Energy companies in the power and oil and gas sectors are leading targets of cyberattacks, as threats to critical infrastructure systems continue to rise. A 2021 report by a third-party cyberrisk company found that a quarter of the energy sector is “highly susceptible” to a ransomware attack, and almost half of the energy sector has a “critical vulnerability” due to out-of-date systems.
The 2021 cyberattack on Colonial Pipeline in the United States is a strong reminder that hackers can cause significant financial losses. The attack caused extensive fuel shortages and other disruptions and resulted in a ransom payment exceeding $4 million.
As cybersecurity threats continue to evolve, increase in complexity, and impact supply chains, it is critical for energy companies to take proactive steps to mitigate first-party and third-party liability losses by obtaining the appropriate cyberinsurance to protect against these risks. The first step is to evaluate all potentially applicable insurance policies for coverage.
These policies cover first-party losses and third-party liabilities arising from cyberlosses. The first-party coverage elements can cover, among other things, (1) costs related to notification, computer experts or forensic analysts, cyberextortion or ransom costs, data restoration, and public relations services; (2) loss of money, securities, and tangible property; (3) income loss and extra expense; and (4) reputational harm. Third-party coverage elements often include coverage related to privacy and security liabilities, media liabilities, and regulatory proceedings.
Commercial property and business interruption policies may contain cyber-related protections, including coverages for loss or damage to data, programs, or software and related business interruption coverages. However, these policies may contain broad exclusions for data or cyberrisks.
An appellate court in EMOI Services LLC v. Owners Insurance Co., 180 N.E.3d 683 (Ohio Ct. App. 2021), recently found that coverage may exist under a business owners special property coverage form, a data compromise endorsement, and an electronic equipment endorsement. The court held that since the policy’s definition of “media” included software and reproduction of data on covered media, damage to the software by a hacker’s encryption could be covered under the policy.
Commercial crime insurance often covers losses resulting from employee dishonesty or from employees or third parties committing fraud through the use of computers. Such policies, however, may exclude data breach costs or other indirect losses from a cyberattack.
The Indiana Supreme Court in G&G Oil Co. of Indiana v. Continental Western Insurance Co., 165 N.E.3d 82 (Ind. 2021), held that loss from a ransomware attack, resulting directly from the use of a computer, may be covered under the computer fraud provision of a commercial crime coverage section of a policy. The court noted that “the interplay between computer fraud coverage and computer hacking is an emerging area of the law,” and that “[c]ourts have had limited opportunities to construe these types of provisions.” Id. at 89. The court sided with G&G Oil and concluded that the term “fraudulently cause a transfer” is unambiguous and could reasonably be understood as simply “to obtain by trick,” and that a ransomware attack could qualify as fraudulent under certain circumstances. Id. The court also found that G&G Oil’s losses “resulted directly from the use of a computer,” even though G&G Oil “voluntarily” transferred the ransom. Id. at 90. G&G Oil confirmed that some traditional policies not marketed as “cyberinsurance” may extend to losses relating to ransomware.
Commercial general liability (CGL) insurance policies may provide coverage for certain third-party claims arising from a cyberattack. As a result of a cyberincident, third parties may assert claims related to privacy or security breaches. Insurers often argue that such breaches are not covered by CGL policies.
A federal court of appeals in Landry’s, Inc. v. Insurance Co. of the State of Pennsylvania, 4 F.4th 366 (5th Cir. 2021), held that an insurer had a duty to defend an underlying third-party dispute arising from a data hack under a CGL policy because the third-party complaint sought damages arising out of the oral or written publication of material that violated a person’s right of privacy.
Directors and officers also face exposure to cyber-related risks and liabilities, particularly due to the heightened regulatory environment and oversight concerning cybersecurity, readiness, response, and related litigation. D&O insurance may help mitigate these liabilities, but such policies may also contain exclusions for cyber-related claims. Businesses should evaluate whether to secure cyber-related extensions of coverage to their D&O policies.
Given the complexities of cyberinsurance coverage and the growing risks to the energy sector, it is important to think proactively and critically about evaluating insurance coverage programs and assembling an insurance recovery team.
Morgan Lewis can provide advice on risk management and loss prevention issues, as well as on understanding your current cyberrisk coverage and gaps and implementing proactive measures to minimize future cyberattack losses. After a cyberattack, Morgan Lewis can assist with claim presentment, notices, loss assessments, information gathering, proofs of loss, claim negotiation, and, if necessary, coverage litigation to enforce policyholders’ insurance rights and maximize insurance recoveries.