Dive Brief:
- Insurance companies are "very concerned" with the potential for attacks on critical U.S. infrastructure and are raising insurance premiums for energy companies by double and triple digits, according to Michael Gaudet, U.S. energy, power and utility leader within Marsh's financial and professional liability practice. The company is an insurance broker that works with underwriters who provide utilities with cyber insurance.
- Electric utilities procuring cyber insurance from industry-backed insurers have seen premiums rise 25-30%, while other types of energy companies in the commercial insurance sector have seen premiums more than double, Gaudet said.
- Guidehouse expects the global cyber insurance market for energy will grow from $102 million in 2021 to $442 million by 2030, and in a new report warned power plants may see the steepest rate hikes.
Dive Insight:
Cyber insurance rates are rising for a variety of reasons, including geopolitics, ransomware, a growing threat to operational technology, and continued fallout from last year's Colonial Pipeline attack, say experts.
"Since the 2021 Colonial Pipeline ransomware incident, which resulted in oil shortages across the US East Coast, companies seeking cyber insurance coverage have been turned away, and those with coverage have seen their premiums rise substantially," according to the Guidehouse report, issued in the first quarter of this year.
The report notes global damages from cyber incidents and remediation across all sectors in 2020 reached $20 billion, and ransomware payments increased more than 340% from 2020 to 2021. Specific to energy, the report cites Dragos data that the average cost of an industrial "security incident" last year included almost $3 million in direct costs and another $2 million that included legal, regulatory and other costs.
Colonial paid a ransom of more than $4 million to hackers in order to speed recovery of its internal systems, though federal officials were able to recover a portion of the ransom.
"There is growing concern that additional ransomware payouts may lead threat actors in cyberspace to increase attacks on the energy industry, and ransomware is not the only risk," Guidehouse said. "The cyber insurance market is at a turning point, and the energy industry is at the forefront."
While cyber insurance rates are going up across the energy sector, electric utilities' premiums have not risen as much as those of oil refineries, power plants and pipelines, said Marsh's Gaudet.
Part of the difference is due to electric utilities procuring insurance through what are known as "industry mutual insurers," which are backed by companies in the sector and can offer lower rates. In these instances, cyber insurance renewals have been about 25-30% higher, said Gauret.
Cyber insurance rates for electric distribution utilities also remain low because they have extensive security controls in place, Gaudet said.
Utilities are investing more than ever on cybersecurity, and there are critical infrastructure security requirements set by federal regulators. Cost is a growing concern, however.
At the National Association of Regulatory Utility Commissioners' winter policy summit on Monday, Virginia State Corporation Commission member Judith Jagdmann called ratepayer costs "the number one impediment" to achieving cybersecurity goals.
The need to manufacture more critical grid equipment in the United States, including large transformers, could also drive up the cost of security and resilience, say experts. But not all energy companies are making such large investments.
"Power generation companies that are sometimes owned by private equity, they don't invest as much, honestly, in cybersecurity. The underwriters see it," said Gaudet. Those power plants, along with some oil refineries and pipeline companies in U.S. markets, may have seen premiums rise up to 130% as commercial insurance companies price increasing risk.