Posted in News on 02 Dec 2021
Cyber-attacks are becoming increasingly prevalent as criminals develop ever-more sophisticated modes of attack.
Companies are growing faster and expanding their reach further, and Covid-19 has accelerated the need to digitize sooner. It means they’ve left themselves much more exposed to cyber threats, which have increased in both severity and frequency.
Among the fastest growing and most costly is ransomware. Often led by nation-state sponsored hackers from countries such as Russia and Ukraine, ransomware attacks use malicious software to block access to a computer system; the hacker will then typically extort large sums of money, often in the multi-million dollar range, for the system to be unlocked again.
Some ransomware attacks also exfiltrate the victim’s data, with the threat of it being sold on the dark web if the criminals’ demands aren’t met. This adds a further layer of legal liability and complexity, requiring victims to notify affected regulators and individuals that their data has been compromised.
Social engineering scams, mainly business email compromise and invoice fraud, are on the rise too. Victims sustained $1.7 billion in losses stemming from business email compromise alone in 2019, according to the FBI’s Internet Crime Report 2020.
The effects on businesses can be devastating, both financially and reputationally. But until an event happens, many companies are reluctant to invest in cyber security because of the lack of instant, tangible results and the perceived low-value returns for shareholders.
Energy firm targets
Top of hackers’ list of targets are energy and utility companies worth billions of dollars. Their large geographic spread and organizational complexity, coupled with the unique interdependencies between their physical and cyber infrastructure, make them more vulnerable to exploitation. For example, if hackers gain access to midstream operations, they can halt the supply of oil through the pipeline to the end customer.
The most high-profile attack in recent times was on the Colonial Pipeline, which supplies 45% of the oil used by the U.S. East Coast. Hackers managed to shut the company down for five days in May and accrued a $4.4 million ransom demand, half of which was paid in Bitcoin. Industry-wide, the total cost of data breaches for the energy sector is $6.39bn per year, well in excess of a global average of $3.86bn.
Cyber-attacks aren’t just limited to oil and gas companies either. A recent security research report found that a co-ordinated attack against electric vehicle charging stations has the potential to take down an entire power grid. Given the growing threat of such attacks, demand for cyber insurance from energy companies has skyrocketed in recent months.
Emerging bad actors
Not only is the frequency of cyber-attacks on energy firms rising, but cyber security experts and intelligence sources report that the number of threat actors is increasing too, as are their capabilities. Internal threats from human error and disgruntled employees or contractors have traditionally been the most common threats.
But now nation-state actors and organized criminal gangs have muscled in on the act. There’s been crossover between the two as well, with professional hackers being contracted to carry out ransomware attacks on behalf of a state or country.
One of the most common attack vectors in the power industry is phishing. This is where the target is sent an email asking them to click on a link which, if they do, infects their system with malware, or which requests personal data that is then used to gain unauthorized network access. Other popular methods include credential theft, denial of service and remote access trojans.
Points of vulnerability
Among the biggest targets are industrial control systems, which hackers attempt to access through third parties in the supply chain. After gaining entry, they quickly learn how the system operates and take control of the physical assets such as power plants, substations, and transmission and distribution networks, causing widespread disruption and damage.
Added to that, while power firms have benefitted greatly from modernizing the grid, they’ve also left themselves exposed by inadvertently providing hackers with a host of new access points to exploit. As the supply chain becomes more complex and companies continue to automate functions, so the risk increases.
Taking a holistic view
The problem is that energy companies have traditionally classed cyber risk under two distinct categories: those which affect either information technology (IT) or operational technology (OT). As the two have increasingly converged, though, thanks to digitization and the Internet of Things, companies now need to consider them as one risk.
Cyber risk isn’t limited to these two categories either: it encompasses every department of the organization from supply and procurement to corporate information security and legal. To mitigate the problem, an effective ownership and accountability structure needs to be put in place.
Companies also need to have full oversight of third-party suppliers and get them to adhere to the same rigorous cyber security procedures. Those that fail to do so should be held to account or, in some cases, let go for a more cyber conscious partner.
Insurance is a key part of tackling the growing problem of cyber risk. In the wake of the Colonial Pipeline attack, energy firms have been rushing to secure cyber coverage, in fear that they may suffer a similar fate.
However, at the same time, insurers have been ramping up their rates by as much as 25% to 40% in response to a surge in claims coming from a rise in recent ransomware attacks. Prices are set to climb even further still, with cyber insurers’ average loss ratios increasing year-on-year (44.8% in 2018 and 67.8% in 2019).
Underwriters have also been increasing their scrutiny of risks, requiring more information from insureds before quoting the risk. They have also been pulling back on coverage and capacity, and inserting sub-limits and exclusions into their policies.
Another problem is that many companies mistakenly believe they’ll be covered for cyber-attacks under their property or liability policies, but they’re not. So they need to take out a specific cyber insurance policy or write-back add-ons to plug any coverage gaps.
But where companies are able to find affordable coverage, they’ll be protected against losses related to damage to, or data loss from, IT systems and networks. Insurers can also help to manage the incident in the media, which is essential when faced with reputational damage or regulatory enforcement.
Rating agency A.M. Best has warned that cyber insurance’s fast-changing risk landscape has outpaced insurers’ consideration for the exposures they’re looking to underwrite. Many risks that would have been inconceivable just a few years ago are now among the most common and expensive to deal with.
Yet, despite the withdrawal of some key players, new entrants keen to take advantage of the hard market are filling the void and bringing new capacity to the table.
The problem, however, is that many of the more established insurers still rely heavily on questionnaires, penetration tests and on-site assessments to gain insight into clients’ cyber security strategies and defenses. This is time-consuming and expensive, and only provides a small snapshot of what they are doing at that particular moment.
Because of changing corporate ecosystems, supply chains and mergers and acquisitions and their effect on an organization’s security strength and protocols, insurers need to have a regular oversight of the real time risks facing that organization. It’s vital therefore to use data-driven tools that can effectively gain insight into the past and current cyber security performance of an energy business if a meaningful cyber insurance solution is to be delivered.
Risk mitigation strategies
From a company perspective, there are key steps energy firms can take to proactively mitigate cyber risk. They should:
- examine their current property and casualty, liability and crime insurance policies to determine exactly what level of cover they have in the event of a cyber-attack, and identify any gaps or overlaps
- work with their brokers to ensure they have a comprehensive cyber insurance policy in place, considering the use of self-insured retentions, any exclusions, liability limits and security standards required, as well as regional restrictions
- use the pre- and post-breach services provided by their broker and insurer to improve their risk management practices, and access the legal, forensic and claims teams required if an event should occur
- have a regularly tested incident response plan in place that includes the time frame to identify and report a breach, and the appropriate actions to take
- integrate their cyber security protocols into critical decision-making and expansion plans, proactively devising robust programs and processes that reduce geographic, operational and supply chain vulnerabilities and counter the emerging tactics, techniques and procedures used by cyber criminals.
And lastly, and perhaps most difficult to deliver, there needs to be an industry-wide effort to secure the sector’s physical and virtual infrastructure, as well as its IT and operational technology networks, if we are to protect energy and utility users from the outages that a cyber-attack could cause.
FOR MORE INFORMATION, GET IN TOUCH
JONATHAN SMITH | MANAGING PARTNER
Direct: +44 (0)20 7204 6186