July 18, 2018 by Brynna Leslie
On June 27, 2017, a malicious cyberattack crippled Ukraine’s hospital networks, banks and government services within a matter of hours. So relentless was the attack on the country’s data infrastructure that Oleh Derevianko, the head of Kiev-based cybersecurity firm Information Systems Security Partners (ISSP), wasn’t sure how to label it.
“At first, I thought it was an APT (Advanced Persistent Threat),” Derevianko later told the BBC. “But soon I realized that we needed a new term to describe what was happening.”
Derevianko isn’t the only one failing to come to terms with a new world order in cyber risk. Once confined to data privacy and protection, cyber risk has also become a central concern for any industry moving toward advanced automation of operations. Hackers, meanwhile, are becoming more sophisticated and better funded, and are often politically or financially motivated to disable, disrupt and coerce, rather than merely steal data.
It would later be revealed that Ukraine was the victim of the NotPetya malware. The same day as the Ukraine attack, NotPetya breached operations at Russia’s top oil producer, Rosneft. And A.P. Moller Maersk, the world’s largest container shipping company, experienced a total system shutdown after the malware attacked its automated operations, causing multiple days of paralysis and costing an estimated US$300 million. In September, FedEx also suffered US$300 million in damages from business interruption triggered by NotPetya.
Research firm Cybersecurity Ventures estimates that global damages from cybercrime will reach $6 trillion annually by 2021, a figure that has been substantiated by other sources. In Canada, and across the globe, major industrial entities in oil and gas, mining and manufacturing are starting to wake up to the reality that cyber breaches are no longer about data privacy alone. They have the potential to cripple operations and cause serious physical damage.
“We’ve started to see the convergence of IT (information technology) and OT (operations technology) environments,” says Lance Mortlock, oil and gas leader for Ernst & Young in Canada. “That’s creating new cyber-physical risks. New risks are created where network-connected end points, such as smart sensors, handheld engineer terminals and industrial routing equipment, are being produced and deployed.”
And the more devices become connected, the greater the risk becomes, Mortlock says.
“Beyond damage to control systems and to equipment in the network, which has a safety impact, there is the potential to disrupt the supply chain, which has a production impact and a financial impact,” he notes.
Although Canadian firms have so far been sheltered from high-profile cyber breaches, the number of operations-disrupting cyber incidents skyrocketed in 2017. Ransomware payouts doubled from 2016 to $2 billion, according to anti-virus software firm Bitdefender. Uber, Equifax, the National Security Agency: no one is immune.
And cyber exposure has expanded from traditional data-heavy industries like banking and healthcare into any industry that uses a computer. With the rise of automated industrial control, and with the emergence of the Internet of Things, every device connected to the internet is another entry point and another potential vulnerability.
“Cyber risk has taken on less of a privacy risk focus and the concern is becoming more about the impact to an organization’s operations,” says Catherine Evans, a vice-president with Marsh Canada’s Cyber Centre of Excellence.
The oil and gas sector is particularly at risk of cyber intrusion. A 2017 global study of oil and gas executives conducted by Ernst & Young found 87% of oil and gas companies have not fully considered the information security implications of their current strategy and plan; 60% have had a recent, significant cyber security incident; and 95% say their cyber security function doesn’t fully meet their organization’s needs.
“With the size and extent of the operations of oil and gas companies, you’ve got a multitude of different systems,” says Kyle Gray, director of underwriting for Ridge Canada, which deals wholly in cyber risk as a coverholder of Lloyd’s. “Not only different systems, but many are pretty old and legacy systems at some of these points of operation, which is a significant vulnerability. With the legacy systems, obviously, the security is not as broad as something that is newly developed.”
Mortlock adds that energy firms and mining companies have, in some ways, come late to the digital revolution. The economic downturn and the rapid increase in automation have led to a significant digital push in the industry.
“Part of the challenge is that, even as they’re rapidly acquiring these technologies to improve efficiency, the impact of cyber security attacks is not fully understood by the [oil and gas] industry,” says Mortlock. “Given the level of investment we’re seeing in operational technology and automation, particularly around robotics, process automation, asset performance management, remote sensing, cloud computing, machine learning, mobile blockchain and analytics fuel ticketing, these companies need to be upping their cyber game. There are a lot of pilot projects, but they’re not necessarily integrated. What are they doing to manage that risk from a cyber perspective?”
“The number of cyber incidents that have taken place in the last couple of years have heightened the risk up to the board level,” says Evans at Marsh. “The conversation has shifted. Before it may have been the risk manager or the IT team trying to get attention of people above them. Now, we find they’re reaching out to us to talk about it because the board has mandated it.”
This has had a twofold effect on the type of insurance available and the profile of the cyber-risk insurance customer.
“Ten years ago, it was very basic and limited in coverage, and limited in the carriers,” says Gray at Ridge Canada. “It was primarily a liability product at the time for any lawsuits stemming from cyberattacks.”
“Typically, customers were entities with a large volume of customer data or personal information or banking information,” says Gray.
Gray notes that cyber policies still tend to be broad, but insurers are starting to put specific sublimits in place.
“The policies today are extremely broad in the verbiage of the coverage, with the exception of specifically listed exclusions or sublimits, such as social engineering,” he says.
Social engineering refers to hackers manipulating employees into granting access or taking actions that breach systems from the inside. In the past, it wouldn’t have been explicitly mentioned. Now, says Gray, in a million-dollar policy, social engineering may be sublimited to $50,000.
Evans notes there have also been developments on the business interruption side, in an attempt to appeal to industries or entities that may not have previously considered cyber coverage.
“The other piece is examining existing insurance portfolios and taking a look at where the gaps may exist from a property and general liability perspective,” she says. “If they include cyber types of exclusions, there are now products that can drop down and fill in those gaps or that can sit over top of those and act as a wraparound for those coverages to broaden out the cyber that’s available.”
According to AI and machine learning analytics specialist ABI Research, oil and gas firms worldwide are expected to spend US$1.87 billion on cyber security in 2018. But most agree that money alone will not resolve the issue.
“You can spend a lot of money on cyber security and not have much to show for it,” says Tim Truman, a cyber-security architect based in Calgary. “You can buy the best technology in the world, but if it’s not implemented correctly, if you don’t have the baseline practices in place to take care of the technology that you buy and make sure it’s deployed to meet certain conditions and mitigate certain risks, then you’re really just buying stuff just to have it.”
Brokers, says Truman, have a unique role to play in helping their clients understand that cyber risk management follows the same principles as enterprise risk management, which is how he approaches cyber security architecture for his clients.
“We look at the industry, we look at the state of our control infrastructure, the assets we have deployed, what’s potentially out there, what emerging trends are in the cyber world that could potentially pose a risk to us—and we drive an action plan to see how we can mitigate that risk,” Truman says.
Evans notes that brokers also play a unique role in educating company decision-makers on the nature of cyber risk. Part of that is having a solid understanding of the technology at play. It’s a key reason Evans sought out the Certified in Risk and Information Systems Control (CRISC) credential, so she could be well positioned to educate clients on the technical side of risk without merely relying on a checklist.
“I think that’s very difficult for an organization to try to get their heads around,” she says. “Oftentimes, the people that are responsible for making these decisions aren’t always that comfortable understanding or talking about cyber risk. They could be intimidated by them because it has to do with technology that they’re not familiar with.
“Part of our role is to try to bridge that divide a bit, to bring everyone to the table together to make sure we have all the stakeholders involved in evaluating these considerations and trying to address them.”
Copyright © 2018 Transcontinental Media G.P. This article first appeared in the January/February edition of Canadian Insurance Top Broker magazine
This story was originally published by Canadian Insurance Top Broker.