As one could easily predict, Colonial Pipeline is being sued in a punitive class action for negligence around their 6 day outage due to the recent ransomware attack that impacted fuel supply in the Southeast and up the eastern coast.  If your company had been relying on them in the way that the gas stations/convenience stores were, you might be in line to seek recovery for that loss. Though I am not a cyber broker any longer, therefore am not involved in the placements for any of the potential plaintiffs, I suspect that several downstream customers of Colonial Pipeline suffered business interruption losses in the tens of millions, each! 

As a result of my prior experience and role in developing policy wording for this sector, I am intimately familiar with the policy language in the Oil & Gas sector and am sure Colonial is now looking to their cyber policy’s “failure to supply” coverage to respond to their third party losses.  But, they will have already blown much if not all of their limit on their own ransomware payment, costs to get the system back up and running, overtime, etc. 

How much limit do they have left to pay for defense costs and settlements to the many third parties that are suing them?  Do their force majeure provisions apply?  Not only will they run out of limits unless they bought well in excess of $100M (on my assumption only), but the negotiations around settlement will be a huge mess and could drag on for months or even years. 

How VendorGuard would have changed the outcome:

VendorGuard would have provided contract-specific, primary coverage for the benefit of the enterprise/sponsor (BP as an example, or any other corporate customer that suffered a business interruption and extra expense loss as a result of this breach). In addition, the policy would have paid for any potential downstream losses alleged by their customers’ customers (the individual consumer) to the extent there is enough of a link to show “negligence”, which would mean that there was a duty owed and that duty was breached.  How far their duty extends would be an interesting topic in and of itself.

VendorGuard, using BP as the example “enterprise sponsor” of the program, would have provided contract-specific cyber coverage for Colonial Pipeline that only inured to the benefit of BP under their contract for (gas supply) services.  The insurance would have been primary to CP’s other insurance such that if there were many other CP customers seeking recovery for their losses, it would not matter to BP, as the indemnity and insurance obligations agreed to between the two parties would be met via VendorGuard.

It is likely that BP’s own cyber insurance has some coverage for Contingent Business Interruption, but it may only extend to “technology” service providers, they may have to be “scheduled”, there may now be an exclusion for ransomware specifically, and they likely have a substantial deductible and/or waiting period that would apply first.  Obviously relying on your own cyber to cover losses that are a third party’s fault is not an ideal solution for anyone, as ultimately it will impact your rates and ability to renew your capacity even if insured in the short term.

 Third Party risk is not going anywhere! 

The attached infographic provides some additional background information about the state of “cyber” losses as they relate to/result from third party service providers. 

To stay up to date, follow us on social media:

Twitter: @crownjewel_ins

 LinkedIn: @Crown Jewel Insurance

 Facebook: @Crown Jewel Insurance