Axa XL and Beazley on risk for Colonial Pipeline cyberattack
Axa XL and Beazley are among the carriers on risk after a cyberattack last week took a major US oil pipeline offline, Inside P&C understands.
Market sources told this publication that Colonial Pipeline has at least $15mn in cyber insurance coverage, including a primary $10mn policy written by Axa XL.
Beazley is understood also to provide the company with a $5mn XS $10mn excess policy. The insurance program is brokered by Aon.
According to sources, private energy companies and pipeline operators typically take a scattergun approach to purchasing cyber cover, with some choosing to purchase low policy limits because they believe their potential exposure to punitive damages is limited.
“They [energy companies] still view this as data breach coverage and not business interruption coverage for a failure of critical infrastructure,” said one underwriter.
Another cyber specialist speaking to Inside P&C said that on energy company insurance accounts he had worked on, companies were advised to buy cyber programs with limits of between $100mn and $200mn.
It could not immediately be established whether Colonial has made a payment in response to the ransom demand from its digital attackers.
Colonial Pipeline is an arterial pipeline that transports fuel from the US Gulf Coast to the East Coast.
It was forced to shut down last Friday after a criminal group effectively locked up the company's computer system. In a statement last weekend, President Joe Biden said the US government does not believe the attack to be state-sponsored.
As of Wednesday, the pipeline remained shut, although Colonial has reopened some smaller fuel lines.
Colonial has for more than a month sought to appoint a cyber manager at its Atlanta headquarters, Reuters reported on Wednesday.
Cyber insurance policies typically pay out for damage to infrastructure and loss of earnings caused by a cyberattack. Most policies have a waiting period of between eight and 12 hours before cover for business interruption kicks in.
News of the hack comes after the US government in late April established a ransomware task force in a bid to coordinate the public and private sector response to the epidemic. State agencies including the FBI remain opposed to the payment of ransoms to criminal groups.
Last week, Axa’s French business division, Axa France, announced that it would stop making ransomware payments in response to pressure from lawmakers. It continues to write cyber insurance in the country and to provide restitution for breach response costs.
Since late 2019, (re)insurers have been responding to a rising wave of ransomware attacks, and in late 2020 they sought to introduce specific sub-limits and exclusions to curtail their exposure to such losses.
The economic cost of ransomware has surged, along with the number of ransomware-as-a-service schemes, where digital criminals loan encryption software to other criminals for them to carry out attacks.
Industry experts have warned of the potential for cyberattacks to incapacitate key infrastructure, citing the Stuxnet virus, which in 2010 was used to disrupt Iran’s nuclear program, and a malware attack on a German steel factory in 2014.
Beazley, Axa XL and Aon declined to comment. Colonial Pipeline did not respond to a request for comment.