Insurance coverage for cyber-attack losses in the global energy market isn’t as clear-cut as the industry might hope.
A new market report from Willis Group Holdings concluded that companies face a tougher time accessing coverage for billion-dollar catastrophic events that cause physical loss or interrupt business practice.
That lack of options for catastrophic coverage is a cause for concern. Alistair Rivers, the Global Head of Natural Resources at Willis, noted as much in his introduction to the firm’s evaluation of the 2014 energy market: “Cyber-Attacks: Can The Market Respond?”
“Alarmingly, this risk is currently excluded from most energy insurance policy forms,” Rivers wrote. “Although we can now detect the beginnings of a market for this critical risk, much more needs to be done to bring cyber, political violence and energy underwriting expertise together to forge a product that will truly meet the needs of this industry.”
At the same time, the report noted, coverage remains available for milder, non-catastrophic cyber-attack losses that hit data and intellectual property. Typically, that includes first-party network loss, privacy and security liability, media liability, privacy regulation defense (awards and fines), crisis management and cyber extortion costs, available from cyber insurance markets, the report explained.
It’s a big deal that cyber policies often don’t address cyber-attack catastrophes, because the situation “could well have financial consequences way in excess of the limits offered by this market” for covered losses, the report argued.
In addition, the “Upstream” and “Downstream” energy insurance markets generally add an exclusion (CL380) to policies, for example, one involving cyber-attacks resulting from viruses—something that can be found in policies covering the risks of war, civil war, or terrorism. (Editor’s Note: Losses from computer-guided missiles remain covered for policies with war coverage. See exclusion language in accompanying textbox, “What Does CL380 Say?”)
Why does this happen?
The report points out that losses resulting from cyber-attacks aren’t covered by energy insurers’ reinsurance treaties (which also apply the CL380 clause), that the energy insurance markets have an aggregation issue with cyber risk, and, tellingly, that most energy market insurers aren’t cyber experts.
It’s not as if signs of trouble aren’t making themselves known. The BBC reported recently on the discovery of bugs in software that helps to run a control system commonly used for oil rigs, power plants and refineries. Security researchers found the flaw, and the U.S. Department of Homeland Security said an attacker without much expertise could exploit the problem, according to the story. (April 4, 2014, BBC News, “Power plants put at risk by security bugs.”)
While the traditional cyber and energy insurance markets don’t cover catastrophic cyber-attack damage, some options have emerged, Willis noted, that give clients at least some cyber-attack insurance coverage.
The issue has gained greater industry attention in recent months. Last September, Marsh’s Energy Market Monitor noted that continued uncertainty regarding the use of cyber-exclusion clauses is reducing the value of insurance and heightening concern among global energy firms. These CL380 exclusions give insurers the ability to deny physical loss claims from cyber-related incidents, whether they are accidental or related to malice.
Acknowledgement of the need for more catastrophic cyber-terrorism coverage for the global energy markets comes as the total theoretical upstream market capacity now stands at $5.7 billion. The downstream total has now hit the $4.6 billion mark, according to data cited in the Willis report.