Cyber attacks targeting the oil and gas industry have been in sharp focus since the Colonial Pipeline incident of 2021. More recently, ransomware campaigns have impacted major players like Halliburton, Hitachi Energy and PVC-MS, leading to network outages, data breaches and extortion demands.
In Europe, another campaign affected 22 firms after hackers exploited a command injection vulnerability, launching targeted DDoS attacks. Most media attention focuses on these network and data-related disruptions, but often overlooked are the very real downstream exposures such as physical damage, business interruption, or even bodily injury and environmental liabilities.
A sector built on operational technology and exposed by it
Oil and gas operators are uniquely reliant on operational technology (OT), including cloud-connected OT and industrial control systems (ICS). These often-legacy systems can be highly vulnerable to cyber attacks or administrative errors.
When cyber events target industrial equipment, the risk isn’t just data loss. Malfunctions can lead to real-world physical consequences, including overheating, explosions and fires. While less common than traditional ransomware losses, physical damage caused by cyber attacks is a well-documented and growing concern in the energy sector.
Why this risk now matters more
Over the past few years, changes in the property insurance market have made these exposures even more of a concern. Since 2020, Lloyd’s of London and many U.S. carriers have adopted mandatory cyber exclusions in property policies. These exclusions go further than just clarifying that intangible cyber losses are excluded.
Two model clauses drafted by the Lloyd’s Market Association for use in property insurance policies, LMA 5400 and LMA 5401, exclude any losses arising from a cyber attack, including ensuing physical damage and business interruption.
In other words, if a cyber event causes real-world damage, your property policy may not respond.
Cyber markets are evolving, but clarity is key
The good news is that cyber insurers have started to respond. Today, it’s possible to secure affirmative coverage for tangible losses stemming from cyber events, covering not only financial loss, but also physical damage, bodily injury and environmental liability.
However, coverage in this space remains complex. Many standard cyber policies do not automatically include coverage for these exposures. That’s why it’s essential to review the interplay between your property, cyber and liability programs to identify gaps or overlaps.
How we can help
Willis, a WTW business, brings together broking, technical and claims expertise to help oil and gas clients assess their exposure across all coverage lines. Our consultative approach helps organizations clarify their position and make informed decisions on whether, and how, to extend their cyber cover to account for these risks.
Our CyNat insurance solution is built specifically for the operational realities of oil and gas businesses. It can be tailored to match your specific risk profile, including physical damage, OT-triggered outages and regulatory exposures.
