Myriad threats challenge energy companies to step up their cyber risk management game

In 2021, a U.S. oil pipeline company fell victim to a ransomware attack that disabled its network systems for close to a week.

The effects were far-reaching, triggering fuel shortages and national security concerns.

The common image of a pipeline company — oil or natural gas flowing from one place to another through a maze of pipes — does not intuitively suggest vulnerability to a cyberattack. Yet pipeline companies, and energy companies more broadly, are particularly sensitive to network disruptions. That sensitivity can become even more pronounced during political, economic, and military conflicts.

Energy companies can no longer ask if they will face a cyberattack, but rather how they will respond when one occurs. Risk professionals can begin to answer that question through planning and preparation, and by working with the right advisor to understand their risks and insurance needs.

A critical risk

Cyber risk has evolved from a peripheral concern in the energy sector to a permanent and continuously expanding feature of modern warfare and geopolitical confrontations. As conflicts increasingly extend into the digital domain, energy assets are especially vulnerable to cyber campaigns driven by political, military, or economic objectives. Consequently, cybercriminals and state-sponsored actors alike increasingly target energy companies.

The energy sector’s heavy reliance on uninterrupted operations, sophisticated operational technology (OT) and industrial control systems (ICS), cloud-based environments, and interconnected third-party vendors exposes it to cascading cyber impacts.

These risks tend to intensify during periods of geopolitical tension. Several organizations and governments in recent weeks have reported cyber activity occurring alongside broader international conflicts.

Public reporting has described suspected hostile cyber incidents involving a medical technology company and a European research institution, for which threat actors claimed responsibility and to which authorities responded with defensive action. While details and responsibility remain subject to ongoing assessment, these events underscore how cyber activity often escalates in parallel with geopolitical instability.

Operational disruptions and ransomware raising the stakes

Business interruption losses, a particularly consequential cyber risk for the energy sector, can arise not only from attacks on a company’s own systems, but also from outages affecting cloud providers, managed service providers, or other critical third parties. For example, the July 2024 CrowdStrike outage and the October 2025 Amazon Web Services and Microsoft Azure outages affected companies across several sectors, including energy.

Ransomware represents another severe and growing threat. Ransomware strikes can disrupt OT environments, shut down critical systems, and interrupt the delivery of energy to customers. The consequences flow downstream into potential contractual, regulatory, and liability risks.

Compounding these risks is the energy sector’s low tolerance for prolonged downtime. Pausing and restarting generation and distribution assets often entails significant costs and technical risk. As a result, cybercriminals hold considerable leverage in ransom negotiations, leading to high-stakes extortion tactics that can disrupt power delivery, expose sensitive data, or target suppliers to magnify operational impacts.

Certain challenges can persist after normal operations resume. Ransomware groups are increasingly stealing engineering data and production information before encrypting systems, creating longer-term security and regulatory risk challenges.

From the fourth quarter of 2024 to the first quarter of 2025, ransomware attacks involving industrial operators — including energy companies — increased by 46%, according to Honeywell. Even limited IT compromises can force operators to halt physical processes out of an abundance of caution, turning limited intrusions into major operational disruptions.

Energy companies can become complacent and underinvest in cybersecurity if they assume that cybercriminals overlook them because they have relatively little customer data. Their systems can still contain sensitive employee data, engineering schematics, and commercial intelligence that cybercriminals may find attractive.

Cybercriminals can obtain this sensitive information via social engineering ploys that exploit employees’ fatigue with multifactor authentication, phishing tricks, and vendor-spoofing schemes. Artificial intelligence (AI) can help attackers fool even the best-trained and most cautious employees.

Plugging coverage gaps through cyber insurance

Traditional property, casualty, and management liability policies can provide limited protection against cyber-related events. However, these policies were not designed at their core to protect against the losses we see arising out of everyday cybersecurity claims. Traditional policies often exclude coverage for:

  • Nonphysical damage and resultant business interruption from cyber events.

  • Bodily injury arising from a cyber event.

  • Claims against CISOs, CIOs, and other C-suite executives in their capacity as company directors and officers.

  • Social engineering and invoice manipulation.

These gaps highlight the importance of dedicated cyber insurance for energy companies. A well-crafted cyber policy typically includes:

  • First-party coverage. This includes coverage for investigation costs, business interruption losses, extra expenses, and data and computer hardware restoration costs.

  • Third-party coverage. This covers claims made against an insured business by outside parties, including regulators. Third-party policies can include legal fees and other costs and expenses related to cyber incidents, data breaches, and violations of privacy laws.

Cyber policies also generally provide access to proactive and specialized cyber risk management that can help companies prepare for and respond to potential events. These include:

  • Technical and legal consulting and often discounted tooling to help organizations prepare for and mitigate cybersecurity events.

  • Networks of expert cybersecurity response firms that help organizations respond to cyberattacks effectively and efficiently.

Of course, not all cyber policies are equal. It’s vital that energy companies work with their insurance brokers to carefully select the right insurer(s) for any program. It’s equally important that they optimize policy terms — including limits and sublimits — and language. Specifically, risk professionals and their brokers should take a close look at:

  • OT and ICS coverage.

  • System failure coverage.

  • Language related to “failure to supply.”

  • Language related to fines imposed by the North American Electric Reliability Corporation and Federal Energy Regulatory Commission.

  • Language related to relighting expenses.

  • Missed bid coverage.

  • Affirmative coverage for property damage and bodily injury.

  • Policy wording related to geopolitical risk and war.

Energy companies and their brokers should also be sure to look at insurance coverage holistically. That means ensuring a coordinated approach to purchasing across all lines, including cyber, property, D&O, GL, and fidelity/crime, which can help to minimize potential gaps and give energy companies confidence that their insurance coverage will respond as intended when needed.

Looking beyond insurance

While insurance can provide an essential backstop, effective cyber risk management calls for broader preparation.

Energy companies should invest in incident response planning that clearly defines how to:

  • Detect incidents, including monitoring systems, suppliers, and environments.

  • Analyze events for their operational impacts and escalate according to established criteria.

  • Execute appropriate response actions to minimize operational impacts and restore operations.

Plans should assign roles and responsibilities for internal and external stakeholders. Internal stakeholders include executive leadership and boards, along with key functions such as risk management, finance, legal, communications, information technology, and security. Third parties that are often involved in incident response include insurers, brokers, outside counsel, and forensic accounting specialists.

Tabletop exercises involving these external and internal parties can help organizations test their plans, identify potential gaps or deficiencies, evaluate response times, and ensure everyone understands their roles and responsibilities.

Contractual risk management is equally important. Energy companies should review agreements with technology and service providers to ensure they include appropriate cyber insurance requirements, indemnification provisions, and incident notification obligations.

Choosing the right risk advisor

As energy companies navigate this evolving risk landscape, their insurance broker should serve as a trusted strategic advisor. That partner should offer:

  • Insurance and energy industry expertise. It’s not enough to understand cyber risk or the energy industry alone — your broker should have a deep understanding of both, including the unique OT/ICS exposures you need to protect against.

  • Fluency with policy wording. Your broker should be familiar with war exclusions and other policy endorsements insurers may seek to apply, and should be able to work with you to tailor your policy to meet your unique needs.

  • Strong relationships and credibility with leading carriers. Your broker should advocate on your behalf, negotiate coverage terms, and educate insurers about your specific needs and what sets you apart as a potential risk.

  • Advanced analytics. Your broker should be able to help you make informed, data-driven decisions about your insurance program. Among other things, they should help you run financial modeling, quantify your cyber exposure, and help you make crucial choices about limits, deductibles, and more.

For more on how you can improve your cyber risk preparedness, visit:

Or contact a member of Lockton’s Cyber & Technology team.