1 Cyber Security and Insurance Coverage: Evolving Risks Where More Than Data Is At Stake Cyber Risks – Insurance Coverage and Regulatory Updates for the.

Presentation transcript:

1 Cyber Security and Insurance Coverage: Evolving Risks Where More Than Data Is At Stake
Cyber Risks – Insurance Coverage and Regulatory Updates for the Offshore Energy and Marine Sectors
Cefor Annual Seminar, Oslo, 9 April 2015
Glenn Legge
James Brown
Legge, Farrow, Kimmitt, McGrath & Brown, L.L.P.

2 Issues to be Addressed
Concerns about exposure to cyber attacks in the marine and offshore energy sectors.
Enhanced government oversight and corporate obligations to protect against increasing risk of cyber attacks.
U.S. Coast Guard (USCG) and Department of Homeland Security (DHS) proposed regulations for marine and offshore energy sectors.
Insurance coverage issues arising from exclusions for cyber risks.
New contractual allocation clauses for cyber risks.
Path Forward

3 Cyber attacks - Is the Offshore Energy Next? Is Next Now?
– Hackers caused a floating energy facility off the coast of West Africa to list, forcing temporary shut down.
20 June 2014 – AnonGhost announced it had launched a barrage of cyber-attacks on energy companies in the Middle East and the United States. Later identified as “Operation Petrol”.
2 July 2014 – DHS’s ICS-CERT warned of malicious software used by “a Russian hacking group – ‘Energetic Bear’ or ‘Dragonfly’ – targeting the energy sector and related industries.”
10 December 2014 – ICS-CERT identified a variant of the Black Energy malware that targeted GE Cimplicity and Siemens WinCC SCADA programs.
30 January 2015 – ICS-CERT identified a remote exploit vulnerability affecting Cobham Sailor 900 VSAT, a maritime satellite broadband product and allowing attacker to bypass passwords.

4 Enhanced Government Oversight to Manage Risks of Cyber Attacks
June 2013 – Executive Order Improving Critical Infrastructure Cybersecurity.
February 2014 – Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0 National Institute of Standards and Technology (NIST).
February 2014 – DHS/DOE Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model (ONG – C2M2) – Version 1.1.
July 2014 – DHS Insurance Industry Working Session Readout Report.
June 2014 – SEC Commissioner Aguilar Addresses Corporate Obligations Concerning Cyber Risks.
December 2014 – DHS/USCG issue notice of proposed cybersecurity regulations.

5 Enhanced Government Oversight to Manage Risks of Cyber Attacks
Executive Order 13636, Improving Critical Infrastructure Cybersecurity
Adoption of the Cybersecurity Framework (“Framework”).
Market-based incentives to encourage the development of cyber insurance.
Litigation risk mitigation for entities that adopt the Framework and meet reasonable insurance requirements.
Legal benefits may include limited indemnity, higher burdens of proof, or limited penalties; case consolidations; case transfers to a single federal court.
Insurance options could include a requirement for the purchase of private market liability insurance in order to apply for these liability protections and legal benefits.
Executive Order 13636, June 12, 2013.

6 Enhanced Corporate Responsibility to Manage Risks for Cyber Attacks DHS Insurance Industry Working Session Readout Report, Insurance for Cyber-Related Critical Infrastructure Loss: Key Issues, July 2014.

7 Enhanced Government Oversight to Manage Risks of Cyber Attacks
DHS Insurance Industry Working Session – July 2014
Round table meetings with insurance industry – Oct to Nov
Report on energy sector insurance:
  o Exclusion CL380 described as an exemption clause that is “commonplace in property insurance written for energy sector companies.”
  o Underwriters recognized the need to develop data templates to assess risks.
  o Recognized the existence of several energy sector data sets that include failure scenarios that could assist in creating underwriting data templates.

8 Most Recent U.S. Regulatory Activity
12 December 2014 – USCG/DHS issued notice of public meeting and requested comments on:
  o Developing cybersecurity assessment methods for vessels and facilities regulated by the USCG; and
  o Cybersecurity vulnerabilities that could cause a Transportation Security Incident (TSI) = “a security incident resulting in a significant loss of life, environmental damage, transportation system disruption, or economic disruption in a particular area.”
USCG invited public comments in developing standards, guidelines, and best practices to protect maritime critical infrastructure, which are due by April 15,
Numerous entities have already provided comment and we expect further industry involvement in the development of proposed regulations given the recent deadline extension.

9 Most Recent U.S. Regulatory Activity
28 November 2014 – USCG/DHS issued notice of proposed rulemaking:
To establish minimum standards for computer controlled dynamic positioning (DP) systems on MODUs and vessels working on the US Outer Continental Shelf (OCS).
Catastrophic incidents resulting from loss of control of DP systems during Critical OCS Activities:
  o A loss of position on a MODU during well-control operations could result in a subsea spill that is difficult to contain.
  o A logistics vessel could lose position and strike a floating or fixed facility, thereby causing damage to the gas export riser, which may result in an explosion, a loss of life, or an environmental event.
USCG invited public comments which are due by 27 May

10 Insurance Coverage for Cyber Attacks on the Energy Sector – Where is it?
Type of losses and policies that may be involved in a cyber attack:

Loss | Policy
Property of the company or third parties | Property/Liability
Pollution damages/liability | Liability/OEE
Well control and re-drill expenses | COW/OEE
Business interruption, contingent business interruption and lost or delayed production of company or third parties | Property/Liability
Loss of intellectual property, trade secrets and financial information | Cyber Risk
Remediating damage to computer systems | Cyber Risk
Bodily injury or death claims of employees or third parties | Liability
Regulatory fines and/or penalties | Cyber Risk
Shareholder suits | D&O

11 CL380

12 New Contractual Risk Allocation Clauses for Cyber Risks in the Offshore Energy Sector
Contractual indemnity for damage arising from virus/malware that was delivered via contractor’s devices, computers or software.
Indemnity obligations extend to property damage, environmental impairment, bodily injury/death resulting from virus/malware.
Restricted use of wireless connections and storage devices.
Requirements that contractors comply with minimum standards to protect the networks and computer resources of the contractors/service companies that may be involved in work for owners/operators.
Would a violation of these contractual obligations impact liability coverage?

13 Path Forward
Good News
U.S. government is using regulations, commercial, financial and legal incentives to:
  o Encourage companies to implement measures to prevent cyber attacks.
  o Encourage the creation of insurance programs to respond to cyber attacks.
  o Asking for input from stakeholders.
Offshore energy and marine companies and insurers have a history of working closely on conceptually challenging risks (Welcar 2001).
Existing risk assessment templates can be used to assess cyber risks/cyber attacks - require insured to exercise appropriate levels of due care and diligence (OEE, EED 8/86)
Bad News
Insurance coverage for energy sector cyber attacks is still a nascent risk market.
Unlike some other risks, cyber attacks continue to evolve at a rapid pace.
Conceptually challenging risk allocation scenarios and damage models – involving multiple types of coverages and underwriting disciplines.

14 Author
Glenn Legge is a partner in Legge Farrow that has represented energy companies and their insurers for over 30 years. Mr. Legge focuses his practice in the areas of commercial litigation, including energy, marine, construction and insurance coverage matters. He represents operators, contractors, service companies and insurers involved in offshore exploration, production, development, construction and decommissioning matters. Mr. Legge has tried numerous cases to verdict, has arbitrated commercial disputes through award and enforcement and has argued cases before Texas appellate courts in the 1st, 5th and 14th Districts, the Texas Supreme Court and the United States Court of Appeals for the Fifth Circuit. In the last four years he has had the honor of obtaining significant victories for the London insurance market in two matters before the Texas Supreme Court, including the only reported opinion in the U.S. interpreting the Welcar 2001 terms. You can contact Mr. Legge at
