1 Why Your Corporate Insurance and Risk Management Program May not Respond to a Cyber Attack In House Counsel Summit Series November 6, 2014 Glenn R. Legge.

Presentation transcript:

1 Why Your Corporate Insurance and Risk Management Program May not Respond to a Cyber Attack In House Counsel Summit Series November 6, 2014 Glenn R. Legge

2 Concerns About a Cyber Related 9/11

“As the country becomes ever more dependent on digital services for the functioning of critical infrastructure, business, education, finances, communications, and social connections, the Internet’s vulnerabilities are outpacing the nation’s ability to secure it.”

“We are at September 10th levels in terms of cyber preparedness.”

-- Reflections on the Tenth Anniversary of the 9/11 Commission Report – The Bipartisan Policy Center – July 2014

3 Issues to be Addressed

- Current cyber threats to the energy industry.
- Corporate management’s enhanced obligations to protect against cyber threats and provide adequate insurance.
- Current coverage wordings that address cyber-risks.
- Current coverage exclusions for cyber-risks, including CL380 and the new ISO provisions and how they may be challenged in the courts.
- Emerging contractual risk allocation terms to address damages arising from cyber-risks.

4 Recent Examples of Cyber Attacks or Data Breaches on Retail and Financial Companies

- Target Corporation – 40 million credit and debit card accounts. $200 million to reissue 21.8 million credit and debit cards.
- 2014 – Neiman Marcus – 350,000 payment cards.
- 2014 – Home Depot – 56 million debit and credit cards.
- JP Morgan Chase – 76 million households, 7 million small businesses.
- eBay – personal records of 233 million users.

5 Energy Sector – Exposure to Cyber Attack

- Massive use of Big Data – data sets so large and complex that it becomes difficult to process them using on-hand data management tools or traditional data processing applications.
- Big Data managed by “supervisory control and data acquisition” (SCADA) and “industrial control systems” (ICS).
- Shareholder pressure to improve returns and reduce costs by increasing operational efficiencies through use of IT.
- Broad geographic distribution of facilities requires use of IT.
- Energy sector is the focus of cyber intrusions from government-based cyber attackers and non-government groups.

6 U.S. Government’s Early Response to Cyber Threats

In May 2013, after recognizing various probable cyber risks, the US Department of Commerce commissioned the National Institute of Standards and Technology (NIST) to issue guidelines for SCADA and ICS systems.

7 U.S. Government’s Early Response to Cyber Threats

NIST recognized various probable risks resulting from a cyber attack or data breach:
- Unauthorized changes to instructions, commands, or alarm thresholds, which could damage, disable, or shut down equipment, create environmental impacts, and/or endanger human life;
- Inaccurate information sent to system operators, either to disguise unauthorized changes, or to cause the operators to initiate inappropriate actions, which could have various negative effects; and
- Interference with the operation of safety systems, which could endanger human life.

NIST Special Publication, Revision 1.

8 Is the Energy Sector Next? Is Next Now?

- August – Shamoon malware contaminated up to 30,000 computers at Saudi Aramco. Days later, the computer systems at Qatar-based RasGas were infected by a virus, shutting down the company’s website.
- June 20, 2014 – A network of hackers called AnonGhost announced it had launched a barrage of cyber-attacks on international energy companies in the Middle East and the United States. Symantec, the IT security company, identified this emerging cyber-threat as Operation Petrol.
- July 2, 2014 – The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) warned energy companies of malicious software used by “a Russian hacking group known as ‘Energetic Bear’ or ‘Dragonfly’... that primarily targets the energy sector and related industries.”
- November 3, 2014 – DHS’s ICS-CERT identified a sophisticated malware that has compromised numerous ICS using a variant of the Black Energy malware. The Black Energy variant targeted GE Cimplicity and Siemens WinCC SCADA programs.

9 Is the Energy Sector Next? Is Next Now?

Who uses Big Data in the Energy Sector?
- Deepwater Exploration & Production (E&P) – Real time downhole data sensors: temperature, pressure, vibration, flowmeters and subsea control modules.
- Onshore E&P – Remote monitoring and control of well sites.
- Midstream Transportation – Remote detection and control systems. Monitoring high pressure/high temperature and corrosion.
- Maritime Transportation – Security and vessel traffic control, GPS aided functions and ECDIS navigation systems.
- Refining & Petrochemical – Processing of hydrocarbons/chemicals, predictive maintenance of equipment/machinery, supply chain and distribution chain.

10 Enhanced Corporate Responsibility to Manage Risks for Cyber Attacks - US Perspective

- Executive Order 13636, Improving Critical Infrastructure Cybersecurity, 12 June 2013.
- Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, National Institute of Standards and Technology (NIST), 12 Feb.
- DHS/DOE Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model (ONG-C2M2) – Version 1.1 – February 2014.
- DHS Insurance Industry Working Session Readout Report – Insurance for Cyber-Related Critical Infrastructure Loss: Key Issues – July 2014.
- SEC Commissioner Aguilar Addresses New York Stock Exchange Members Regarding Corporate Obligations Concerning Cyber Risks – June 2014.

11 Enhanced Corporate Responsibility to Manage Risks for Cyber Attacks - US Perspective

Executive Order 13636, Improving Critical Infrastructure Cybersecurity
- Adoption of the Cybersecurity Framework (“Framework”).
- Market-based incentives to encourage the development of cyber insurance.
- Litigation risk mitigation for entities that adopt the Framework and meet reasonable insurance requirements.
- Legal benefits may include limited indemnity, higher burdens of proof, or limited penalties; case consolidations; case transfers to a single federal court.
- Insurance options could include a requirement for the purchase of private market liability insurance in order to apply for these liability protections and legal benefits.

Executive Order 13636, 12 June 2013.

12 Enhanced Corporate Responsibility to Manage Risks for Cyber Attacks - US Perspective

NIST - Framework for Improving Critical Infrastructure Cybersecurity
- Encourages development of voluntary standards and processes for industry concerning critical infrastructure to address cyber risks.
- Urges corporate management to focus on cyber risk management.

NIST, Framework for Improving Critical Infrastructure Cybersecurity, Version 1, 12 Feb.

13 Enhanced Corporate Responsibility to Manage Risks for Cyber Attacks - US Perspective

DHS/DOE Oil and Natural Gas Subsector, Cybersecurity Capability Maturity Model (ONG-C2M2)
- The C2M2 program addresses the “unique characteristics of the oil and natural gas subsector.”
- The C2M2 program can be used to:
  - Strengthen cybersecurity capabilities in the ONG sector.
  - Enable ONG organizations to effectively and consistently evaluate and benchmark cybersecurity capabilities.
  - Share knowledge and best practices within the ONG sector as a means to improve cybersecurity.
- 104 references and comments on “risk management.”

Oil and Natural Gas Subsector, Cybersecurity Capability Maturity Model (ONG-C2M2), Version 1.1, Feb. 2014.

14 Enhanced Corporate Responsibility to Manage Risks for Cyber Attacks - US Perspective

DHS Insurance Industry Working Session Readout Report, Insurance for Cyber-Related Critical Infrastructure Loss: Key Issues, July 2014.

15 Enhanced Corporate Responsibility to Manage Risks for Cyber Attacks - US Perspective

DHS Insurance Industry Working Session – July 2014
- Round table meetings with insurance industry – Oct to Nov meetings.
- Report on energy sector insurance:
  - Exclusion CL380 described as an exemption clause that is “… commonplace in property insurance written for energy sector companies.”
  - Recognized the existence of several energy sector data sets that include failure scenarios that could assist in creating underwriting data templates.

16 Enhanced Corporate Responsibility to Manage Risks for Cyber Attacks - US Perspective

SEC Commissioner Aguilar addresses New York Stock Exchange members regarding corporate obligations concerning cyber risks – June 2014.

17 Enhanced Corporate Responsibility to Manage Risks for Cyber Attacks - US Perspective

SEC’s Recommendations to New York Stock Exchange Members – June 2014
- June 10, 2014 – SEC Commissioner Aguilar advised that “ensuring the adequacy of a company’s cybersecurity measures needs to be a critical part of a board of director’s risk oversight responsibilities.”
- Best practices include the review and assessment of corporate insurance policies.
- From the SEC’s perspective, directors and officers of publicly traded companies have an obligation to review and assess the adequacy of insurance coverage that would respond to a cyber-attack. Ariel Yehezkel & Thomas Michael, Cybersecurity: Breaching the Boardroom, The Metropolitan Corporate Counsel, April 2014.
- Directors and Officers (D&O) liability insurance policies often exclude coverage for failure to procure/maintain adequate insurance coverage.

18 Energy Industry’s Response to Threat of Cyber Attack

- Increased concern about insurance coverage for cyber attack/data breach.
- Oil and Natural Gas – Information Sharing and Analysis Center (ONG-ISAC)
  - Members – Upstream, midstream and downstream energy companies and contractors.
  - Goal – “[T]o provide shared intelligence on cyber incidents, threats, vulnerabilities, and associated responses present throughout our industry.”
  - Anonymous information sharing through an ONG-ISAC secure web platform.
  - Coordinated response among ONG-ISAC members.
- ABI Research projected costs to guard oil and gas infrastructure against cyber attacks will be $1.87 billion in 2018.

19 Insurance Coverage for Cyber Attacks on the Energy Sector – Where is it?

Type of losses and policies that may be involved in a cyber attack:

Loss | Policy
Property of the company or third parties | Property/Liability
Pollution damages/liability | Liability/OEE
Well control and re-drill expenses | COW/OEE
Business interruption, contingent business interruption and lost or delayed production of company or third parties | Property/Liability
Loss of intellectual property, trade secrets and financial information | Cyber Risk
Remediating damage to computer systems | Cyber Risk
Bodily injury or death claims of employees or third parties | Liability
Regulatory fines and/or penalties | Cyber Risk
Shareholder suits | D&O

20 Coverage for Cyber Attack Under Available Policies

Cyber Risk Policies
- Limited cyber-risk insurance policies provide coverage for first party and third party claims with relatively low limits ($10-25 million).
- Coverages: Forensic analysis, remediation of data systems, notification to customers, public affairs/public relations and notification to third parties. Loss of intellectual property, financial information, and proprietary data of the insured.
- London market coverages have provided some property damage and business interruption coverages.
- Property damage, environmental impairment and bodily injury/loss of life are not covered under most cyber risk policies.

21 Coverage for Cyber Attack Under Available Policies

D&O Policies
- Provide some coverage to corporate management and the entity for securities claims related to alleged failures to mitigate cyber risks.
- Coverage for damages to property of the corporation or third parties will not be provided under most D&O policies.
- Many D&O policies have exclusions for cyber risks.
- D&O policies will not provide coverage for property damage, environmental impairment or business interruption.
- Many D&O policies exclude coverage for failure to procure and maintain adequate insurance coverage.

22 Coverage for Cyber Attack Under Available Policies

Property Insurance
- Provides coverage for the company’s physical assets and business interruption/contingent business interruption.
- Often excludes losses resulting from cyber risks/cyber attacks.
- US Courts are divided regarding whether damage to software/computer systems is “physical damage to tangible property.”
  - American Guar. & Liab. Ins. Co. v. Ingram Micro, Inc., Civ TUC ACM, 2000 WL (D. Ariz. 2000) (Corruption of electronic data was physical damage to tangible property).
  - Lambrecht & Assocs., Inc. v. State Farm Lloyds, 119 S.W.3d 16 (Tex. App.—Tyler 2003, no pet.) (Damage to data is loss of tangible property).
  - Ward Gen. Ins. Servs., Inc. v. Emp’rs Fire Ins. Co., 7 Cal. Rptr. 3d 844, 851 (Cal. Ct. App. 2004) (Loss suffered by plaintiff was a loss of information. Plaintiff did not lose the tangible material of the storage medium.)

23 Coverage for Cyber Attack Under Available Policies

Upstream Energy Insurance Facilities
- Oil Insurance Limited (OIL) is a Bermuda-based mutual insurance program for the energy industry.
  - Coverage includes property damage, control of well, redrill, and pollution coverage.
  - Some degree of coverage for cyber attacks on its members – but not war risks.
  - The aggregate limit of OIL coverage is $750 million per event.
- Chrysalis is a specialized excess insurance program underwritten by London market insurers.
  - Provides coverage similar to that provided under OIL, including some coverage for cyber attacks.
  - Chrysalis also provides up to $125 million per occurrence for cyber-attacks.

24 Coverage for Cyber Attack Under Available Policies

Commercial General Liability Insurance (CGL) – Property Damage – Coverage A
- Is damage to electronic data “property damage”?
- Magnetic Data, Inc. v. St. Paul Fire and Marine Ins. Co., 83 A.3d 664 (Conn. App. 2014) – electronic data erased from a hard drive was intangible and not covered under the “property damage” definition.
- After 2001, many policies exempted “electronic data” from the “property damage” definition.
- After 2004, ISO wording excluded “[d]amages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.”
- The “Electronic Data Liability” Endorsement reintroduced “electronic data” into the definition of “property damage.”

25 Coverage for Cyber Attack Under Available Policies

Commercial General Liability Insurance (CGL) – Personal and Advertising Injury Liability – Coverage B
- “Personal and advertising injury” includes “Oral or written publication, in any manner, of material that violates a person’s right of privacy.”
- Coverage for loss of personally identifiable information (PII).
- Zurich American Insurance v. Sony Corporation, No. (N.Y. Sup. Ct. Feb. 24, 2014). Court ruled that Coverage B of the CGL policy applied to publication of Sony customers’ confidential information. Because the disclosures were made by the hackers, and not Sony, the insurer had no duty to defend the insured or pay for damages.
- Netscape Communications Corp. v. Federal Insurance Co., 343 Fed. App’x 271 (9th Cir. 2009). SmartDownload software collected claimants’ internet usage and used the information for advertising. Court found claims within “personal injury” coverage and ruled that the insurer had a duty to defend the insured. Court did not require a disclosure of PII to a third party.

26 Cyber Risk Exclusions

- ISO 2004 Electronic Data Exclusion
- ISO 2014 Data Breach Exclusions
- CL 380 Cyber Risk Exclusion
- NMA 2915 – Cyber Exclusion
- NMA 2914 – Electronic Data Endorsement A

27 ISO 2004 Electronic Data Exclusion and Definition CG (2004 CGL Form)

28 ISO Data Breach Exclusions CG

29 CL380

30 NMA 2915

31 Contractual Risk Allocation for Cyber Risks

- A cyber risk allocation scheme needs something more than an “at law” contribution clause.
- A “knock for knock” scheme may not be applicable to damages arising from cyber attacks.
- Risk allocation based upon “emanation” or means of entry. Suitable for a “bring your own device” environment between operators and contractors?
- Representations/warranties/certifications that software/hardware/devices used in performance of services are free of any virus/malicious code/malware.
- Representations/warranties to promptly notify the customer of discovery of any “cyber incidents” or compromised cyber security events prior to/after the performance of services.
- Requirements that the contractor have liability insurance that would cover damages resulting from cyber attacks? No policy exclusions?

32 Insurance Coverage for Cyber Attacks/Cyber Risks in the Energy Sector - Path Forward

Good News
- U.S. government is considering use of commercial, financial and legal incentives to:
  - Encourage companies to implement measures to prevent cyber attacks.
  - Encourage the creation of insurance programs to respond to cyber attacks.
- The energy sector and the insurance market have worked closely for years on conceptually challenging risks.
- Specialists in energy insurance and cyber security can provide the means to conduct risk assessments of companies/insureds.
- Existing risk assessment templates can be used to address cyber risks and create safeguards to prevent them.

Bad News
- Insurance coverage for energy sector cyber attacks is still a nascent risk market.
- Unlike some other risks, cyber attacks continue to evolve at a rapid pace.

33 Authors

Glenn Legge – For 30 years Mr. Legge has practiced in the areas of commercial litigation, including energy, marine, construction, insurance coverage and trade secrets disputes. He represents operators, contractors, service companies and insurers involved in onshore and offshore energy, construction, environmental and regulatory matters. Mr. Legge has tried numerous cases to verdict, has arbitrated commercial disputes through award and enforcement and has argued cases before Texas appellate courts in the 1st, 5th and 14th Districts, the Texas Supreme Court and the United States Court of Appeals for the Fifth Circuit. In the last four years he has had the honor of obtaining significant victories in two matters before the Texas Supreme Court involving onshore and offshore construction and insurance coverage disputes. You can contact Mr. Legge at

Jeanie Tate Goodwin is a Senior Associate at Legge Farrow. Her practice includes maritime personal injury and casualty matters, as well as representing energy companies in complex commercial litigation. In addition, she has substantial experience in insurance law, including both first party and third party coverage matters. In the first quarter of 2015, she will join Catlin’s legal department on secondment in London. You can reach Jeanie at

Jacob Esparza is a Senior Associate at Legge Farrow who has represented energy companies and their insurers for nearly 10 years. He handles complex litigation involving contractual risk allocation issues in the onshore and offshore energy industries. Mr. Esparza also successfully represents foreign and domestic insurers in coverage and bad faith litigation stemming from various commercial coverages, including energy, liability, property, cargo, motor carrier and business interruption. In 2014, Mr. Esparza was selected to the Super Lawyers "Texas Rising Stars" List for the Energy and Natural Resources, Insurance Coverage and Transportation/Maritime practices. You can contact Mr. Esparza at
