The Intelligent Quarterly from the publishers of The Insurance Insider

Summer 2018


Powering ahead

Laura Board

December in Western Ukraine isn't a time or a place where you'd want to be without electricity, but an estimated 230,000 people experienced just that in 2015 when hackers shut down the supply from three utilities by disseminating malware.

Within Ukraine, the attack was immediately suspected to have emanated from its easterly superpower neighbour. Outside the civil war-stricken country, the event took on a different significance. It confirmed fears that where once hackers targeted customer data at retailers, banks and internet service providers, they were now seeking to wreak physical damage on critical infrastructure.

Obstacles to coverage

Power and energy companies haven't traditionally seen themselves as obvious targets for hackers.

Back in 2015, an Aon risk management survey showed only 14 percent of utilities respondents had already purchased cyber cover, the lowest proportion of any sector.

And in the oil and gas industry, an oil price slump from June 2014 crimped energy insurance premiums overall and made cost-conscious management think twice about spending on what is often very limited cyber protection.

But attacks in Ukraine and elsewhere have forced a reassessment, just as energy groups' and utilities' growing reliance on interconnected technology has made them increasingly vulnerable.

The World Energy Council and the European Commission (EC) both recently highlighted cyber risk as a prime concern in the energy sector, given that it could cause major operational failure of an asset.

In a February 2017 report, the EC called on the insurance industry to develop instruments to address potentially catastrophic losses in the sector.

And demand for cyber insurance is clearly on the rise. The 2015 Aon survey found that more respondents in the utilities sector than any other industry planned to buy it in future.

Andrew Herring, head of Marsh's Emea energy practice, says: "We are seeing a significant increase in energy companies' appetite to buy cyber insurance. It is more prevalent in North America and that is also reflected in the oil and gas industry, though power has been ahead of oil and gas in that regard."

But there are obstacles on the carriers' side too. As with cyber risk in general, underwriters complain of insufficient data to price risk accurately and say that energy companies aren't always coming clean about cyber breaches. Clyde & Co partner Helen Bourne, who is head of the law firm's UK cyber team, notes:

"There are undoubtedly challenges for insureds in being able to give a fair presentation of the risk. The environment they are operating in is possibly unique and cyber risk introduces a lot more doubt into the process. Another challenge is that there isn't a universal cyber security standard that any company has to meet."

A further obstacle is the lack of a common policy language, with carriers taking divergent routes to providing cover for energy clients.

Marsh's Herring says: "We need to be able to offer clients hundreds of millions of capacity for that remote but potential cat event, but if we can't get a common approach from carriers we can't get that sort of cover."

Standard exclusion

Cyber attack became a standard property policy exclusion in 2003, with most markets using clause CL380 to exclude cover for losses "indirectly caused by or contributed to by, or arising from the use or operation, as a means of inflicting harm, of any computer, computer system, computer software program, malicious code, computer virus or process or any other electronic system".

In the past few years, underwriters in the downstream sector have begun providing cover for physical damage caused by cyber attack-related fires and explosion. But many are holding out in the upstream sector.

Herring says: "Carriers are restricted by what their treaties will allow them to do and the message from the treaty market is somewhat confused. CL380 is driven by marine and energy treaties and while exceptions are available on a referral basis, it is a pretty clumsy approach."

John Cooper, JLT Specialty's managing director of technical energy business, offers an additional explanation.

"In the downstream market there's arguably a much wider pool of leaders, so they haven't been able to resist the brokers' attempts to include resultant damage from cyber attacks, whereas in the upstream market there is a more concentrated pool of potential leaders who have been able to resist the deletion of CL380," he says.

Moves to rethink the CL380 exclusion are divisive. In the upstream sector, carriers including QBE and XL Catlin have begun offering the so-called cyber attack buyback endorsement (Cabbe), which offers a partial CL380 writeback. Clyde & Co is currently assessing the Cabbe wording for the Lloyd's Market Association.

But critics point out several shortfalls with Cabbe, including the fact that indemnity is restricted to the value of the largest asset attacked, and that contingent business interruption insurance is excluded.

More comprehensive cover is offered by Marsh's Cyber Gap insurance product, which effectively negates the CL380 exclusion, electronic data exclusion NMA2914, and an associated terrorism exclusion. The product offers a limit under standalone cover of $432mn for a single client.

And this year Munich Re Syndicate launched a new cyber product for small and mid-sized upstream and midstream energy clients.

Munich Re Syndicate chief underwriting officer Dominick Hoare says: "The basic concept is that the cyber risk in the energy sector, particularly the upstream oil and gas sector, is increasing significantly, and as everything becomes more automated we certainly see a heightened risk."

The product writes back the CL380 cyber exclusion completely without the restrictions of a Cabbe. The syndicate is offering $100mn of sub-limit to the original policy and expects to increase that over the next 12 months where demand warrants.

"If the original policy gives business interruption, this gives business interruption. We are keeping it very simple and very broad," says Hoare.

The cover also provides non-physical damage business interruption insurance in the event of a data breach.

Munich Re's Hoare is alarmed by some of the efforts to address the energy cyber gap, while both the Prudential Regulation Authority and Lloyd's have expressed concern about risk aggregation.

Hoare says: "There are elements of the energy market offering on occasion CL380 writebacks, but there is no risk assessment nor technical pricing. Unless you approach [underwriting] from a technical point of view it is going to fall apart pretty soon."

He adds: "A personal concern of mine is that many entities are not paying due attention. They are not looking at the accumulation of the risk, so there could be a big issue somewhere down the line.

"That would be very damaging for a market that is trying to grow."

Market participants appear to share a "not if, but when" expectation of a major cyber-related energy sector event, which could generate many hundreds of millions of dollars in losses.

Whether that involves the catastrophic breakdown of high-speed machinery at a petrochemicals facility, coordinated attacks on nuclear installations or oil rig explosions, the cyber energy insurance market would get an instant fillip.

However, it could also leave some insurers extremely exposed.

As one underwriter says: "The issue for all these markets is a systemic problem. If one platform blows up, we can deal with it. If 10 platforms blow up, that isn't what we want to confront."

This article was published as part of issue Autumn 2017
