On May 7, 2021, pipeline operator Colonial Pipeline Company suffered a ransomware cyberattack on its namesake Colonial Pipeline. Hackers attacked computerized management equipment, effectively freezing one of the largest pipelines responsible for delivering gasoline and jet fuel across the Southeastern United States. The attack was the largest of its kind on an oil infrastructure target in United States history.
With FBI assistance, the company paid a $4.4 million ransom to restore pipeline operations. Law enforcement agencies and media sources identified DarkSide, a criminal hacking group, as the culprit.
In the wake of the attack, developers of energy projects which rely on pipelines to deliver products (from traditional oil to renewable natural gas) find themselves exposed to the new risk of ransomware attacks – a risk which security technology is still struggling to address. In the meantime, energy project stakeholders (from financing sources to offtake customers) are turning to cyber risk insurance for protection. Project financiers and offtake customers to whom firm delivery obligations are owed are increasingly seeking evidence of cyber risk coverage during diligence efforts. But not all policies are created equal; selecting the coverage most appropriate to a project requires an understanding of the types of coverage available and common exclusions.
The most common insurable cyber risks involve dangers to privacy, security, operations, and service. Generally, cyber risk coverage addresses these risks through four distinct insuring agreements: network security, network business interruption, media liability, and errors and omissions. Of those, the agreement most applicable to cyberattacks like the one to which the Colonial Pipeline fell victim is the one that deals with network security.
Often, network security coverage provides protection against both first-party costs (those suffered directly by an insured) and third-party costs (those suffered directly by a party other than the insured) incurred as the result of a network security failure (which can include a data breach, malware infection, cyber extortion demand, ransomware attack, or business e-mail compromise). First-party covered costs typically include legal expenses, IT forensics, negotiation and payment of ransomware demands, data restoration, public relations assistance, and – if applicable – credit monitoring and identity restoration. Some policies also provide for the potential recovery of lost profits and extra costs incurred due to business interruptions.
While most cyber risk policies contain some combination of the above protections, the variety of carriers entering the market makes navigating products daunting. Companies need to sift policies for exclusions of future lost profits, for example, and determine which gaps in cyber risk coverage might be addressed by more traditional insurance products, like property liability and general liability coverages. They also need to brace for rigorous underwriting. Given the recent increase in remote work and telecommuting, carriers are increasingly wary of inadequate security controls and unsecured networks. Moreover, recent cyberattacks have resulted in considerable carrier payouts – making good responses to underwriting requirements essential to securing affordable coverage without onerous exclusions. Professional advisors familiar with the cyber risk insurance market can be essential to securing the coverage businesses need.