Cyber insurance for Energy & Mining sector

The energy and mining sectors have placed more emphasis on technology for operational, research and development purposes; however, cyber security in the industry has not developed at the same rate. As a result, energy companies face a constant barrage of cyber attacks.

These cyber attacks are carried out not only to locate personal and financial information but also to cause damage to property and operational systems. In the upstream and midstream segments, an attack can lead to significant business interruption, catastrophic property damage or bodily injury.

The downstream segment, by contrast, faces data exposure risk that could result in litigation, expense and regulatory scrutiny, in addition to the same physical impact concerns.

JLT provides cyber risk management solutions and cyber liability insurance across the energy and mining sectors. Whether you need coverage for your nuclear, electric or oil and gas business, our team of experts will work with you to find the right cyber security solution against cyber attacks and data breaches.




The following are cyber risks that energy and mining companies should consider:

  • A system or data issue causes a shutdown, total or partial, of one or more facilities, resulting in significant business interruption and additional expenses being incurred.
  • Liability from transmission of viruses, unauthorized use of systems to attack third parties, or liability from websites and other media.
  • An incident which results in the total or partial destruction, encryption, corruption etc. of data or specialist software / programs.
  • Liabilities arising from a contamination incident, injury or loss of life, as a result of a cyber incident.

We can provide bespoke cyber risk management solutions and cyber liability insurance across the energy and mining sectors. Our team of experts will work with you to find the right cyber security solution against data breach and cyber attacks.


Information Technology (IT) generally refers to all things computing. Less familiar is Operational Technology (OT), the software and hardware used to monitor and control physical devices. OT is typically found in industry and critical infrastructure, where electronic systems operate equipment (such as sensors, valves or controls) in pipelines, refineries and nuclear power plants.

These Industrial Control Systems have been used for decades (and can trace their origins to the beginnings of computing and automation in the 1950s) in a wide range of sectors, such as energy, utilities, manufacturing, chemicals, transport and scientific research. They can collect data, control processes and machinery, as well as measure and manage environmental factors, like temperature, pressure etc.

OT is becoming more and more important with the march of Industry 4.0 and increased levels of automation in industry. Smart systems are being developed for power and utilities, transport and manufacturing that will see more and more industrial control systems and equipment connected to networks, including the cloud.

And with the Internet of Things (IoT), OT will increasingly move beyond the industrial environment, as more and more technology is used to monitor and control devices in other sectors, such as logistics, medicine, building management, telecommunications and entertainment.

However, OT and IT are quite different beasts, and are usually treated separately within organizations. But, according to Gartner, developments in IoT, smart systems, machine learning and automation will see IT and OT systems become more integrated.

But OT and IT systems currently have conflicting priorities. While IT services are primarily concerned with data protection and security, OT has so far prioritized availability and accessibility over security. Many industrial control systems were not designed with security front of mind, but awareness of their vulnerabilities and of the potential consequences of cyber attacks has been increasing.

One of the most high profile attacks involving OT targeted a steel mill in Germany, where hackers accessed the plant's control systems and took control of the blast furnace. Iranian hackers were also said to have taken control of flood gates at a US dam in 2013.

OT systems are also harder to protect than IT. Many are known to run on unsupported or unpatched operating systems. Such systems are also vulnerable to human error – hackers used targeted emails and social engineering to infiltrate the German steel mill systems.

As cyber criminals and other threat actors increasingly look to target industrial systems, the security of OT is set to become as important as it is in IT.

Companies are becoming increasingly dependent on IT systems - to manage supply chains, communicate with customers and trade - and are therefore exposed to the risk of significant disruption from IT system failures.

Cyber insurance has evolved over recent years and broad forms of system failure coverage are now available. However, it is important to examine wordings, as significant differences exist between policies.

Cyber insurance can cover business interruption losses from a wide range of systems failures, but will not generally cover outages caused by power supply or telecommunications failures. Depending on the policy, other exclusions may also apply, such as the failure of new software roll-outs or upgrades.

System failure cover typically falls into one of two camps: all risks or named perils. All risks provides the broadest cover, but the market is more limited in terms of insurer options and capacity, and the pricing is frequently higher. Underwriters are also likely to require more information from insureds.

For companies that require system failure cover, it is critical to be aware of the type and scope of cover under their cyber insurance policies. It is also important to work with a specialist broker to understand the implications of wordings.

Cyber espionage is one of the murkier aspects of cyber risk. Few organizations will admit to having been the victim of cyber espionage, but many are concerned about a cyber attack that seeks to steal confidential information, such as trade secrets or client data.

Cyber espionage topped the list of major threat concerns for global business, according to a survey by Trend Micro. One in five global organizations surveyed ranked cyber espionage as the most serious threat to their business while 20% of US companies were said to have suffered a cyber espionage related attack in the last year.

Cyber espionage is a broad term to describe the theft of information related to individuals, companies and governments, using hacking techniques. Foreign governments, state-affiliated hackers and even business rivals will all potentially have an interest in stealing valuable data, such as military secrets, technology or research.

In its broader sense, cyber espionage can also refer to attempts by foreign governments or state-backed hackers to disrupt critical infrastructure or services. For example, a cyber attack in Ukraine targeted power stations in December 2015, causing widespread outages.

As more and more critical data and intellectual property moves online, cyber espionage is likely to become a more pressing issue. At the same time, nation states and state backed hacking groups tend to be better resourced and use more sophisticated methods than cyber criminals.

A recent report from Lloyd’s identified energy, telecommunications and the public sector as the three sectors most susceptible to cyber espionage, followed by manufacturing and professional services. Foreign governments and their agents target these sectors as they seek to steal sensitive information on politically exposed persons, intellectual property and key infrastructure.

Lloyd’s also noted that cyber espionage techniques are evolving, with traditional tactics now being repurposed by criminals to attack banks and financial infrastructure via Advanced Persistent Threats.

Cyber threat analysis can help companies better understand whether they are a likely target of cyber espionage and how best to defend against it. Cyber insurance can also help companies respond quickly and effectively to the consequences of a cyber espionage attack, limiting the commercial and reputational damage.

Patches are software updates, usually released to improve the performance or fix bugs and security vulnerabilities in software already installed on computers, IT systems and devices.

Software is far from perfect, and glitches and vulnerabilities are readily exploited by hackers, who use them to carry out cyber attacks, spread viruses, malware and ransomware, and build botnets.

More sophisticated cyber attacks use unknown vulnerabilities – called zero-day exploits – but the majority rely on known vulnerabilities. Analysis suggests that zero-day vulnerabilities account for as little as 1% of vulnerabilities in Microsoft software.

In fact most exploits involve vulnerabilities that were patched more than a year ago. According to Fortinet’s recent Threat Landscape Report, 90% of organizations recorded exploits for vulnerabilities that were three or more years old. Some 60% of firms were still seeing attacks for vulnerabilities dating back 10 years or more.

The WannaCry and Petya ransomware attacks earlier in 2018 demonstrate the extent to which not patching can leave companies vulnerable. Both used known vulnerabilities to spread through networks and encrypt data, and despite the availability of a patch, the malware infected hundreds of thousands of computers.

Regular patching is known to be an effective form of defence against cyber attacks, and yet companies take on average 100 days or more to update their systems.

In an ideal world, every organization would apply the latest security patches and updates to their IT systems as soon as they are released. But in reality there are many good reasons why companies do not keep software up-to-date, not least because of the complexity and interdependencies of software and the reliance on critical IT systems.

Installing patches can create more problems than it solves, and patches are known to have caused systems to crash catastrophically. In 2015, trading ceased on the New York Stock Exchange for nearly four hours after a technology upgrade went wrong, while a failed upgrade left thousands of banking customers unable to access their accounts at Australia-based St George’s Bank.

Keeping connected devices like industrial control systems updated can also be challenging, especially for older or legacy systems. According to SANS, only 46% of firms regularly apply vendor-validated patches to their industrial control systems. In some cases software will no longer be supported by vendors, and patching is often impractical.

Yet many cyber insurance policies contain wordings that exclude losses arising from a ‘failure to maintain’ systems and apply regular patches and updates. Given that updates may take time to install or may not be practical at all, this exclusion can be problematic.

In some instances it is possible to have a ‘failure to maintain’ exclusion deleted, but clients will need to provide underwriters with quality information on updating procedures. Insurers will want to see processes that ensure updates are applied in a timely manner, but that also prevent business interruption and usability issues.

Silent cyber refers to potential cyber exposures contained within traditional property and liability insurance policies, which may neither explicitly include nor exclude cyber risks.

Unlike specialist standalone cyber insurance, which clearly defines the parameters of cyber cover, traditional insurance policies were not designed with cyber exposures in mind. In many cases, traditional policies will not specifically refer to cyber and could theoretically pay claims for cyber losses in certain circumstances.

This is particularly true for all risk property coverages that do not exclude cyber risk - also known as ‘non-affirmative’ cyber - and is particularly relevant for marine, aviation, transport and property lines, although it is also present in some liability covers.

For example, a study by the UK’s Prudential Regulation Authority (PRA) in 2016 found that the aviation insurance sector has to date been comfortable providing implicit cyber cover and the market has not witnessed a move to introduce exclusions.

Similarly, there are currently no widespread cyber exclusions in the property market. However, underwriters have acknowledged the potential for cyber aggregation resulting from cyber attacks on high-profile commercial or industrial targets, or from smart-house technology, the PRA said.

Casualty lines may also have significant exposure to silent cyber losses, reflecting the fact that exclusions are not widely used or because some policies cannot exclude cyber losses, such as mandatory coverages like motor. Directors and officers, professional indemnity, financial institutions and general liability products are likely to be exposed to various degrees to ‘silent’ risks due to a lack of use of effective exclusions, the PRA said.

How the market approaches silent cyber exposures will have a direct impact on coverage and on the way in which the market reacts to very large and systemic losses.

Cyber-attacks against digital supply chains are on the rise. Supply chain compromises typically seek to introduce security flaws or exploitable features into hardware, software, or digital services, which are then passed on to customers. Last year saw some significant examples of supply chain attacks, including the compromise of managed service providers (MSPs) and several software products.

In 2017, suspected Chinese hackers compromised several global MSPs, which deliver outsourced IT, HR and business services. It is thought that the attackers obtained commercially sensitive data from the MSPs and their clients, which included government agencies.

According to the National Cyber Security Centre (NCSC), MSPs represent a particularly attractive target as they have links to thousands of customers worldwide. Even if a client has strong cyber security, it may find itself vulnerable if a trusted network link to an MSP is compromised.

Between 15 August and 12 September 2017, downloads of a free computer clean-up tool known as CCleaner were infected with malware. The incident is thought to have affected over two million downloads by both individuals and businesses, and resulted in further attacks against large technology and telecommunications companies in the UK, Taiwan, Japan, Germany and the US.

NotPetya, the global malware attack that caused major disruption in June 2017, was also a supply chain attack.

Attackers managed to introduce malware into MeDoc, a legitimate software application widely used by businesses in Ukraine for handling tax returns. The compromised MeDoc update infected users of the application, while the malware was then able to spread itself within networks.

Supply chain cyber attacks are seen as an increasing threat by cyber security agencies and cyber security firms. Analysis from Symantec identified a 200% increase in attacks where hackers injected malware into the software supply chain. This equated to one attack every month last year, compared to four attacks in all of 2016.

Cyber war games simulate the experience of a real cyber-attack, enabling organizations to test their cyber response procedures, capabilities and governance in a safe and controlled environment.

Cyber war games differ from traditional penetration testing, which typically looks for vulnerabilities in IT systems, networks and websites. Cyber war games are a much more involved exercise, aimed at testing an organization’s overall response to a cyber incident, including the decision making of senior managers and the effectiveness of communications.

War games use specially developed scenarios – like a malware or spear phishing attack – to simulate an attack. Simulations can be a simple ‘table top’ exercise or a full-blown simulation. The former would see participants briefed on the attack scenario, whereas participants in a simulation are given very little information and have to work through problems as they arise.

The exercise should, however, be cross functional, involving IT, risk management, business continuity, legal, corporate communications, marketing and customer care. This helps build relationships in advance of a cyber incident and tests the flow of information, including an organization’s ability to share information effectively and quickly, both internally and externally.

Companies can employ a third party to design and run the war game on their behalf. War games can involve an organization’s key business partners, suppliers and contractors, and can incorporate third party services, including breach response, crisis management and even insurance.



We are aware that you have a choice of who represents you, so why choose JLT?

  • We stay close to the pulse of the dynamic London insurance market and leverage our relationships and knowledge
  • Our deep technical knowledge means that we do not accept any insurer's standard policy form and will work tirelessly to ensure you receive a differentiated result
  • Claims advocacy is a vital part of our offering to clients. We link it to placing and wording to ensure that clients receive an aligned approach. Our claims advocates will provide you with tailored policy wordings, advising you about notification and coverage, and work with you and your insurers to achieve successful resolution of all claim-related matters
  • We host training workshops and establish regular meetings with clients
  • We create content that highlights the latest risk trends and aims to simplify concepts that may seem confusing to individuals with limited experience in technology. This includes our monthly newsletter, Cyber Decoder, in-depth whitepapers as well as a wide range of educational videos and materials
  • We know we can’t do it all (penetration testing, incident response drilling, technical security advice) and so we seek unique partnerships, to bring you cutting edge solutions.



In December 2015, a cyber attack led to power outages throughout western Ukraine. The blackouts left 250,000 people without power after three power distribution companies were targeted by hackers. The attack was initiated after an employee opened a spear phishing email targeted at the companies' IT staff. There are allegations that it was a state sponsored attack carried out by the Russian government, keen to cause disruption and political unrest in Ukraine.


A Canadian mining firm suffered a serious data breach in April 2016, losing 14GB of corporate data. This included sensitive material regarding both the employees and the firm, such as emails, payroll information and bank account numbers. Despite the sensitivity of the data released, the intrusion did not affect the day to day operations of the company.


The clearly measurable costs in both these cases include defending lawsuits from current and former employees for the loss of their personally identifiable information and the provision of identity-protection services to those employees.

The forensic investigation costs into the cause of the data breach along with public relations costs required to communicate with the company’s customer base will also be incurred. Less easily quantified impacts include the loss of reputation and the business interruption caused.
