How has insurance changed to protect oil and gas from cyber-threats?

Matthew Farmer 1 July 2020 (Last Updated July 1st, 2020 17:21)

For many, Covid-19 has meant working from home, and working from home has meant moving out of the safety of the office firewall. Virtual threats have not relented, but they are now working against industries which know their adversaries, and have plans for cyber-attacks.

Ransomware attacks are just one of the cybersecurity risks operators can choose to tackle with insurance. Credit: Christiaan Colen under CC BY-SA 2.0 licence.

For defence and prevention, cybersecurity in the time of Covid has involved contracts with software companies and considerations in planning. For mitigation and eliminating risk, this has come back to the insurance industry.

Insurers have changed their policies to encompass cyber threats, but now BRIT Insurance is offering an individual cyber-insurance policy. James Bright, senior underwriter for war and terrorism at BRIT Insurance, said: “Oil and gas companies deal with massive assets, both above and below the sea, and above and below ground.

“Obviously it’s also an extensive use of manpower across their asset base, and all of the infrastructure is heavily automated. When something goes wrong, it can go wrong extremely quickly and cause catastrophic loss. So risk management procedures need to be rigorous, and education of employees in work practices should be at the top of the agenda.”

Cybersecurity for oil and gas faces a triple threat

In particular, oil and gas faces a triple threat. Like other companies, offshore operators hold valuable assets. However, their identities are often intertwined with a sense of national identity. This can lead to attacks by other nation states.

Zeki Turedi, EMEA technology strategist for cybersecurity company CrowdStrike, points to the group REFINED KITTEN as an example of this. He said the group is “likely tied to the objectives of the Islamic Revolutionary Guard Corps of Iran.”

“The adversary has been involved in conducting primarily espionage-oriented operations since at least 2013, and targeting oil and gas businesses is a key part of its way of operating. Victims are likely sent an email that contains a file, which is typically used to display spoofed domains hosting a variety of job-themed content.”

At the same time, ‘hacktivism’ has led some private groups to infiltrate oil and gas companies on supposedly altruistic grounds. This can be in support of climate campaigners or for reasons of international politics.

Cybersecurity and insurance are increasingly discussed

Saudi Aramco found this out the hard way in 2012, when 35,000 computers were compromised and at least partially wiped. A collective called ‘Cutting Sword of Justice’ took responsibility due to the company’s support of the authoritarian Al Saud family.

Saudi Aramco faced the world’s largest cyber-intrusion by hacktivists.

Bright continued: “Obviously attribution for these types of events is extremely difficult. So understanding whether an event happened because of a malicious actor may be challenging.

“These types of businesses are no different to any other, whereby their exposure to, for example, ransomware, is as marked as in any other industry. In our experience, the events that happen, happen in the same way as they do in any other business. But I would say that I’ve seen a substantial increase in the way that cyber risk has been handled by the oil and gas industry; it has become an executive-level topic.”

“Cybersecurity has become an issue that’s at the forefront of most people’s minds”

As reliance on computers and automation has grown, general understanding of digital threats has grown with it. In May 2018, the European Union enacted the General Data Protection Regulation, often referred to as GDPR. This has compelled companies to take care with personal data. For many, this has meant rewriting privacy policies and taking stock of how much potentially valuable information systems hold.

Bright said the reporting of this has caused people to understand threats better: “With the advent of GDPR, cybersecurity has become an issue that’s at the forefront of most people’s minds. The oil and gas industry is no different. I’ve seen them spend more money and recruit more staff to cater for what they perceive to be an increased risk.

“I think clients have become better informed in terms of the type of products they can buy. I would also say those clients now understand their policy language to a greater extent. They understand where they have gaps in their policies and their desire to fill them has increased.

“Have there been more people approaching us for a specific product? Definitely, I think it’s been a marked increase, not necessarily related to Covid, over the course of this year.”

New threats: Leaving the office means leaving the firewall

Covid-19 has presented a security challenge to companies, and an opportunity for infiltrators to take advantage of new set-ups. Turedi of CrowdStrike outlined the threats: “Teams have looked to new technologies and services to support them – without due diligence or supervision. Privacy, data protection, and GDPR are still extremely important, even though we have other pressing business matters to manage.

“Businesses need to protect themselves from breaches because adversaries are not ‘sheltering in place’ – and phishing threats using Covid-19 have increasingly targeted enterprises. Beyond authentication, the only way to secure users and stop breaches now that employees are off the corporate network is through cloud-delivered security that monitors and defends all devices in real time against known and novel threats.”

Insurance has evolved to cover cyber-threats, and the financial and physical impacts of them. Currently, property or catch-all policies often cover attacks that result in large losses. Bespoke cyber-insurance is a new venture, which Bright feels will offer his clients peace of mind.

He said: “In any property or cyber policy, there can always be gaps or particular exclusions. Our product is designed to sit across both heads of cover and remove any doubts, because it’s being underwritten by underwriters that have a suite of expertise across those two markets.

“The view we’ve always taken is that clients are better protected when they have an affirmative policy. One that details out exactly the cover that they want to purchase, rather than relying on grey policy language that they potentially have in place.”