US energy companies are scrambling to buy more cyber insurance after last month's attack on Colonial Pipeline disrupted the US fuel supply, but they can expect to pay more as cyber insurers plan to increase rates following a slew of ransomware attacks.
The Colonial ransomware attack on 7 May shut the largest fuel pipeline network in the United States for several days, crippling fuel delivery to most of the US East Coast. Pipeline companies rely on electronic networks, putting them at risk of additional attacks that could hamper delivery of crude oil or other fuels.
Insurers are preparing to increase cyber insurance premiums by 25% to 40% across many industries because of the number of claims, insurance companies and brokers have said. But energy companies should expect rate increases at the higher end of the spectrum as the Colonial attack exposed their vulnerabilities and exposed insurers to losses.
Only about half of the nation's pipeline companies currently buy cyber insurance even though ransomware attacks have become more frequent, according to Nick Economidis, vice president of cyber liability at insurer Crum & Forster.
"Since the Colonial outage, submissions from energy companies are up across the board," said Economidis, adding that he started getting calls the day after the Colonial attack.
Anthony Dagostino, cyber insurance broker at Lockton Companies, said his Houston office has been fielding a large number of calls from energy companies in recent weeks.
"Before the attack, the energy sector had some of the lowest interest in purchasing cyber insurance of all industries, but, in the past 2 weeks, now they're very interested," Dagostino said.
Regulators are working with pipeline companies to strengthen protection against attacks, the US Department of Homeland Security said. The energy industry's "cyber risk management and mitigation practices are not as advanced" as other major sectors like banking or real estate, raising the risk of successful attacks, Moody's Investors Service said in a 10 May report.
Cyber attacks can be particularly damaging for the pipeline sector compared with other companies in the energy sector because fuel supply cannot be easily rerouted, Moody's said, and pipeline operators have increased their use of digital technologies to manage delivery.
To date, many companies have not bought cyber insurance because of high premiums and difficulties in quantifying the costs from incidents, according to a report from the Government Accountability Office, a federal watchdog.
"A lot of operators have not done the business impact assessments that banks and big retailers do to determine overall costs of being down for a certain period of time," Dagostino said.