The following was authored by Mary Guzman, Senior Vice President, InfoSec Practice Leader with McGriff, Seibels & Williams, Inc.
There is much going on in the cyber world related to energy and utility companies. As has long been anticipated, it appears that Industrial Control Systems are the subject of targeted attacks both against Oil and Gas companies as well as Utilities. At the moment, it appears the attackers are focused on espionage with a plan for who knows what down the road. There is a new Oil and Gas ISAC (Information Sharing and Analysis Center) in addition to an already very active ICS ISAC (if you don’t visit their web site often already, it is a great source of information about current cyber threats against Critical Infrastructure). Also, the DHS is holding several closed working sessions for select insurance industry representatives on how we can play a more crucial role (and how they can help us) in developing risk transfer solutions and risk mitigation strategies for clients in this sector. I attended the first one and I am hopeful some good things will come out of it in the coming months!
Below you will find several recent articles highlighting attacks on the energy sector, as well as an update on how robust the SEC is becoming in pursuing companies that do not provide adequate disclosures around information security related risks and security breaches that have already occurred. The debate looms over how much information is too much, but really how much is a sophisticated hacking group like Energetic Bear going to learn from a paragraph in your SEC filing?
On the insurance front, as you are hopefully aware, McGriff has developed an energy line slip that provides $100mm+ in insurance capacity that covers the full spectrum of information security related risks for utilities and other energy companies, including full privacy coverage with no sub-limits for breach response expenses, damage to data, business interruption and extra expense, failure to supply resulting in regulatory investigation/fines and/or law suits from third parties who suffered an outage as a result, and other industry specific risks that have not been readily insurable before. We are gaining traction on both the product and the process we use (partnering with a third party information security firm) to provide robust risk assessment underwriting data to the markets on a confidential, secure basis.
Given the current state of these targeted attacks, some of the coverage features we’ve built into this policy form (not available on standard policy language or, as far as we are aware, anywhere else) become even more vital to make sure the protection you believe purchased is in fact included in the contract.
- automatic 2 years of Prior Acts coverage (huge if you are buying this insurance for the first time)
- favorable “warranty” language
- favorable Notice and Consent provisions
- full regulatory coverage even for non-privacy related fines and penalties where insurable and with most favored venue language
- failure to supply
- first party “programming or administrative” error coverage
- affirmative “cyber terrorism” coverage
This policy is geared specifically to your industry and the very risks discussed in these headlines.
Of importance to note, in the Oil and Gas sector there are already exclusions on most property and/or terrorism policies for cyber attacks that preclude coverage for actual property damage and/or business interruption and extra expense. Having several rigs out of operation for days on end could cost millions of dollars in lost income and damage to or loss of proper use of a blow out preventer could have serious consequences. We are seeing a nudge (as opposed to a push) to add these exclusions to utilities and we are also seeing concerning language on casualty policies (such as regulatory or intentional acts exclusions) that may be problematic in the event of a major breach event. There is capacity available on a separate policy form and through a different underwriting process for these risks (several carriers now coming out with policies written to address these gaps). If cyber-related property damage is of interest to your organization, please let us know.
We hope you find this of use and that you will pass this along to others in your organization that may be interested.
Hackers Target Energy Firms By Mathew J. Schwartz, July 1, 2014 (BankInfoSecurity.com)
Russian Hackers Targeting Oil and Gas Companies By Nicole Perlroth, June 30, 2014 (The New York Times)
SVP,InfoSec Practice Leader