Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Cyber Security and Insurance Coverage: Evolving Risks Where More Than Data Is At Stake Cyber Risks – Insurance Coverage and Regulatory Updates for the.

Published byEric Jenkins Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Cyber Security and Insurance Coverage: Evolving Risks Where More Than Data Is At Stake Cyber Risks – Insurance Coverage and Regulatory Updates for the."— Presentation transcript:

1 1 Cyber Security and Insurance Coverage: Evolving Risks Where More Than Data Is At Stake Cyber Risks – Insurance Coverage and Regulatory Updates for the Offshore Energy and Marine Sectors Cefor Annual Seminar Oslo 9 April 2015 Glenn Legge James Brown Legge, Farrow, Kimmitt, McGrath & Brown, L.L.P. www.leggefarrow.com

2 2 Concerns about exposure to cyber attacks in the marine and offshore energy sectors. Enhanced government oversight and corporate obligations to protect against increasing risk of cyber attacks. U.S. Coast Guard (USCG) and Department of Homeland Security (DHS) proposed regulations for marine and offshore energy sectors. Insurance coverage issues arising from exclusions for cyber risks. New contractual allocation clauses for cyber risks. Path Forward Issues to be Addressed

3 3 2014 – Hackers caused a floating energy facility off the coast of West Africa to list, forcing temporary shut down. 20 June 2014 – AnonGhost announced it had launched a barrage of cyber-attacks on energy companies in the Middle East and the United States. Later identified as “Operation Petrol”. 2 July 2014 – DHS’s ICS-CERT warned of malicious software used by “a Russian hacking group – ‘Energetic Bear’ or ‘Dragonfly’ – targeting the energy sector and related industries.” 10 December 2014 – ICS-CERT identified a variant of the Black Energy malware that targeted GE Cimplicity and Siemens WinCC SCADA programs. 30 January 2015 – ICS-CERT identified a remote exploit vulnerability affecting Cobham Sailor 900 VSAT, a maritime satellite broadband product and allowing attacker to bypass passwords. Cyber attacks - Is the Offshore Energy Next? Is Next Now?

4 4 Enhanced Government Oversight to Manage Risks of Cyber Attacks June 2013 – Executive Order 13636 Improving Critical Infrastructure Cybersecurity. February 2014 – Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0 National Institute of Standards and Technology (NIST). February 2014 – DHS/DOE Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model (ONG – C2M2) – Version 1.1. July 2014 – DHS Insurance Industry Working Session Readout Report. June 2014 – SEC Commissioner Aguilar Addresses Corporate Obligations Concerning Cyber Risks. December 2014 – DHS/USCG issue notice of proposed cybersecurity regulations.

5 5 Enhanced Government Oversight to Manage Risks of Cyber Attacks Executive Order 13636, Improving Critical Infrastructure Cybersecurity Adoption of the Cybersecurity Framework (“Framework”). Market-based incentives to encourage the development of cyber insurance. Litigation risk mitigation for entities that adopt the Framework and meet reasonable insurance requirements. Legal benefits may include limited indemnity, higher burdens of proof, or limited penalties; case consolidations; case transfers to a single federal court. Insurance options could include a requirement for the purchase of private market liability insurance in order to apply for these liability protections and legal benefits. Executive Order 13636, June 12, 2013.

6 6 Enhanced Corporate Responsibility to Manage Risks for Cyber Attacks DHS Insurance Industry Working Session Readout Report, Insurance for Cyber-Related Critical Infrastructure Loss: Key Issues, July 2014.

7 7 Enhanced Government Oversight to Manage Risks of Cyber Attacks DHS Insurance Industry Working Session – July 2014 Round table meetings with insurance industry – Oct. 2012 to Nov. 2013. Report on energy sector insurance: o Exclusion CL380 described as an exemption clause that is “commonplace in property insurance written for energy sector companies.” o Underwriters recognized the need to develop data templates to assess risks. o Recognized the existence of several energy sector data sets that include failure scenarios that could assist in creating underwriting data templates.

8 8 12 December 2014 – USCG/DHS issued notice of public meeting and requested comments on: Developing cybersecurity assessment methods for vessels and facilities regulated by the USCG; and Cybersecurity vulnerabilities that could cause a Transportation Security Incident (TSI) = “a security incident resulting in a significant loss of life, environmental damage, transportation system disruption, or economic disruption in a particular area.” USCG invited public comments in developing standards, guidelines, and best practices to protect maritime critical infrastructure, which are due by April 15, 2015. Numerous entities have already provided comment and we expect further industry involvement in the development of proposed regulations given the recent deadline extension. Most Recent U.S. Regulatory Activity

9 9 28 November 2014 – USCG/DHS issued notice of proposed rulemaking: To establish minimum standards for computer controlled dynamic positioning (DP) systems on MODUs and vessels working on the US Outer Continental Shelf (OCS). Catastrophic incidents resulting from loss of control of DP systems during Critical OCS Activities : o A loss of position on a MODU during well-control operations could result in a subsea spill that is difficult to contain. o A logistics vessel could lose position and strike a floating or fixed facility, thereby causing damage to the gas export riser, which may result in an explosion, a loss of life, or an environmental event. USCG invited public comments which are due by 27 May 2015. Most Recent U.S. Regulatory Activity

10 10 Insurance Coverage for Cyber Attacks on the Energy Sector – Where is it? Type of losses and policies that may be involved in a cyber attack: LossPolicy Property of the company or third partiesProperty/Liability Pollution damages/liabilityLiability/OEE Well control and re-drill expensesCOW/OEE Business interruption, contingent business interruption and lost or delayed production of company or third parties Property/Liability Loss of intellectual property, trade secrets and financial information Cyber Risk Remediating damage to computer systemsCyber Risk Bodily injury or death claims of employees or third partiesLiability Regulatory fines and/or penaltiesCyber Risk Shareholder suitsD&O

11 11 CL380

12 12 New Contractual Risk Allocation Clauses for Cyber Risks in the Offshore Energy Sector Contractual indemnity for damage arising from virus/malware that was delivered via contractor’s devices, computers or software. Indemnity obligations extend to property damage, environmental impairment, bodily injury/death resulting from virus/malware. Restricted use of wireless connections and storage devices. Requirements that contractors comply with minimum standards to protect the networks and computer resources of the contractors/service companies that may be involved in work for owners/operators. Would a violation of these contractual obligations impact liability coverage?

13 13 Path Forward Good News U.S. government is using regulations, commercial, financial and legal incentives to: o Encourage companies to implement measures to prevent cyber attacks. o Encourage the creation of insurance programs to respond to cyber attacks. o Asking for input from stakeholders. History of offshore energy and marine companies and insurers have worked closely on conceptually challenging risks (Welcar 2001). Existing risk assessment templates can be used to assess cyber risks/cyber attacks - require insured to exercise appropriate levels of due care and diligence (OEE, EED 8/86) Bad News Insurance coverage for energy sector cyber attacks is still a nascent risk market. Unlike some other risks, cyber attacks continue to evolve at a rapid pace.  Conceptually challenging risk allocation scenarios and damage models – involving multiple types of coverages and underwriting disciplines.

14 14 Glenn Legge is a partner in Legge Farrow that has represented energy companies and their insurers for over 30 years. Mr. Legge focuses his practice in the areas of commercial litigation, including energy, marine, construction and insurance coverage matters. He represents operators, contractors, service companies and insurers involved in offshore exploration, production, development, construction and decommissioning matters. Mr. Legge has tried numerous cases to verdict, has arbitrated commercial disputes through award and enforcement and has argued cases before Texas appellate courts in the 1st, 5th and 14th Districts, the Texas Supreme Court and the United States Court of Appeals for the Fifth Circuit. In the last four years he has had the honor of obtaining significant victories for the London insurance market in two matters before the Texas Supreme Court, including the only reported opinion in the U.S. interpreting the Welcar 2001 terms. You can contact Mr. Legge at glennlegge@leggefarrow.com.glennlegge@leggefarrow.com Author

15 15 Cyber Security and Insurance Coverage: Evolving Risks Where More Than Data Is At Stake Cyber Risks – Insurance Coverage and Regulatory Updates for the Offshore Energy and Marine Sectors Cefor Annual Seminar Oslo 9 April 2015 Glenn Legge James Brown Legge, Farrow, Kimmitt, McGrath & Brown, L.L.P. www.leggefarrow.com

Download ppt "1 Cyber Security and Insurance Coverage: Evolving Risks Where More Than Data Is At Stake Cyber Risks – Insurance Coverage and Regulatory Updates for the."

Similar presentations

3 rd AIDA Europe Conference Amsterdam, 26-27 May, 2011 26 th May 2011, Working Party Civil Liability TOPIC: “Should there be mandatory liability insurance.

3 rd AIDA Europe Conference Amsterdam, May, th May 2011, Working Party Civil Liability TOPIC: “Should there be mandatory liability insurance.
NOTE: To change the image on this slide, select the picture and delete it. Then click the Pictures icon in the placeholde r to insert your own image. Cybersecurity.

NOTE: To change the image on this slide, select the picture and delete it. Then click the Pictures icon in the placeholde r to insert your own image. Cybersecurity.
Service Sector Contracting Malcolm Mackay, Partner, Litigation, Brodies LLP Eve Brazier, Contracts Specialist, Oil & Gas, Brodies LLP.

Service Sector Contracting Malcolm Mackay, Partner, Litigation, Brodies LLP Eve Brazier, Contracts Specialist, Oil & Gas, Brodies LLP.
1 Why Your Corporate Insurance and Risk Management Program May not Respond to a Cyber Attack In House Counsel Summit Series November 6, 2014 Glenn R. Legge.

1 Why Your Corporate Insurance and Risk Management Program May not Respond to a Cyber Attack In House Counsel Summit Series November 6, 2014 Glenn R. Legge.
LNG USA 2005 IQPC Houston, Texas November 9, 2005 Bruce F. Kiely Baker Botts L.L.P. Washington, D.C.

LNG USA 2005 IQPC Houston, Texas November 9, 2005 Bruce F. Kiely Baker Botts L.L.P. Washington, D.C.
Cyber Insurance Today: Lots of Interest, Lots of Product Innovation, and Lots of Risk Richard S. Betterley, CMC Betterley Risk Consultants, Inc. Sterling,

Cyber Insurance Today: Lots of Interest, Lots of Product Innovation, and Lots of Risk Richard S. Betterley, CMC Betterley Risk Consultants, Inc. Sterling,
David A. Brown Chief Information Security Officer State of Ohio

David A. Brown Chief Information Security Officer State of Ohio
M&A & Insurance Mergers & Acquisitions Capabilities Presentation RIMS Fairfield/Westchester Chapter May 14 th, 2013.

M&A & Insurance Mergers & Acquisitions Capabilities Presentation RIMS Fairfield/Westchester Chapter May 14 th, 2013.
Draft of June 9, 2015 Cyber Risks in the Boardroom Managing Business, Legal and Reputational Risks Perspectives for Directors and Executive Officers Preparing.

Draft of June 9, 2015 Cyber Risks in the Boardroom Managing Business, Legal and Reputational Risks Perspectives for Directors and Executive Officers Preparing.
Security Issues on Campus: Government Initiatives Rodney J. Petersen University of Maryland Educause/Internet2 Security Task Force Copyright Rodney J.

Security Issues on Campus: Government Initiatives Rodney J. Petersen University of Maryland Educause/Internet2 Security Task Force Copyright Rodney J.
ENVIRONMENTAL LIABILITY IN GREECE THE LEGAL FRAMEWORK & THE ROLE OF FINANCIAL GUARANTEES/ INSURANCE PRODUCTS TO COVER OPERATORS’ RESPONSIBILITIES UNDER.

ENVIRONMENTAL LIABILITY IN GREECE THE LEGAL FRAMEWORK & THE ROLE OF FINANCIAL GUARANTEES/ INSURANCE PRODUCTS TO COVER OPERATORS’ RESPONSIBILITIES UNDER.
TERRORISM / POLITICAL VIOLENCE SOLUTIONS FAIR International Insurance Conference on Political Violence 12-13 April 2010 – Karachi Daniel O’Connell

TERRORISM / POLITICAL VIOLENCE SOLUTIONS FAIR International Insurance Conference on "Political Violence" April 2010 – Karachi Daniel O’Connell
K E M A, I N C. Current Status of Cyber Security Issues 2004 Keynote Address Joe Weiss January 20, 2004.

K E M A, I N C. Current Status of Cyber Security Issues 2004 Keynote Address Joe Weiss January 20, 2004.
Your cybersecurity breach will happen! Here’s what to do to mitigate your risk Thursday, 25 September 2014.

Your cybersecurity breach will happen! Here’s what to do to mitigate your risk Thursday, 25 September 2014.
Session 16: Distribution of Geospatial Data 1 Distribution of Geospatial Data in the Public Environment Hazard Mapping and Modeling.

Session 16: Distribution of Geospatial Data 1 Distribution of Geospatial Data in the Public Environment Hazard Mapping and Modeling.
Managing Risk in Cloud Computing Contracts Henry Ward and Todd Taylor April 30, 2015.

Managing Risk in Cloud Computing Contracts Henry Ward and Todd Taylor April 30, 2015.
REGULATORY LEGAL AND CONTRACTUAL ASPECTS OF PPP IN WATER AJAY RAGHAVAN Counsel Training Workshop, Bhopal, February 2009.

REGULATORY LEGAL AND CONTRACTUAL ASPECTS OF PPP IN WATER AJAY RAGHAVAN Counsel Training Workshop, Bhopal, February 2009.
Marine Industry Day 2015 Sector Command Center (24 hours): (504) 365-2200 National Response Center: 1-800-424-8802 Website:

Marine Industry Day 2015 Sector Command Center (24 hours): (504) National Response Center: Website:
Outsourcing Louis P. Piergeti VP, IIROC March 29, 2011.

Outsourcing Louis P. Piergeti VP, IIROC March 29, 2011.
WHAT EVERY RISK MANAGER NEEDS TO KNOW ABOUT DATA SECURITY RIMS Rocky Mountain Chapter Meeting Thursday, July 25, 2013 11:30 am – 12:30 pm.

WHAT EVERY RISK MANAGER NEEDS TO KNOW ABOUT DATA SECURITY RIMS Rocky Mountain Chapter Meeting Thursday, July 25, :30 am – 12:30 pm.

Similar presentations

Ads by Google