is often perceived. In addition, much of the data held and generated by oil and gas producers, such as seismic and well logs, is sensitive.
Among the top cybersecurity issues identified by Munich Re Syndicate, together with Munich Re’s Corporate Insurance Partner unit, are the fairly easy accessibility of production systems from the internet; the use of IT products with unpatched vulnerabilities in the production environment; insufficient monitoring of the systems for cyber attacks and incident response; a lack of employee cybersecurity awareness and training; access of suppliers to IT and production systems; and insufficient separation of data networks.
While the entire industry is vulnerable, upstream operations—exploration, development and production—are at particular risk. The overarching reason is the legacy asset base, which has been retrofitted and patched together over the years.
The level of protection is surprisingly inadequate. Whether hackers are motivated by financial gain, including industrial espionage, or political gamesmanship, the ramifications of a breach are enormous. Still, 61 percent of oil and gas companies say their organisation has difficulty managing cyber risks, according to Deloitte data.
If a breach should occur, the industry seems dramatically underprepared. A mere 15 percent of oil and gas companies worldwide have fully considered the information security implications of their current strategy and plans, according to a 2016/17 survey by EY. An even smaller percentage—just 6 percent—have a robust incident response programme and regularly conduct tabletop exercises, the survey found.
Perhaps most surprising, it’s estimated that less than 2.5 percent of upstream oil and gas companies buy any form of cyber insurance.
The occurrence of cyber attacks is only expected to intensify as the drive for efficiency via the link between technology and business continues to evolve. The possible consequences of a cyber attack are broad. On the physical side, oil and gas businesses face risks ranging from shutdown of production systems, fire and explosion, to loss of well control and pollution. Business interruption is a very likely scenario.
Non-physical consequences might include loss or falsification of research data that could lead to delays in new ventures and being at a competitive disadvantage, the costs and time associated with IT forensics and data recovery, reputational risk, legal defence and extortion or other criminal acts.
Demand for insurance products is growing, albeit very slowly. According to the Association of British Insurers, the oil and gas sector will spend $1.87 billion on cybersecurity solutions and services by 2018.
Insurance solutions strive to cover multiple risks, from physical losses, such as a well blowout, to business interruption. For example, one product introduced recently includes a provision for a full cyber attack buyback; business interruption and outsourcing coverage; physical damage; privacy breach protection and liability; and cyber base coverage, including data loss and recovery, cyber extortion, reputational risk and network security liability.
The oil and gas industry underpins much of the world economy. Munich Re Syndicate sees the importance of moving quickly to address this risk for the oil and gas sector—on top of the traditional cyber coverage on business interruption and loss of reputation.
With so much at stake, executives and boards must take steps to educate themselves and their employees about the growing threat of cyber attacks, and protect their businesses with preventive measures and comprehensive insurance coverage.