Middle Eastern oil & gas companies have insufficient contingency plans in place to deal with the threat of cyber attacks, according to a report issued by insurance brokers Willis.
Willis highlighted the industry’s vulnerability to cyber threats in its annual review of the energy sector’s insurance market, which called on insurers to find a way to provide cover.
“A major energy catastrophe – on the same scale as … Exxon Valdez or Deepwater Horizon – could be caused by a cyber attack, and, crucially, that cover for such a loss is generally not currently provided by the energy insurance market,” the insurance broker said.
Most insurance products currently available will cover minor things such as data losses or downtime caused by IT issues, but not major events like explosions at multiple facilities triggered remotely by hackers, Willis said.
It said the lack of coverage stemmed from a clause included in most energy sector insurance agreements over the past 10 years that explicitly excludes loss or damage caused by software, viruses or other malicious computer code.
“There can be little doubt that the removal of this exclusion would be the most effective way for coverage to be provided to the energy industry,” it said.
But the exclusion clause has remained because cyber security is not well-understood by the insurance industry, making it difficult to design comprehensive products. Additionally, problems lie with how insurers agree to cover damage to multiple plants or platforms caused by a single attack.
The issue is attracting more attention after high-profile events including Stuxnet – a virus that afflicted a uranium enrichment facility in Iran – and Shamoon – a virus linked to cyber assaults on energy firms in Saudi Arabia and Qatar in 2012.
Technology now allows entire oil and gas networks to be operated remotely, but connecting that infrastructure via the internet has also opened the door for hackers and computer viruses to target anything from refineries to pipelines.
Â
