If, during the first week of May of this year, we had asked any insurer or corporate risk manager in the Middle East what they thought the biggest risk facing the region was, we probably would not have seen any kind of consensus.
Ask the same bunch of people the same question after Friday 7 May, however, and we might well have seen a consensus focused on cyber risk.
What changed, of course, was the ransomware hack that day on the Colonial pipeline in the far-flung Americas.
Here, hackers claimed their biggest target to date as they shut down the 8,800km Colonial pipeline network that shifts petrol, diesel and jet fuel from Gulf of Mexico refineries to the Atlantic coast. The bad guys, most probably based in Russia according to the FBI, are known as DarkSide.
The Middle East, with its heavy dependence on the extraction and sale of hydrocarbons, must have received a sharp wake-up call and was doubtless wrestling with the thorny dilemma of what it would do if such a thing happened closer to home.
The reality is that some corporates that are the victims of ransomware attacks have little choice but to pay up – since they do not have access to reliable copies of the data that has been compromised. As a consequence, there is no right or wrong way to respond to a ransomware attack and it will depend very much on individual situations.
A couple of years ago only a few brave insurers offered cyber cover that would offer protection in circumstances such as this – whereas today everyone seems to be at it.
Naturally, critics use this as a stick to beat the insurance industry with – on the basis that simply providing cover for ransomware attacks encourages corporates to pay the ransom and then claim. Law enforcement agencies, naturally, feel that caving in to any form of blackmail or extortion simply exacerbates the problem.
Cyber security expert Josephine Wolff of Tufts University said it has come to be built into organisations’ risk-management practices “as one of the costs of doing business. And I think that’s really worrisome because that is what fuels the continued ransomware business - people keep paying ransoms”.
A few days after the Colonial pipeline attack, AXA said that it would no longer be writing cyber insurance policies in France that reimburse customers for extortion payments made to ransomware criminals, in what could be an industry first.
Emsisoft analyst Brett Callow called AXA’s decision smart, noting that some organisations seem more inclined to pay ransom if the money is not coming from their own pockets. “The only way to break this vicious cycle is to cut off the flow of cash - and ceasing to reimburse ransom demands may well do that.”
Whatever the outcome, the energy sector in the Middle East is likely to be looking closely at the level of cover it has for cyber attacks on its pipeline networks and other distribution networks – and this could be an opportunity for the insurance sector as well as a significant learning experience.
Middle East Insurance Review