Willis Group warns energy firms of cyber risk, predicts increase in insurance capacity in upstream market

Energy firms that integrate their industrial control systems with Internet-based computer systems increase their risk of cyber attack, and the “traditional” cyber insurance market does not normally cover significant physical loss or damage, suggests a recent report from Willis Group Holdings plc.

The London-based brokerage and risk management firm announced Tuesday it has published its annual Energy Market Review for 2014. That review includes a section on cyber risk.

“Of particular recent significance has been the general imperative in the industry to cut costs, which from an IT perspective has led to the integration of Industrial Control Systems (ICS), including Supervisory Control and Data Acquisition Systems (SCADAs) and Distributed Control Systems (DCS) with other internet-based IT systems, sometimes without implementing adequate security measures,” Willis stated in the review.

“This strategy has been designed to improve efficiency and to allow management to view field data in real time; however, this seemingly innovative development has increased the possibility of oil and gas infrastructure being opened up to a cyber-attack.”

For energy firms, the “traditional” cyber insurance market provides coverage for a variety of losses, such as damage to digital assets affected by an attack, income loss and interruption expenses, damages and legal fees as a result of a privacy breach, damages and legal fees arising from publishing content in electronic or print media as well as regulatory fines and penalties, Willis notes.

“What is not traditionally covered – or is even envisaged by the providers of this cover — is the truly catastrophic event involving significant physical loss or damage,” from a cyber attack, Willis warned. The firm cited as an example the 2010 Stuxnet virus, which was designed for SCADA systems made by Siemens AG.

“Stuxnet ruined almost 20% of Iran’s uranium enrichment centrifuge capability by spinning out of control while simultaneously replaying the recorded system values which showed the centrifuges functioning normally during the attack,” Willis noted. “Stuxnet showed that it was perfectly possible for a cyber-attack to result in significant physical damage to energy infrastructure as well as the ensuing consequential/business interruption (BI) losses.”

Willis also analyzed the upstream energy (which includes offshore platforms) and downstream energy (which includes refineries) markets. The company contends an increase in market capacity in the upstream market is “almost inevitable” this year.

“The insurance sector in general is still awash with capital which, to put it bluntly, has nowhere else to go as interest rates remain low across the globe,” according to the review. “As upstream infrastructure values (particularly in the North Sea) increase, insurers can justifiably point out that they have to increase their capacity just to maintain their position on key market programmes.”

Though there is also excess capacity in the downstream market, “insurers continue to find themselves shackled by competitive pressures of increased capacity, despite rating levels continuing to fall well away from where their models are telling them they should be,” Willis noted.