The ransomware attack that shut down one of the largest fuel pipelines in the U.S. and set off gas shortages and panic-buying is indicative of the growing cyber risk threatening American infrastructure, experts said in a recent USA Today report. Colonial Pipeline Co., which moves 2.5 million barrels of petroleum each day, was forced to discontinue operations May 7 after the hacker gang DarkSide reportedly targeted the pipeline operator’s financial computer networks. The company began resuming services on May 12 after unconfirmed reports that a $5 million ransom was paid to the hackers.
Though Colonial Pipeline announced May 15 that its systems were back to normal, concerns remained about high gas prices and fuel outages as industry leaders assessed the full fallout from one of the “most disruptive cyberattacks in history” — an incident that U.S. Transportation Secretary Pete Buttigieg described as a “wake-up call” about the nation’s preparedness for the digital era.1,2
“Colonial Pipeline supplies an absolutely massive amount of crude, which is then refined into gasoline, jet fuel, and heating oil for the East Coast,” said Alex Krcmarik, Senior Broker, Environmental, Burns & Wilcox, Denver, Colorado. “When it shut down, it just wreaked absolute havoc on the supply chain.”
It also had the company facing substantial expenses, from days of lost revenue to the reported ransom payment of $5 million in cryptocurrency.3 These costs could be covered by Cyber & Privacy Liability Insurance — if a company carries it, said Erica Rangel, Manager, Professional Liability, Burns & Wilcox, Chicago, Illinois.
“There are no federal mandates on the cybersecurity measures a company must have or any requirements that the company carry a Cyber & Privacy Liability policy,” she said. “It is up to companies to do that. They may not have been considered targets before, but they definitely are now.”
Single cyberattack can have ‘profound’ effects
In Washington, D.C., about 81% of gas stations still did not have gasoline as of May 16, CNN reported, and similar conditions continued in other areas of the Southeast.4,5 A single cyberattack having such a widespread impact may come as a shock, but it is a reality that must be considered, said Danion Beckford, Underwriter, Professional Liability, Burns & Wilcox, Toronto, Ontario.
“Having to shut down this pipeline caused a trickle-down effect, including the hysteria we saw around (the U.S.) with individuals trying to fill up buckets of gasoline,” he said. “This shows on a larger scale that a cyberattack can happen and it will not just affect the company at hand; it can have a far-reaching impact. The ramifications are profound.”
The attack comes not long after U.S. officials learned the extent of the SolarWinds Corp. hack, which reportedly began in early 2020 and went undetected for months, allowing hackers to spy on U.S. government agencies in what was called the “largest and most sophisticated” cyberattack in history.6,7 The same risks are present in Canada, where an August 2020 cyberattack forced government officials to temporarily shut down the majority of its online portals that residents use to apply for aid and access other services.8
Because the Colonial Pipeline cyberattack impacted individuals more personally than other major breaches, “it really woke consumers up,” Rangel pointed out. “Most of the American public would not have thought twice about another ransomware attack in the news, but this situation hits a little bit differently,” she said. “Many of the attacks you hear about affect personal data, whereas this situation had a huge impact on the country’s infrastructure.”
The high-frequency and high-severity nature of cyber claims means it could end up costing you a lot more in the long run to not buy [Cyber & Privacy Liability Insurance].
Other energy industry companies may also become more aware of the risk after witnessing the disruption caused by the recent attack. They should know that their Commercial General Liability (CGL) Insurance policies would not typically include coverage for cyberattack-related expenses, Krcmarik said. Though some CGL Insurance policies will have a limited cyber crime enhancement, this could provide a false sense of security.
“This is better than nothing, but the coverage is usually very restricted or sub-limited to $25,000 or $100,000, which will leave a substantial gap in coverage,” he said. “A company may see cyber on the form and think they are set, when they really would benefit from a standalone Cyber & Privacy Liability Insurance policy. It is typically marginally more expensive, and the high-frequency and high-severity nature of cyber claims means it could end up costing you a lot more in the long run to not buy it.”
Cyber & Privacy Liability Insurance can cover business interruption, ransomware payments
Though the full financial toll of the Colonial Pipeline hack has not been determined, the monetary impact was no doubt “huge,” Krcmarik said, “Even beyond the $5 million ransom, I am sure there was a massive business expense for being shut down that long.”
Ransomware payments are generally covered by Cyber & Privacy Liability Insurance, Rangel said. “Usually there are stipulations in the policy that you have to contact the insurance carrier before paying the ransom, because the carrier will have coaches on staff to help them through that kind of situation with negotiating a ransom,” she said. “It is imperative that they have those resources available to them.”
In addition to extortion amounts, Cyber & Privacy Liability Insurance can help with expenses such as regulatory fines and penalties, loss of business income during a shutdown, public relations assistance for repairing reputational harm, and digital asset restoration. “This attack could have locked up their entire computer network and in that process destroyed some components, for example,” Rangel explained.
The policy can also help with the cost of investigations, post-breach notifications, and legal defense in the event of third-party lawsuits related to the breach. “It is really coverage to assist with getting the company back on their feet,” Beckford said. “It is about investigating what happened and helping out those affected by the breach. Depending on the severity of the attack, repairing the company’s reputation could be a very expensive part of it and require an extensive PR approach.”
Business owners who rely on a particular business in order to operate should ask their insurance broker about dependent business interruption coverage, which can be a key component of Cyber & Privacy Liability Insurance. While standard business interruption coverage can recoup lost revenue for the company that was directly attacked, dependent business interruption coverage can trigger the policy when there’s a breach on the third party’s network, thus putting them out of business for a period of time.” Any supplier that relied on the pipeline for their gas, for example, could file a claim for dependent business interruption,” Rangel noted. “This is part of the trickle-down effect that occurs. It is up to the broker to make sure the company gets the best coverage available.”
While the Colonial Pipeline case has renewed debate over ransomware payments, these are unfortunately not unusual, Beckford said.9 In fact, ransomware demands may be growing. According to one recent survey, 75% of companies said they had been infected by ransomware and more than half of those companies paid the amount demanded.10 Of those that paid the hackers, 40% ultimately were faced with further ransom demands, representing an increase of 320% from last year.
“At the end of the day, companies need to continue working and that is why they have their insurance in place,” Beckford said. “The cyber experts on the team will work together to figure out the best way to handle the situation. You are dealing with a cyber criminal. A company may have to pay it once, but they will be looking at what they can do to ensure it does not happen again.”
Smaller companies just as vulnerable to cyber risk
While high-profile cyberattacks often make news headlines, it is not only Fortune 500 companies that are targeted, Krcmarik pointed out. “There are a lot of small- and medium-sized enterprises that are affected by cyber crime, as well. They are not just targeting the big fish,” Krcmarik said. “That is a common misconception. Anyone with a cyber vulnerability is fair game to them.”
Smaller companies may even be more vulnerable, he said, because they often do not have dedicated risk managers to put prevention plans in place. This is another reason why Cyber & Privacy Liability Insurance is so important, Beckford added. “Small and large companies need to understand the risk, look into the coverage, and make sure all levels of their staff understand that even one error could end up costing the company a significant amount of money.”
Small and large companies need to understand the risk, look into the coverage, and make sure all levels of their staff understand that even one error could end up costing the company a significant amount of money.
In the energy industry, contractual agreements often have a strong influence over the type and amount of insurance a company will carry, including CGL Insurance, Professional Liability Insurance, Excess Liability Insurance, Pollution Liability Insurance and other policies. If contracts have not been updated in recent years, Cyber & Privacy Liability Insurance may not even be named in those contracts.
“The energy industry as a whole has risk management practices that are extremely driven by contractual requirements,” Krcmarik said. “This is a double-edged sword. On one hand, it ensures that these companies are operating with some coverage for their key exposures, but on the other hand, a lot of these companies lose sight of coverage in pursuit of just purchasing the bare minimum required to satisfy the contact.”
This could mean they are not thinking through their other exposures, such as cyber risk. “It is really important for these companies to not lose sight of risk management in pursuit of compliance,” he said. “A lot of these contracts were written before the emergence of the cyber exposures that we see today. This is a good opportunity for business owners to reevaluate their coverage based on their actual exposure, rather than just compliance.”
Employee training, cybersecurity protocols may help prevent cyberattacks
On May 12, President Joe Biden announced an executive order aiming to strengthen the nation’s cybersecurity defenses and offer commercial software security standards.11 The order also includes new requirements for companies that work with the government, NPR reported, and aims to ultimately influence the private sector as well. As companies work to improve their individual cybersecurity, employee training is essential, Krcmarik said.
“You want to build a culture where employees buy into this training,” he said. “You want your employees to see the value in it and understand that this is a legitimate exposure.”
This should include basic steps such as setting up multi-factor authentication, Beckford said. In fact, companies are encouraged to have this in place before they even seek out a quote for Cyber & Privacy Liability Insurance. “We want to make sure that you cannot just get onto your network with one password,” he said. “Most places will not even quote the policy for you without that being in place.”
Companies should know that we have market capacity to structure the high-limit towers of Cyber & Privacy Liability Insurance, Rangel said.
“For some companies, a ransom of $5 million could wipe out their entire business if they do not have insurance,” she said. “There are so many different facets to what Cyber & Privacy Liability Insurance can cover. Talking to your broker about your specific exposures for your industry is really important.”
Companies should review their cybersecurity guidelines regularly and keep up with all necessary software updates. “The criminals behind these attacks are sophisticated; they know how to get in,” Rangel said. “All companies need to take a hard look at what their controls are and find out what is needed to make them as secure as possible. There is no perfect system, but doing what you can to protect yourself is most important.”
Cyber risks are expected to continue to intensify, Beckford added. “Unfortunately, this risk is not going to go away,” he said. “Cyber crime is trending upwards and I currently do not see that stopping. Companies just really have to understand that risk. It can happen to anybody, and everyone has to be vigilant.”
1Lee, Carol E.; Kube, Courtney; and Welker, Kristen. “Biden admin discussed using military fuel stockpile, National Guard to respond to Colonial Pipeline hack.” NBC News, May 14, 2021. 2Gregg, Aaron; Sullivan, Sean; and Hunt, Stephanie. “As Colonial Pipeline recovers from cyberattack, leaders point to a ‘wake-up call’ for U.S. energy infrastructure.” The Washington Post, May 13, 2021. 3Rich, Gillian. “Big Cryptocurrency Ransom Payment Unlocked Colonial Pipeline: Report.” Investor’s Business Daily, May 13, 2021. 4Benveniste, Alexis. “More than 80% of gas stations in DC are out of gas.” CNN, May 16, 2021. 5Quinn, Christopher. “UPDATE: No gas available at nearly half of metro Atlanta’s stations.” The Atlanta Journal-Constitution, May 17, 2021. 6Jibilian, Isabella; and Canales, Katie. “The US is readying sanctions against Russia over the SolarWinds cyber attack. Here's a simple explanation of how the massive hack happened and why it's such a big deal.” Business Insider, April 15, 2021. 7Reuters Staff. “SolarWinds hack was 'largest and most sophisticated attack' ever: Microsoft president.” Reuters, February 14, 2021. 8Newton, Paula. “Cyberattack shuts down Canadian government accounts.” CNN, August 17, 2020. 9Politi, James; Manson, Katrina; Brower, Derek; and McCormick, Myles. “US opens debate over cyber ransom payments after pipeline hack.” Financial Times, May 10, 2021. 10Bracken, Becky. “Ransomware Demands Spike 320%, Payments Rise.” ThreatPost, February 8, 2021. 11Ordonez, Franco. “In Wake Of Pipeline Hack, Biden Signs Executive Order On Cybersecurity.” NPR, May 12, 2021.