Hunton Insurance Recovery Blog

While the holiday season brings joy to many, it can be a stressful time for businesses. Cyberattacks often spike during weekends and holidays when businesses are less vigilant and slower to detect unusual activity. This reduced oversight creates an opportunity for attackers to exploit weaknesses and cause significant disruption. A recent article in Tech Times noted that ransomware groups launch over 50% of their attacks during weekends and take advantage of December’s increased operational shortages.

Cyber insurance is key to mitigating these cyber risks and the associated costs, including ransom payments and first-party costs such as forensic investigators and legal counsel. Cyber insurance also covers lost business income that results from network interruptions caused by a ransomware attack, and, if the coverage is purchased, will apply to cover lost business income when the system is shut down proactively to ensure containment.

Recently, Venezuela’s state-run oil company, PDVSA, was impacted by a ransomware attack, purportedly affecting its administrative systems, taking workers offline, and interrupting cargo loadings.

This incident is a critical reminder to the oil and gas industry that cyber insurance remains an essential safeguard against ransomware and other cyber incidents.

Indeed, as our colleagues explained in a recent article, the oil and gas industry remains an attractive target for cybercriminals and state actors as many operational technology systems are built on infrastructure that is rooted in outdated software and vulnerable to cybersecurity incidents.

Additionally, midstream companies, and oil and gas companies more broadly, often overlook the need to obtain and maintain a robust cyber insurance program. These companies often—wrongly—assume that they have little risk since they do not maintain significant stores of personally identifiable information (PII). However, cyber incidents that do not involve PII are still expensive and disruptive to a business’s operations. Every hour that a business’s operations are interrupted by a cyber incident can translate to millions of dollars in what would be considered covered losses under a robust cyber insurance program.

To ensure policyholders can transfer risks effectively in the wake of a ransomware attack, corporate policyholders should consider the following safeguards:

1. Maintain Standalone Cyber Insurance Coverage. Businesses should maintain a standalone cyber insurance policy that provides robust ransomware/cyber extortion coverage; breach/security event response coverage (including for investigation and legal fees); cyber liability coverage for both third-party claims and regulatory investigations/actions; network interruption coverage—including for voluntary shutdowns needed to ensure that the threat actor is out of the system; and digital asset/data loss coverage to cover the costs to restore or recreate electronic data compromised due to a ransomware attack. Policies should also provide coverage for notification costs, credit monitoring, and other expenses incurred in response to data breaches.
2. Check for Broad Cyber or Privacy Exclusions in Other Policies. Non-cyber forms can complement a business’ cyber coverage, as long as they don’t have broad cyber or privacy exclusions. For example, kidnap, ransom, and extortion coverage may offer additional limited coverage for ransomware attacks, while crime policies should cover social engineering claims. Commercial general liability and pollution policies can provide coverage for bodily injury or property damage claims stemming from a cyber incident, as long as they don’t exclude loss arising from cyber or privacy incidents. This coverage can fill the gaps left by cyber policies, which generally exclude coverage for bodily injury or property damage. Checking for cyber or privacy exclusions can help policyholders avoid unintended coverage gaps. Additionally, coordinating coverage forms can ensure that a policyholder’s entire insurance program works to provide comprehensive coverage for losses, especially when individual policies have coverage limitations.
3. Contingent Business Interruption Coverage is Key When Relying on Vendors. For policyholders that rely on cybersecurity and information technology vendors to help operate their business, contingent business interruption coverage is essential. Contingent business interruption coverage offers coverage for a policyholder’s lost income caused by a cybersecurity event, like a ransomware attack, which disrupts a vendor’s ability to provide the services a policyholder’s business relies on.
4. Utilize Contractual Risk Transfer Mechanisms in Vendor Agreements. Policyholders should ensure that contracts with cybersecurity vendors include defense and indemnity provisions that indemnify the policyholder if a vendor’s conduct results in a cybersecurity event such as a ransomware attack. Further, clients should request additional insured status under any vendor’s cyber liability coverage if that vendor maintains or otherwise utilizes PII that the company is responsible for.

As 2025 comes to a close, ransomware and other cybersecurity events remain a threat to corporate policyholders. Adequate insurance coverage and enforceable, carefully drafted, vendor contracts can help policyholders recover from the devastating effects of ransomware attacks and other cybersecurity events.