Author: Joey Sylvester
Cyber threats targeting the energy sector aren't new. What has changed is the nature of those threats and the tactics behind them. Based on real-world incident response data and forensic investigations across hundreds of energy-sector matters, three trends in particular warrant attention.
Who dominates the threat landscape
In the energy sector, two categories of threat actors account for most incidents: nation-state advanced persistent threat groups and organized cybercriminal organizations.
Nation-state actors (groups sponsored or financed by foreign governments) are often focused on intelligence gathering or, increasingly, outright disruption. Wiper malware designed to permanently destroy data (including backups) has been deployed against energy infrastructure and utility systems across multiple US states in recent months, with Iran and Russia among the attributed actors.1 The goal isn't financial gain. It's business interruption at scale.
Increasingly worrisome is the noted persistent threat and compromise of Operational Technology (OT) assets including Industrial Control Systems (ICS)/Supervisory Control and Data Acquisition (SCADA) by Chinese threat actor Volt Typhoon. US threat advisories highlight Energy as a critical sector in which Volt Typhoon has gained a significant foothold, possibly leading to disruptive attacks "in the event of potential geopolitical tensions and/or military conflicts." 2
Financially motivated groups, by contrast, are primarily seeking payment. These include ransomware operators and business email compromise (BEC) actors that many organizations are already familiar with. What has evolved is how they operate and how they extract value.
As organizations improved their ability to recover from encryption-based attacks, threat actors adapted. Today, they're more likely to exfiltrate data and threaten to release it to competitors, the media or regulators.
The three most common incident types we see in the energy sector are BEC (often involving wire fraud), ransomware and third-party breaches. That last category remains a significant blind spot. Under most state and federal frameworks, if a vendor or partner experiences a breach that exposes your data or disrupts your operations, your notification and compliance obligations are still triggered.
Data extortion is now the norm
For several years, ransomware was synonymous with encryption: attackers locked systems and demanded payment for a decryption key. That model has shifted. As backup practices improved, the leverage of system disruption alone weakened, and threat actors adjusted.
Today, a more common scenario involves data exfiltration without encryption. Attackers quietly extract sensitive files such as operational data, personnel records, client information and internal communications, and threaten to publish them unless payment is made.
For energy companies, which often hold commercially sensitive information alongside data tied to critical infrastructure, this type of exposure can carry consequences that extend beyond regulatory fines.
The data reflects this shift: ransomware incidents increased from 48% to 52% of total cybersecurity cases between 2024 and 2025, with attackers increasingly pivoting toward standalone data theft over traditional encryption-based attacks — a trend explored further in our 2025 cyber resilience analysis.
What this means for coverage conversations
- Data extortion events may not trigger the same policy language as traditional ransomware. Review how your policy defines a "cyber event" and whether data theft without system disruption is explicitly covered.
- Fewer than 10% of affected organizations ultimately pay the ransom but the decision is highly fact-specific, legally complex and time-sensitive. Having counsel and a forensics partner pre-engaged can make a meaningful difference.
- Office of Foreign Assets Control (OFAC) sanctions compliance must be verified before any payment is made, regardless of urgency.
AI is changing both sides of the equation
AI is reshaping the threat landscape in two distinct ways, and many organizations aren't fully prepared for either.
On the threat side, AI is making social engineering more convincing and more scalable. Phishing emails that once revealed their origins through poor grammar or formatting are now polished, industry-specific and contextually accurate.
In one example, a threat actor used a phone-based social engineering tactic to impersonate an IT staff member and gain remote access to a call center employee's device. Once inside, they leveraged an existing, authorized program to search for files containing usernames and passwords, locating what they needed in minutes without deploying malware.
In another instance, Deepfake technology has been used to steal many millions of dollars through impersonating executives in live video conferencing calls to even the most aware employees.3
On the other side, many organizations are adopting AI tools faster than they're implementing governance. Employees using consumer AI applications (often unapproved) for work-related tasks may unintentionally share confidential data with third-party platforms, creating a growing and often unaddressed exposure.
Acceptable use policies, data classification standards and IT controls governing approved tools are no longer optional. Gallagher works with clients to navigate these governance and coverage considerations as the regulatory landscape continues to evolve.
What organizations should prioritize now
The threat landscape is complex, but the response framework can be focused. Four areas offer the strongest return on preparedness investment for energy companies today.
Key preparedness priorities
- Incident response planning: A written, tested plan, including tabletop exercises, can significantly improve outcomes and support your position in any subsequent litigation or regulatory review.
- Third-party risk management: Map which vendors have access to your systems or data, and ensure your contracts address breach notification, forensic cooperation and liability allocation.
- OT security: Broadening the focus of the cybersecurity function to OT Assets including incident response, defensible architecture, and continuous visibility and monitoring can help better secure our most critical assets and maintain business continuity during a shifting threat landscape.
- AI governance: Establish a formal policy outlining which AI tools may be used, what data may be shared and how violations are managed. This is now a core risk management issue, not just an IT consideration.
Cyber insurance remains an important part of the risk transfer strategy, but it's most effective when supported by a broader approach to preparedness. Carriers move quickly when there's clear documentation of controls, governance and incident response protocols. Organizations that have invested in these areas often see faster claims resolution and stronger coverage outcomes when it matters most.
If you've questions about how these trends may affect your risk profile or coverage structure, connect with our team. These conversations are often more productive before an incident than after.