Energy Companies Can’t Get Cyber Attack Insurance Because Their Defenses Are Too Weak

Lloyd’s of London won’t gamble on insuring energy companies against cyber attacks yet.

Photo by Matt Cardy/Getty Images

Lloyd’s of London, insurer of celebrity body parts, is so concerned about digital security at energy companies that it won’t sell most of them insurance, even though there is a growing demand.

BBC News reports that Lloyd’s underwriters are getting more and more requests for cyber attack insurance from energy groups, but the insurer is unwilling to take the risk after assessing the companies’ defenses. That means that the protections currently in place by energy companies must be horribly inadequate, because Lloyd’s is known for finding ways to insure pretty much anything, even high-risk ventures like oil tankers.

The idea of cyber attack insurance is pretty simple. Like any other disaster that a company might need to recover from, a data breach or other type of attack could create major financial problems, and cyber attack insurance would help soften the blow. In fact, Laila Khudari, an underwriter at a Lloyd’s of London syndicate, told BBC News that Lloyd’s has negotiated cyber attack insurance with energy companies in the past, but that they aren’t qualifying for the multimillion-dollar policies they want now because the defenses they have in place aren’t adequate, which has already been reported in other contexts.

For example, the Council on Foreign Relations released a report in June 2013 describing how U.S. oil and natural gas companies weren’t defending themselves adequately against cyber attacks. The report warned that this could potentially lead to pipeline outages or problems at refineries and drilling platforms. It noted that:

Several of the world’s major oil and gas producers, including Saudi Aramco (officially the Saudi Arabian Oil Company) and Qatar’s RasGas, have fallen victim to cyberattacks since 2009. Others, such as Chevron, have also had their networks infected.

When assessors look at the companies’ IT strategies for implementing firewalls, updates, and other network maintenance, most come up short. BBC News reports that it’s not totally clear what has prompted the surge in interest for this type of insurance. Though the huge retailer hacks in the U.S. and the endless revelations about government surveillance on both sides of the Atlantic could be, you know, contributing factors. Or whatever.

Even given that the companies’ concerns are justified, Khudari told BBC News, “We would not want insurance to be a substitute for security.” And that’s a really good point.