In May 2021, a ransomware attack on the Colonial Pipeline slammed the brakes on fuel deliveries across the U.S. East Coast, exposing the alarming vulnerability of critical infrastructure and sparking chaos in its wake. The oil and gas industry, which is highly dependent on automation and digital control systems, has since made cybersecurity a top priority, a trend confirmed in the 2023 Cyber Survey conducted by Moody’s. The report highlights both the growing focus on cyber risk management across the sector and the uneven implementation of protective measures, including cyber insurance for oil and gas companies.
Only 51% of surveyed companies have standalone cyber insurance, compared to 78% across other sectors. While Colonial Pipeline had coverage, Moody’s snapshot of the industry underscores a critical vulnerability, especially as cyberattacks become more frequent and sophisticated. The reluctance to adopt cyber insurance stems partly from the sharp rise in premiums—some oilfield services companies have seen premiums surge by over 300% in recent years. Higher-rated companies have tended to forgo standalone insurance, relying instead on internal governance frameworks to mitigate risks, a strategy that may expose them to significant financial losses in the event of a cyber incident.
Moody’s 2023 Cyber Survey gathered data from 58 issuers in the oil and gas sector through a 90-question survey. Our further takeaways from the report follow: You can get the whole report here.
Growing Awareness and Spending
According to Moody’s 2023 survey, oil and gas companies are increasingly aware of the cyber threats they face. Nearly 93% of surveyed companies have dedicated cybersecurity staff, and 26% have tied their chief executives’ compensation to cybersecurity performance—both figures surpass the global corporate average. This is especially true for large integrated oil companies, which have been quicker to adopt advanced security protocols. Despite this, there remains a disparity in cyber commitment between different segments and regions, suggesting there is still room for improvement, particularly in terms of escalating cyber risk reporting to C-suite executives. Having cyber insurance for oil and gas companies can help address some of these disparities.
Smaller companies have shown the most significant increase in cybersecurity spending, allocating 9% of their IT budgets to cyber defense in 2023, up from just 3% in 2019. In contrast, larger companies, which already have well-established cyber defenses, have maintained more stable budgets.
Core Cyber Defenses Are Widespread
Basic cybersecurity defenses are nearly universal across the industry. All surveyed companies have implemented incident response plans (IRPs) for cyber incidents, and 84% of oil and gas firms use multi-factor authentication (MFA) for remote access to critical internal systems, slightly above the cross-sector average of 72%. Larger companies, especially integrated oil majors, are leading the way in this regard, with 100% adopting these measures.
However, gaps remain in other areas, notably in data backup practices. Only 67% of oil and gas companies perform regular data backups, compared to an 81% average across all sectors. This could expose the industry to greater risk in the event of a cyberattack. Moreover, testing and review of cyber defenses are less frequent than industry benchmarks, with many companies conducting tests only once a year.
Cloud Storage Lags Behind
Despite the rising prominence of cloud computing in other industries, the oil and gas sector has been slow to adopt cloud solutions. On average, just 10% of oil and gas IT infrastructure is hosted on cloud platforms, with a preference for private cloud systems over public ones. Larger companies favor a hybrid approach, integrating cloud solutions with on-premise legacy systems to maintain robust perimeter defenses. This cautious approach likely stems from concerns over security and energy infrastructure vulnerabilities.
Disparities in Regional and Segment Practices
The report identifies significant regional differences in cybersecurity practices. For example, while 100% of companies in the Asia-Pacific (APAC) region report cybersecurity risks to their boards, only 56% escalate these risks directly to C-suite executives, compared to 81% in the Americas. This difference suggests that in APAC, cybersecurity may be viewed more as a governance issue rather than an operational concern.
Similarly, there are discrepancies between different segments within the industry. Midstream energy companies and independent exploration and production firms lag behind large integrated oil companies in several key areas, including cybersecurity governance and cloud adoption. While integrated oil companies have been quick to adopt advanced protocols like red team simulations and penetration tests, smaller companies have been slower to implement these measures.
Future Outlook
Moody’s survey reflects an industry that is increasingly aware of the cyber risks it faces but has yet to fully address these challenges in a comprehensive and unified manner. The rise in regulatory pressure, such as the EU’s updated Network and Information Security Directive (NIS2), will likely push companies to strengthen their defenses further. However, the low adoption of cyber insurance for oil and gas companies and uneven reporting lines to senior management remain critical gaps.
As the oil and gas sector continues to diversify into other energy markets, particularly electricity retail, the complexity of managing cyber risks will only grow. For companies in this sector, robust cybersecurity strategies will be essential not only to safeguard their operations but also to protect their credit ratings and broader financial stability.
In conclusion, while the oil and gas industry has made significant strides in improving its cybersecurity posture since the Colonial Pipeline attack, challenges remain. Regions and segments show disparities, companies remain cautious toward cloud computing, and oil and gas companies underuse cyber insurance, highlighting the need for more action to fully secure this critical sector from evolving cyber threats.
Other News: Hackers Get Trickier as Companies & Cyber Insurers Improve Their Defenses (Opens in a new browser tab).
Other News: The Attack on Colonial Pipeline: What We’ve Learned & What We’ve Done Over the Past Two Years.
