Colonial Pipeline, which carries refined gasoline and jet fuel from Texas up the East Coast to New York, was forced to shut down on Friday, May 7 after being hit with a ransomware attack. In a statement, the company, one of the nation’s largest pipelines, carrying 2.5 million barrels of fuel a day or 45% of the East Coast’s fuel supplies, indicated that it had shut down 5,500 miles of pipeline in an effort to contain the breach. While there were disruptions along the pipeline on May 7, it was not clear whether those disruptions were the result of the attack or Colonial’s efforts to proactively halt the intrusion. Colonial indicated on Sunday, May 9, that although its four main pipelines remained offline, some smaller lines between terminals and delivery points were now operational.
Much remains unknown about this cyberattack and the situation is developing quickly. The systems affected by the attack, broader operational impacts on Colonial Pipeline (and across their customers and supply chain) and the identity of the attackers have not been confirmed. While the Federal Bureau of Investigation (FBI), Energy Department and the White House are still investigating, the FBI has confirmed that the attack was perpetrated by a cyber-criminal group called DarkSide. This is a private criminal group allegedly based in Russia, although reports to date indicate no evidence of a connection to the Russian government. It has further been reported that the group attempted to exfiltrate almost 100 gigabytes of data and hold it hostage, threatening to leak that information to the internet. The FBI and other government agencies worked with private companies to respond and prevent this attempt. Colonial’s data does not appear to have been transferred from their source system elsewhere, potentially limiting the hackers’ leverage to extort or further embarrass the company. Colonial Pipeline, which is privately held, declined to specify whether they have paid the ransom or are considering doing so, or when normal operations would resume.
In an effort to grapple with the fallout from this incident, the U.S. government relaxed rules on fuel being transported by roads, now permitting drivers in 18 states to work additional or more flexible hours when transporting refined petroleum products.
The cyberattack against Colonial Pipeline comes on the heels of several targeted attacks against energy assets in recent years. Last year, a ransomware attack against a natural gas pipeline operator forced a shutdown for 2 days after data was encrypted on both its IT and OT networks. In 2019, a cyberattack on the U.S. grid created blind spots at a grid control center and several power generation sites in the United States. As far back as 2015, the Lloyd’s of London Business Blackout study estimated that a larger scale cyberattack against power assets could cost $243 billion, or more than $1 trillion in the most extreme scenario. The regulatory oversight of cybersecurity vulnerabilities in the energy industry has also been heightened. For example, NERC fined a large utility operator $10 million for a series of security violations between 2015 and 2018.
If your business relies on Colonial Pipeline, we recommend reviewing the notice requirements under your cyber insurance policy, which may provide coverage for business interruption losses stemming from a cyber incident impacting an outsource provider or vendor. We can assist you in determining what business interruption coverage may be available to you and how to calculate your potential loss. It is important to note that certain policies may exclude utilities from what constitutes outsource providers or dependent businesses or have broad infrastructure exclusions under their business or network interruption coverage. If your organization has been impacted and there is coverage under your policy, your carrier will provide guidance on what steps to take to respond to this incident, which could include hiring a law firm to advise on what your reporting obligations could be to clients and regulators.
Energy companies need to take a comprehensive view of their exposures when evaluating cyber insurance options. An off-the-shelf cyber policy is likely to be inadequate to address both the immediate and potential downstream losses that may result from a cyberattack. Utility operators should seek to address potential exposures for third-party claims brought by customers for failure to supply services, costs associated with accessing the spot market for replacement power or gas, or capacity assessment charges. Many diversified energy companies may also face exposures to physical damage, environmental liability or bodily injury following a cyberattack. There continues to be a tremendous amount of differentiation between the breadth of coverage one cyber insurer offers compared to the next, and many cyber insurers are implementing restrictive exclusions for ransomware and systemic cyber events. In this environment, it’s imperative to pursue bespoke coverage options, where possible.
The shutdown of such a vital pipeline highlights the vulnerability of infrastructure that is connected, directly or indirectly, to the internet. The frequency and sophistication of ransomware and other high-profile cyber incidents (e.g., SolarWinds, Microsoft Exchange Server breach and Accellion) over the past year will likely continue to heighten insurance carrier focus on these exposures and the best way to manage them. In an already hardening insurance market, this incident is likely to be impactful in changing terms and availability of cyber coverage for some organizations. It is important for organizations to be aware of their potential exposure to this incident and be prepared for detailed additional inquiries from carriers on technical measures they are taking to manage vendor and broader cyber risks.
Willis Towers Watson offers proprietary coverage solutions for the energy sector to address the exposures highlighted above. We can also assist your organization in assessing your organizational cyber risk with our Cyber Quantified decision-support tool. Cyber Quantified evaluates a firm’s complete cyber loss potential with decision support to optimize risk management strategy. The tool interactively incorporates network outage risk and privacy breach liability. Using Cyber Quantified can support your organization in determining the right insurance structure to best support your organization, as technological safeguards only go so far. The Cyber Risk Solutions team can also provide tailored cyber consulting solutions that support insurance goals, align cyber risk management with business objectives, and deliver cost-effective cyber risk resilience.
More than half of all cyber incidents begin with the cyber culture of an organization, the feeling towards and treatment of cybersecurity by its employees. Cyber incidents are quite frequently a people problem. The average breach costs $4 million, so it is also a capital problem. As a global leader in human capital solutions, risk advisory and broking, we are well prepared to assess your cyber vulnerabilities, protect you through best-in-class solutions, understand your cyber risk exposure, and radically improve your ability to successfully recover from future attacks.
Willis Towers Watson hopes you found the general information provided in this publication informative and helpful. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal advisors. In the event you would like more information regarding your insurance coverage, please do not hesitate to reach out to us. In North America, Willis Towers Watson offers insurance products through licensed subsidiaries of Willis North America Inc., including Willis Towers Watson Northeast Inc. (in the United States) and Willis Canada, Inc.