Insurers are limiting how much coverage energy companies can buy to protect themselves against a major attack by hackers, potentially leaving investors, customers and taxpayers on the hook for sizable losses.

Brit Insurance, a syndicate that works with Lloyd’s of London, limits cybersecurity policies to around $300 million, according to underwriter James Bright. While companies can piece together policies from different insurers to boost that limit, the costs can be prohibitive, often requiring third-party assessments of security that can need upgrading.

The result is an industry largely unprepared for a hacker-triggered catastrophe, according to cybersecurity experts. The Exxon Valdez oil spill cleanup, for instance, cost $7 billion. Those kind of numbers have left insurers anxious over the lack of quantifiable information in an expanding market, and concerned the energy industry’s protections may not be adequate.

Energy companies tend to have “a superman fallacy,” said Dante Disparte, the head of Risk Cooperative, a Washington-based brokerage. “They don’t believe bad things will happen to them, or they believe the government will help them get back on the field.”

It’s a belief that’s drawing concern from the U.S. government, according to Disparte, who said he met with Treasury Department staff in mid-May. The government, along with industry groups and companies, are in the early stages of discussing the need for a cyber version of the Federal Deposit Insurance Corp., with energy as an initial target, he said. The Treasury Department wouldn’t immediately comment.

Taxpayer Protection

The goal, according to Disparte: Keep taxpayers from saddling the bill for potential problems. “The energy sector is too big to fail, too big to hide and no single energy company is able to fund the risk on their own,” he said.

In the meantime, cyber insurance is one of the fastest growing segments of the more than $5 trillion global insurance market. The market for standalone cyber plans among all industries was about $1.75 billion to $2 billion in 2017, and the U.S. accounted for 90 percent of that, said Nolan Wilson, the Miami-based leader of the energy practice at Aon Plc, an industry consultant.

By the end of 2018, the global market could grow to $5 billion, including tack-ons to property and liability insurance, according to Jürgen Reinhart, chief underwriter for cyber at Munich RE, an insurance group based in Germany. So far, though, the energy industry makes up just a sliver of the market, less than 3 percent, he said.

Predicting Weather

“We have very sophisticated insurance products for things like hurricanes, tornadoes, earthquakes and even terrorism,” said Brian Walker, a principal at The CAP Group in Dallas, a risk advisory firm. “You can predict those. But you have a very difficult time predicting what is going to happen in cyber.”

Insurers are struggling with “how to bind their risk” within the energy world, he said. “The geographic scope and the size of the impact are not estimable.”

How big can the problem be? “Energy companies have enormous supply chain relationships,” said Disparte, so an attack anywhere along the line could have far-reaching implications.

A cyber-specific policy for a major energy provider or pipeline might cover everything from replacing software and equipment in the event of an explosion, to indemnifying companies against lawsuits resulting from environmental damage, or the loss of power to customers. In some cases, generating facilities can service millions of customers across broad communities.

Operations Halted

Earlier this year, Schneider Electric SE reported that a hack of its Tricon software resulted in at least one customer halting a plant’s operations. While no cost was given for that shutdown, A.P. Moller-Maersk A/S, the container ship giant, last year reported a loss of roughly $300 million related to a cyberattack on its operation.

In such a scenario, just getting a skilled cybersecurity crew out to a single site can cost $10,000 in the U.S., according to Duncan Greatwood, chief executive officer of Xage Security, which works with industrial operations based in Palo Alto, California. Multiplying that across numerous systems using, or connected through, the same or similar software can quickly add up.

The development of cyber insurance for the energy industry will be critical “because insurers help drive safety code and building codes,” according to Disparte. The same “best practice” thinking is needed for the technology used by energy providers, he said.

‘All Risks’

But getting coverage is complicated. Many energy companies assume they’re covered by their “All Risks” policies, but there’s either fine print cutting out cyber attacks or they have never been tested for this new, fast-evolving threat, said Brit Insurance’s Bright.

“It’s a gray area,” he said, adding that Lloyd’s has been trying to educate brokers and customers about the need for a plan that specifically includes cyber coverage.

There’s no question the problem is growing. An analysis released in March by the FBI and Homeland Security said that hackers are conducting a broad assault on the U.S. electric grid, water processing plants, air transportation facilities and other targets in rolling attacks on some of the country’s most sensitive infrastructure.

Cyberattacks are “literally happening hundreds of thousands of times a day,” U.S. Energy Secretary Rick Perry told lawmakers during a March hearing.

March Attacks

In late March, at least half a dozen pipeline operators shut down their third-party electronic communications due to a cyberattack. Those actions became known because they affected traders and customers. The problem for insurers is that energy companies aren’t required by law to disclose attacks, and often don’t, seeking to avoid becoming bigger targets, and drawing public or investor scrutiny.

Three major oil and gas pipelines, for instance, were hit by so-called ransomware this year that were never publicly reported. These attacks sought payments based on their threats to open pipes or overpressure systems to explode, according to Xage’s Greatwood.

Fracking Fluid

In the Permian, an oil driller recently found that a vendor’s employee hacked into a system to take precious fracking fluid out of a tank to resell it on the side. It’s unclear how long the theft was going on, but it’s not unusual for such attacks to be undetected for months, said Maureen Krezmien, director of sales for oil and gas industry solutions at GS Labs LLC in Dallas.

It’s unclear how the two threats were countered. The cybersecurity firms involved wouldn’t disclose more details on the incidents for confidentiality reasons. Raushaunah Muhammad, a spokesperson for the Federal Bureau of Investigation, declined to comment and Homeland Security didn’t respond to requests seeking comment.

While these specific cases appeared to be motivated by profit, and didn’t result in reportable pipeline accidents, they point to an expanding — and potentially costly — assault on infrastructure largely responsible for keeping the U.S. economy running.

With oil prices on the rise this year, producers “are getting a little bit better cash flow and they are opening up their wallets during discussions on protecting themselves, their employees and infrastructure from cyber threats,” according to GS Lab’s Krezmien. But they still remain slower to adopt cyber coverage compared to other industries, she said.

“I don’t like to use fear as a sales driver,” Krezmien said. “But this is the real Y2K. At this point of my career I’m looking at this and saying it’s not my favorite approach but it’s at a point where it’s necessary. “