15 March 2024
Energy Firms Face Up to New Generation of Operational Risks
Ageing infrastructure, new technologies, and cyber intrusions are among the challenges facing a continually transforming energy sector
Energy firms are facing a series of challenging headwinds, presenting new and emerging operational risks. In addition to macro threats, such as geopolitical turmoil and growing climate extremes, there are challenges associated with ageing infrastructure, the transition to Net Zero, and a rapidly evolving cyber risk landscape.
From an operational risk management perspective, the primary focus has traditionally been on the protection of physical assets, infrastructure and machinery. However, this is shifting as the threat landscape becomes more intangible in nature. In today’s world, firms are just as likely to experience a major loss from a supply chain blockage or cyber intrusion as they are from a fire or explosion.
Inflation remains a significant concern as we move through 2024, prompting energy underwriters to factor the increased cost of claims into their pricing. Against the backdrop of a more constrained insurance market, demand is growing for more bespoke risk transfer solutions and risk mitigation advice.
Inflation and supply chain issues remain persistent in a period of transition
As companies move forward on their transition journeys while at the same time focusing on near-term challenges of ensuring adequate and affordable capacity, there are multiple operational and cost pressures to contend with in the energy sector. Price inflation and shortage of raw materials remain key issues despite fewer major supply chain disruptions in recent months.
Shortage of materials result in higher pricing and increased risk for developers. The pressures are particularly hard on small and medium-sized enterprises, which lack the purchasing power and balance sheet buffers of their larger competitors.
For the foreseeable future, rising project costs and construction delays will continue to be a feature for energy providers. It will influence the margins of all businesses, especially those in the renewables sector, where the indexed price inflation of materials, in particular, is spurring volatility within the market. Operational costs remain heavily contingent on global pricing trends.
Meanwhile, the global energy transition continues to present challenges as the resource mix evolves toward renewable energy and there is less flexible generation. As new onshore and offshore energy sources integrate into the grid and as other renewable projects come online, they inevitably introduce intermittent fluctuations, resulting in peaks and troughs that need to be carefully managed by grid operators.
For the foreseeable future, rising project costs and construction delays will continue to be a feature for energy providers.
A major issue for many energy and power operators are the costs and vulnerabilities associated with outdated and deteriorating infrastructure. This is a particular problem for electric utility firms, with US providers estimated to be spending over $100 billion a year to patch up ageing infrastructure.
Demand for enhanced output exposing the limits of outdated infrastructure
A major issue for many energy and power operators are the costs and vulnerabilities associated with outdated and deteriorating infrastructure. This is a particular problem for electric utility firms, with US providers estimated to be spending over $100 billion a year to patch up ageing infrastructure.
In Europe, the war in Ukraine has worsened the situation, requiring plants to operate for extended durations. Given the high costs and political sensitivity associated with constructing new energy plants, this necessitates repair and retrofitting rather than out-and-out rebuilds. Regulatory directives also underscore the need for upgrades amid concerns over reliability, with associated demand for enhanced engineering standards.
Due to the additional demand imposed by factors such as inflation, plant operations have shifted from 'base load' to 'two-shifting' on machinery not initially designed for such operational patterns. This shift results in inefficiencies, heightened maintenance costs, and potential safety hazards.
Distinguishing between old technologies, such as fossil fuel, and green technologies, such as renewables, is crucial. But it does not tell the whole story.
The physical, operational risks associated with traditional energy firms are generally well-understood, and there is much a longer claims history, allowing operators and underwriters to anticipate and price the underlying risk. But at the same time, issues associated with ageing plants and machinery (particularly in oil and gas) and new prototypical technologies (particularly within renewables) introduce new vulnerabilities.
For many firms, investment is required to identify current and future operational requirements and where upgrades are necessary. It is also important to devise effective strategies for retaining skilled employees, and in implementing comprehensive training programs to upskill the existing workforce.
“publicly available information on significant cybersecurity incidents is limited due to under-reporting and lack of detection”
Power and energy an easy target for cyber threat actors
The power and energy sector has emerged as a prime target for cyber threat actors, highlighted by the surge in malicious activities globally. The heightened integration of technology, particularly via the Internet of Things (IoT), has escalated the sector's vulnerability to risks and circumvented many facilities’ traditional ‘air gapping’ cyber defence. The evolution of infrastructure has further compounded the susceptibility to attacks, introducing a multitude of possible entry points for potential breaches.
Vulnerabilities within dated and unpatched industrial control systems render many energy firms easy pickings, with the International Energy Agency noting that “publicly available information on significant cybersecurity incidents is limited due to under-reporting and lack of detection”. While there have been few examples to date, the potential of a cyber-attack to cause physical damage to energy facilitates and/or bodily injury is an exposure many risk and insurance managers continue to grapple with.
A report by Moody’s Investors Service, notes that water and wastewater companies are increasingly becoming a target of cybercriminals. The rating agency explains this is due to the use of digital components becoming more widespread and the potential for physical cyber attacks rising due to insecure operational technology. It warned that the use of AI could accelerate this trend.
Recently, the targeting of energy and power infrastructure has become a deliberate tactic of war, with evidence that cyber-attacks on utility firms reached “alarmingly high levels” following Russia’s invasion of Ukraine. Escalating global instability has given rise to an augmented onslaught of cyber threats against the sector. This includes hacks targeting European wind energy firms and a rising slew of ransomware attacks.
State or state-sponsored threat actors are actively attempting to disrupt and damage critical infrastructure. Simultaneously, cybercriminal groups are capitalising on vulnerabilities within dated control systems, targeting what they perceive as 'high-value' entities to reap substantial economic profits.
Leveraging risk engineering is becoming a key differentiator
Faced with a shifting risk landscape, the role of industrial risk engineering is becoming an increasingly important tool for energy businesses. It is crucial to ensure that hardware, machinery, and other physical assets and infrastructure are well maintained. Additionally, plant personnel should possess the requisite training and experience. The structures governing specific processes should operate seamlessly, particularly those involving skilled activities, such as hot work or welding. Protocols such as risk assessments can help implement robust measures to fight cyber threats. These include assessing the risk associated with unauthorised access, data breaches, malware attacks and other cyber threats specific to the energy sector.
The responsibility is on operators to meet these standards, demanding a serious consideration of risks and a proactive approach to risk mitigation and operational resilience. Risk engineering helps energy operators develop incident response plans to effectively respond to digital threats. This can help define roles and responsibilities, establish communication channels and outline steps to contain, investigate and recover cyber-attacks. By having a well-defined incident response plan, companies can minimise the impact of cyber threats and quickly restore normal operations.
Engaging risk engineers and demonstrating what action has been taken on the back of recommendations to build more robust operations reduces the threat of claims. Having ‘skin in the game’ helps clients build stronger relationships with the insurance market and puts them in a stronger position from which to negotiate pricing, terms and conditions.
Best practice for risk improvement
- Strive for a high level of ‘risk maturity’ through sound engineering.
- Ensure the focus is on value.
- Enable companies to align the risks they are willing to take through risk financing.
- Effective communication with the insurance market about operational measures is pivotal.
Preventive risk management is emerging as a priority, so engaging in proactive forecasting and educational initiatives is advisable to enhance competitiveness.
How the insurance industry is responding to new operational risk exposures
As the risk landscape evolves and clients are forced to contend with more intangible exposures, such as cyber, demand is growing for more specialist coverages and alternative solutions to reduce operational risk and mitigate cyber risks. For example, cyber liability insurance provides financial protection for costs associated with investigating and managing a cyber-incident, as well as providing cover for business interruption losses and third-party claims. Financial assets can come under attacks such as theft of funds, fraudulent electronic transfers or social engineering attacks. Crime insurance can help mitigate financial losses caused by cyber-criminals. Physical assets are areas of high risk where property insurance can provide coverage for physical damage resulting from an online attack, such as damage to computer systems, or other critical infrastructure.
Energy clients are keen to enhance the quality of risk mitigation practices as they face an increasingly complex and volatile series of global threats. This encompasses thorough risk assessments with regard to macro threats, including cyber, geopolitical and climate-related risks. Such an approach enables decision-makers to gain a more nuanced understanding of risk dynamics affecting their organisation now and into the future.
Mike Parry, Partner, Renewables – Gallagher Specialty
"Brokers need to be optimising the cost of financing insurable risks, including targeting spend on insurance premiums, to where it adds the most value or removes the most damaging risks from the balance sheet.
Client objectives ultimately revolve around mitigating risk. We ask ourselves, ‘How do we facilitate this?’ The answer is not complicated – we assist clients in being standouts in the market, helping them build strong, strategic win-win insurer relationships, attract sophisticated risk transfer solutions and move forward with confidence."
Mike Parry, Partner, Renewables – Gallagher Specialty
Innovating to meet changing demands
There is a growing expectation for brokers and the wider insurance industry to adopt creative and strategic approaches. This involves delving deeper into clients' risk profiles and offering services such as risk engineering, scenario analysis and portfolio stress testing to identify and remedy potential operational vulnerabilities and plug gaps in insurance programs.
As the industry continues on its transformation journey, it is clear that clients will require a holistic approach to managing and mitigating operational risk. It is important for energy companies to carefully assess their specific requirements by consulting with insurance professionals to determine the most appropriate cover for their needs. Brokers and insurers offering risk engineering services can support clients in nurturing their understanding of the intricacies of operational risk in an ever-evolving world.
Arthur J. Gallagher (UK) Limited is authorised and regulated by the Financial Conduct Authority. Registered Office: The Walbrook Building, 25 Walbrook, London EC4N 8AW. Registered in England and Wales. Company Number: 119013.