Client Advisory: Cyberattack Forces Oil and Gas Services Provider Halliburton to Take Systems Offline

Halliburton stated it was hit by a cyberattack on August 21, 2024 when an unauthorized third party gained access to some of its systems. The top U.S. oilfield services firm is working with external advisers to assess and remediate the situation, the company said in an SEC filing. In response to the attack, Halliburton proactively took certain systems offline to help protect them and notified law enforcement. Halliburton explained the incident has caused disruptions to some operations and corporate functions. On September 3, Halliburton confirmed that data exfiltration had taken place in their cyberattack. The company is still evaluating the nature and scope of the information and what notifications are required. 

Organizations in the oil and gas industry are increasingly basing their daily operations on connected technologies and computer systems. Halliburton’s situation and recent attacks on Crescent Point Energy, Qulliq Energy, and Encino Energy, which also included data exfiltration, are the latest reminders of how the energy and oil and gas sectors have become targets for cybercriminals in recent years.

Supply chain risk is an important related consideration for the oil and gas industry. For example, when Marquard & Bahls subsidiaries Oiltanking GmbH Group and Mabanaft Group were hit by a cyberattack in 2022 that disrupted operations in Germany, Shell was forced to reroute oil supplies.

Increased reliance on computer systems, technologies, and access to information has significantly increased a company’s exposure to cybersecurity threats. Dragos, a security firm focused on operational technology and industrial controls systems, noted a 50% increase in ransomware events last year, with 70% of the events originating in the IT environment.¹

Another report by Sophos surveying 275 energy and oil and gas companies revealed that 67% of those companies surveyed had been hit by a ransomware attack in the last year. Over 47% received ransom demands of more than $1 million, while 24% received demands of more than $5 million (mean payment of $3,225,093).¹ More than half of those organizations took longer than a month to recover from the event, according to the Sophos survey. “I’d rather have a root canal than go through one of these attacks again,” said the CEO of Suncor, one of the survey participants.

As the threats to the oil & gas industry have evolved, so have Cyber policies to keep pace with needs and exposure. Older cyber policies, for example, were primarily purchased by organizations with a vast amount of Personally Identifiable Information (“PII”). Today, however, critical infrastructure and operationally heavy organizations have become key buyers due to the broad first-party coverages now routinely built into the policies.  

These coverages can include reimbursement of ransom payments, Business Income/Extra Expense coverages, coverage for system failures and software errors, and contingent business interruption coverage. 

These cyber policies also provide access to best-in-class vendors to assist with claims and free (or low-cost) third-party risk management services. An important aspect of the Halliburton event is a feature within cyber coverage called “Voluntary Shutdown.” This is often not included as standard coverage and would need to be endorsed to the policy. 

Not all cyber policies are built equally, so it is important to read yours carefully and consult with your broker regarding whether specific loss scenarios may be covered.

McGriff has built cyber products available for clients in this industry class that include coverages and terms not typically found in off-the-shelf cyber policies. These can include Co-venture/Joint Venture coverage, affirmative coverage of outages for oil and gas technology, and coverage for contractual penalties due to delays in projects and drilling. Failure to supply coverage is also available if needed.