Cyber Risks in the Energy Industry

In times of depressed commodity prices and an ever-increasing risk because of cyber-attacks, companies especially in oil and gas need to find the right balance of affordability and risk mitigation spend (technical and financial) to survive and prosper.

Munich Re‘s cyber solutions and services enable all stakeholders from Tier 3 to Tier 1 to better understand the financial impact of cyber risks and the opportunities of the associated measures: mitigation of the risk; retention and funding of the risk; and transfer of the risk.

The industry is facing a “new normal”: ever-decreasing demand, driven in part from increasing competition of alternatives, higher volatility and continued depressed commodity prices, force oil and gas companies to cut costs immediately and to shift to more sustainable cost levels in the short-term.

Increased digitalisation efforts might reduce expenditures - but it comes at a cost: Especially in pipeline and tank farm operations, a high level of automation and remote condition monitoring might reduce enormous labour costs. But replacing humans with technology will also increase the risk profile consequent upon incremental risk from cyber threats. Highly knowledgeable and capable bad actors will cause an associated and a significant increase in the overall exposure organisations face in their risk portfolios. 

• Reducing costs will not be enough: There are many ways to reduce costs to meet short-term reductions in demand and lower prices: eradicate external contract spend, furlough or lay-off non-essential staff; defer transition from exploration to production, re-profile shipping schedules and so on. But there is a simple truth to acknowledge: In medium term, you can’t cut your way to success - either in terms of P&L performance or investing to meet the demands of a sustainably lower cost base to a commodity price range of $25-$40.
• Revisit your risk portfolio: Portfolio risk management in the light of aggressive, malevolent intent leads to a conclusion you might be under-estimating your portfolio risk. There is a high likelihood of greater levels of business interruptions than previously expected, and that the potential for associated bodily injury and property damage ramifications grow.
• Secure your operating license: In an era of transparent accountability built into ESG expectations and compliance, your operating license can be at risk if there is a failure of cyber security with the obvious associated corporate and personal accountabilities that flow from that.
• Your risk capital needs to work harder: Quantify your cyber risk with auditable quality, evidence-based numbers. This will give you more flexibility to make cyber risk provision mobile to able to be treated through existing financial instruments like the Captive and respond to the increased risk profile with contingent capital instruments. 

There is a fine line in finding the right balance of mitigation and risk transfer. At Munich Re we understand the sector and support you in this potentially existential transitioning decade in two ways: first, by helping to quantify cyber risk with auditable quality evidence-based numbers that enable the release of cyber risk capital.

Second, sharing of that risk with thoughtful and relevant solutions that can allow you to deploy your risk capital in ways that ensure it works harder for the stressed P&L the organisations in the sector are facing.