Insurers are limiting how much coverage energy companies can buy to protect themselves against a major attack by hackers, potentially leaving investors, customers and taxpayers on the hook for sizable losses.
Brit Insurance, a syndicate that works with Lloyd’s of London, limits cybersecurity policies to around $300 million, according to underwriter James Bright. While companies can piece together policies from different insurers to boost that limit, the costs can be prohibitive, often requiring third-party assessments of security that can need upgrading.
The result is an industry largely unprepared for a hacker-triggered catastrophe, according to cybersecurity experts. The Exxon Valdez oil spill cleanup, for instance, cost $7 billion. Those kinds of numbers have left insurers anxious over the lack of quantifiable information in an expanding market, and concerned the energy industry’s protections may not be adequate.
Energy companies tend to have “a superman fallacy,” said Dante Disparte, the head of Risk Cooperative, a Washington-based brokerage. “They don’t believe bad things will happen to them, or they believe the government will help them get back on the field.”
It’s a belief that’s drawing concern from the U.S. government, according to Disparte, who said he met with Treasury Department staff in mid-May. The government, along with industry groups and companies, is in the early stages of discussing the need for a cyber version of the Federal Deposit Insurance Corp., with energy as an initial target, he said. The Treasury Department wouldn’t immediately comment.