Cyber insurance for oil companies

 By Chris Dalby

The rising prevalence of cyber-attacks targeting governments and corporations has made news coverage of said attacks seem almost banal. However, there is nothing banal to an energy giant having its intellectual property threatened, its reputation potentially put at risk, and its operations in danger of being suspended. Chris Dalby looks at the growth of the cyber-insurance market in the oil industry and how is becoming an essential part of a company’s coverage…

(Cover photo by

In 2015, 82 percent of oil and gas companies registered an increase in cyber attacks. This has seen coverage against cyber crime go from being a rising trend to an absolute necessity.

The rise in attacks have been attributed to many reasons, personal vendettas, geopolitical tensions, industrial espionage, but these influences have long impacted the oil sector. Instead, the advances in smart technology and connectivity have made the number of targets proliferate. Back in 2012, 40 percent of cyber attacks on U.S. critical infrastructure targeted energy assets.

In its World Energy Perspectives 2016, the World Energy Council wrote that “increasing interconnection and digitization of the energy sector (including smart grids, smart devices and the growing internet of things) and its critical role in the functioning of a modern economy make the energy sector a highly attractive target for cyber attacks aimed at disrupting operations. Although digitization increases operational efficiency in the industry, growing interconnection also raises the complexity of cyber risk management.”

The cost of such a data breach hits victim American companies for an average of $5.85 million, the highest level in the world.

Most targeted industries for cyber attacks

Even more scarily, cyber attacks can lead to body counts. A series of hacking attacks on oil facilities in the Middle-East over the summer caused at least three deaths, now making it a matter of life and death for all links of the oil value chain to up their cyber insurance.

Despite this, the insurance industry had been somewhat slow to respond to this new need for its oil clients. Older policies might cover data loss or IT downtime, but the physical damages, denial of service attacks, or various economic losses may not have been covered.

ExxonMobil did not wait for the industry to catch up and others are following its example, has also taken draconian measures to reduce the risk of cyber attacks. Its head of cybersecurity testified to the newly founded Commission on Enhancing National Cybersecurity that employees could no longer check personal emails at work and that devices such as USBs have been banned.

While supermajors have been proactive in countering these threats by upgrading their security and technological countermeasures, alongside their insurance policies, smaller companies had been left adrift without the resources they need to protect themselves.

In May, Willis Towers Watson launched Risk Protect, a risk management insurance option for the oil industry, which specifically covers cyber-crime. Willis has been warning of this peril for years. In 2014, it published a statement that “a major energy catastrophe – on the same scale as … Exxon Valdez or Deepwater Horizon – could be caused by a cyber attack, and, crucially, that cover for such a loss is generally not currently provided by the energy insurance market.”

SEE MORE: Tackling the cyber threat by Peter Ward


Smaller companies may not be able to devote the same resources to preparations as ExxonMobil. Nevertheless, targeted insurance policies such as this one also includes a range of additional protection, including security audits, assistance in designing technical solutions, training of staff, and response advice in the event of an attack.

The rest of the world is also being left behind by the U.S., which still accounts for 90 percent of the global cyber-insurance market. Yet, as insurers roll out similar protection one after the other, while tailoring them to the needs of individual clients, this gap must close.

In the past, certain excuses might have worked. EU laws requiring that data breaches be formally notified may have spooked certain companies afraid of penalties. Yet, according to Deloitte, cyber-insurance options now specifically offer coverage for any fees or penalties attached to the breach.

Underestimating the costs of attacks may have led executives to previusly downplay the risk. Yet the high double-digit increases in cyber attacks seen year after year mean that even the most technologically averse CEO are taking notice.

World Energy Council secretary-general, Christoph Frei, writes that ” we expect cyber risks to increase further and change the way we think about integrated infrastructure and supply chain management.” Having solid insurance will allow companies to face these significant threats with far more confidence.

about the author
Chris Dalby
Journalist. Editor. China, Mexico, Latin America, Asia, place branding, Olympics, oil and gas, mining, renewable energy, international politics.