Cyber attacks targeting the oil and gas industry have been in sharp focus since the Colonial Pipeline incident of 2021. More recently, ransomware campaigns have impacted major players like Halliburton, Hitachi Energy and PVC-MS, leading to network outages, data breaches and extortion demands.
In Europe, another campaign affected 22 firms after hackers exploited a command injection vulnerability, launching targeted DDoS attacks. Most media attention focuses on these network- and data-related disruptions, but the very real downstream exposures are often overlooked, such as physical damage, business interruption, or even bodily injury and environmental liabilities.
Oil and gas operators are uniquely reliant on operational technology (OT), including cloud-connected OT and industrial control systems (ICS). These often-legacy systems can be highly vulnerable to cyber attacks or administrative errors.
When cyber events target industrial equipment, the risk isn’t just data loss. Malfunctions can lead to real-world physical consequences, including overheating, explosions and fires. While less common than traditional ransomware losses, physical damage caused by cyber attacks is a well-documented and growing concern in the energy sector.
Over the past few years, changes in the property insurance market have made these exposures even more of a concern. Since 2020, Lloyd’s of London and many U.S. carriers have adopted mandatory cyber exclusions in property policies. These exclusions go further than just clarifying that intangible cyber losses are excluded.
Two model clauses drafted by the Lloyd’s Market Association for use in property insurance policies, LMA 5400 and LMA 5401, exclude any losses arising from a cyber attack, including ensuing physical damage and business interruption.
In other words, if a cyber event causes real-world damage, your property policy may not respond.
The good news is that cyber insurers have started to respond. Today, it’s possible to secure affirmative coverage for tangible losses stemming from cyber events, covering not only financial loss, but also physical damage, bodily injury and environmental liability.
However, coverage in this space remains complex. Many standard cyber policies do not automatically include coverage for these exposures. That’s why it’s essential to review the interplay between your property, cyber and liability programs to identify gaps or overlaps.
Willis, a WTW business, brings together broking, technical and claims expertise to help oil and gas clients assess their exposure across all coverage lines. Our consultative approach helps organizations clarify their position and make informed decisions on whether, and how, to extend their cyber cover to account for these risks.
Our CyNat insurance solution is built specifically for the operational realities of oil and gas businesses. It can be tailored to match your specific risk profile, including physical damage, OT-triggered outages and regulatory exposures.
WTW hopes you found the general information provided here informative and helpful. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal advisors. In the event you would like more information regarding your insurance coverage, please do not hesitate to reach out to us. In North America, WTW offers insurance products through licensed entities, including Willis Towers Watson Northeast, Inc. (in the United States) and Willis Canada Inc. (in Canada).