Energy and utility companies have become the main target for cyber attacks, according to a recent report by re/insurance broker Gallagher.
Given the growing threat of such attacks, demand for cyber insurance from these companies has skyrocketed in recent months, the broker noted.
According to the report, in response to a surge in claims coming from the rise in ransomware attacks, insurers have been ramping up their rates by as much as 25% to 40%.
Prices are set to climb further, with cyber insurers’ average loss ratios increasing year-on-year (44.8% in 2018 and 67.8% in 2019).
Underwriters have also been increasing their scrutiny of risks, requiring more information from insureds before quoting the risk.
They have also been pulling back on coverage and capacity, and inserting sub-limits and exclusions into their policies.
The vulnerability of energy companies lies in their geographic spread and organisational complexity, coupled with the unique interdependencies between their physical and cyber infrastructure, the report noted.
Traditionally, energy companies have classed cyber risks under two categories: those that affect either information technology (IT) or operational technology.
But, according to Gallagher, this is a problem: now that IT and operational technology have increasingly converged, companies need to consider them as one risk instead of two separate ones.
In addition, cyber risks are not limited to those categories but extend to every department in the organisation; to mitigate the problem, an effective ownership and accountability structure needs to be put in place, noted Gallagher.
The broker added: “Companies also need to have full oversight of third-party suppliers and get them to adhere to the same rigorous cybersecurity procedures. Those that fail to do so should be held to account or, in some cases, let go for a more cyber-conscious partner.”
Another problem noted in Gallagher’s report is that many companies mistakenly believe they’ll be covered for cyber attacks under their property or liability policies, when they are not.
Because of this, they need to take out a specific cyber insurance policy or write back add-ons to plug any coverage gaps.
Some of Gallagher’s suggestions for energy firms to proactively mitigate cyber risks include working with their broker to ensure they have a comprehensive cyber insurance policy in place.
The broker also suggests they examine their current property and casualty, liability, and crime insurance policies to determine exactly what level of cover they have in the event of a cyber attack, and to identify any gaps or overlaps.