Why Your Corporate Insurance and Risk Management Program May not Respond to a Cyber Attack. In House Counsel Summit Series November 6, 2014 Glenn R. Legge www.leggefarrow.com. Concerns About a Cyber Related 9/11.
Why Your Corporate Insurance and Risk Management Program May not Respond to a Cyber Attack In House Counsel Summit Series November 6, 2014 Glenn R. Legge www.leggefarrow.com
Concerns About a Cyber Related 9/11 • “As the country becomes ever more dependent on digital services for the functioning of critical infrastructure, business, education, finances, communications, and social connections, the Internet’s vulnerabilities are outpacing the nation’s ability to secure it.” • “We are at September 10th levels in terms of cyber preparedness.” -- Reflections on the Tenth Anniversary of the 9/11 Commission Report – The Bipartisan Policy Center – July 2014
Issues to be Addressed • Current cyber threats to the energy industry. • Corporate management’s enhanced obligations to protect against cyber threats and provide adequate insurance. • Current coverage wordings that address cyber-risks. • Current coverage exclusions for cyber-risks, including CL380 and the new ISO provisions and how they may be challenged in the courts. • Emerging contractual risk allocation terms to address damages arising from cyber-risks.
Recent Examples of Cyber Attacks or Data Breaches on Retail and Financial Companies • 2013 – Target Corporation – 40 million credit and debit card accounts. $200 million to reissue 21.8 million credit and debit cards. • 2014 – Neiman Marcus – 350,000 payment cards. • 2014 – Home Depot – 56 million debit and credit cards. • 2014 – JP Morgan Chase – 76 million households, 7 million small businesses. • 2014 – eBay – personal records of 233 million users.
Energy Sector – Exposure to Cyber Attack • Massive use of Big Data – data sets so large and complex that it becomes difficult to process using on-hand data management tools or traditional data processing applications. • Big Data managed by “supervisory control and data acquisition” (SCADA) and “industrial control systems” (ICS). • Shareholder pressure to improve returns and reduce costs by increasing operational efficiencies through use of IT. • Broad geographic distribution of facilities requires use of IT. • Energy sector is the focus of cyber intrusions from government-based cyber attackers and non-government groups.
U.S. Government’s Early Response to Cyber Threats • In May 2013, after recognizing various probable cyber risks, the US Department of Commerce commissioned the National Institute of Standards and Technology (NIST) to issue guidelines for SCADA and ICS systems.
U.S. Government’s Early Response to Cyber Threats NIST recognized various probable risks resulting from a cyber attack or data breach. • Unauthorized changes to instructions, commands, or alarm thresholds, which could damage, disable, or shut down equipment, create environmental impacts, and/or endanger human life; • Inaccurate information sent to system operators, either to disguise unauthorized changes, or to cause the operators to initiate inappropriate actions, which could have various negative effects; and • Interference with the operation of safety systems, which could endanger human life. NIST Special Publication 800-82, Revision 1.
Is the Energy Sector Next? Is Next Now? • August 2012 – Shamoon malware contaminated up to 30,000 computers at Saudi Aramco. Days later, the computer systems at Qatar-based RasGas were infected by a virus, shutting down the company’s website. • June 20, 2014 – A network of hackers called AnonGhost announced it had launched a barrage of cyber-attacks on international energy companies in the Middle East and the United States. Symantec, the IT security company, identified this emerging cyber-threat as Operation Petrol. • July 2, 2014 – The Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) warned energy companies of malicious software used by “a Russian hacking group known as ‘Energetic Bear’ or ‘Dragonfly’ . . . that primarily targets the energy sector and related industries.” • November 3, 2014 – DHS’s ICS-CERT identified a sophisticated malware that has compromised numerous ICS using a variant of the Black Energy malware. Black Energy variant targeted GE Cimplicity and Siemens WinCC SCADA programs.
Is the Energy Sector Next? Is Next Now? Who uses Big Data in the Energy Sector? • Deepwater Exploration & Production (E&P) - Real time downhole data sensors – temperature, pressure, vibration, flowmeters and subsea control modules. • Onshore E&P - Remote monitoring and control of well sites. • Midstream Transportation - Remote detection and control systems. Monitoring high pressure/high temperature and corrosion. • Maritime Transportation - Security and vessel traffic control, GPS aided functions and ECDIS navigation systems. • Refining & Petrochemical - Processing of hydrocarbons/chemicals, predictive maintenance of equipment/machinery, supply chain and distribution chain.
Enhanced Corporate Responsibility to Manage Risks for Cyber Attacks - US Perspective • Executive Order 13636 Improving Critical Infrastructure Cybersecurity, 12 June 2013. • Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0 National Institute of Standards and Technology (NIST), 12 Feb. 2014. • DHS/DOE Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model (ONG – C2M2) – Version 1.1 – February 2014. • DHS Insurance Industry Working Session Readout Report – Insurance for Cyber-Related Critical Infrastructure Loss: Key Issues – July 2014. • SEC Commissioner Aguilar Addresses New York Stock Exchange Members Regarding Corporate Obligations Concerning Cyber Risks – June 2014.
Enhanced Corporate Responsibility to Manage Risks for Cyber Attacks - US Perspective Executive Order 13636, Improving Critical Infrastructure Cybersecurity • Adoption of the Cybersecurity Framework (“Framework”) • Market-based incentives to encourage the development of cyber insurance. • Litigation risk mitigation for entities that adopt the Framework and meet reasonable insurance requirements. • Legal benefits may include limited indemnity, higher burdens of proof, or limited penalties; case consolidations; case transfers to a single federal court. • Insurance options could include a requirement for the purchase of private market liability insurance in order to apply for these liability protections and legal benefits. Executive Order 13636, 12 June 2013.
Enhanced Corporate Responsibility to Manage Risks for Cyber Attacks - US Perspective NIST - Framework for Improving Critical Infrastructure Cybersecurity • Encourages development of voluntary standards and processes for industry concerning critical infrastructure to address cyber risks. • Urges corporate management to focus on cyber risk management. NIST, Framework for Improving Critical Infrastructure Cybersecurity, Version 1, 12 Feb. 2014.
Enhanced Corporate Responsibility to Manage Risks for Cyber Attacks - US Perspective DHS/DOE Oil and Natural Gas Subsector, Cybersecurity Capability Maturity Model (ONG – C2M2) • C2M2 program addresses the “unique characteristics of the oil and natural gas subsector.” • C2M2 program can be used to: • Strengthen cybersecurity capabilities in the ONG sector. • Enable ONG organizations to effectively and consistently evaluate and benchmark cybersecurity capabilities. • Share knowledge and best practices within the ONG sector as a means to improve cybersecurity. • 104 references and comments on “risk management.” Oil and Natural Gas Subsector, Cybersecurity Capability Maturity Model (ONG-C2M2), Version 1.1, Feb. 2014
Enhanced Corporate Responsibility to Manage Risks for Cyber Attacks - US Perspective DHS Insurance Industry Working Session Readout Report, Insurance for Cyber-Related Critical Infrastructure Loss: Key Issues, July 2014.
Enhanced Corporate Responsibility to Manage Risks for Cyber Attacks - US Perspective DHS Insurance Industry Working Session – July 2014 • Round table meetings with insurance industry – Oct. 2012 to Nov. 2013. • Report on energy sector insurance: • Exclusion CL380 described as an exemption clause that is “… commonplace in property insurance written for energy sector companies.” • Recognized the existence of several energy sector data sets that include failure scenarios that could assist in creating underwriting data templates.
Enhanced Corporate Responsibility to Manage Risks for Cyber Attacks - US Perspective SEC Commissioner Aguilar addresses New York Stock Exchange members regarding corporate obligations concerning cyber risks – June 2014
Enhanced Corporate Responsibility to Manage Risks for Cyber Attacks - US Perspective SEC’s Recommendations to New York Stock Exchange Members – June 2014 • June 10, 2014 – SEC Commissioner Aguilar advised: • That “ensuring the adequacy of a company’s cybersecurity measures needs to be a critical part of a board of director’s risk oversight responsibilities.” • Best practices include the review and assessment of corporate insurance policies. • From the SEC’s perspective, directors and officers of publicly traded companies have an obligation to review and assess the adequacy of insurance coverage that would respond to a cyber-attack. Ariel Yehezkel & Thomas Michael, Cybersecurity: Breaching the Boardroom, THE METROPOLITAN CORPORATE COUNSEL, April 2014. • Directors and Officers (D&O) liability insurance policies often exclude coverage for failure to procure/maintain adequate insurance coverage.
Energy Industry’s Response to Threat of Cyber Attack • Increased concern about insurance coverage for cyber attack/data breach. • Oil and Natural Gas – Information Sharing and Analysis Center (ONG-ISAC) • Members – Upstream, midstream and downstream energy companies and contractors. • Goal – “[T]o provide shared intelligence on cyber incidents, threats, vulnerabilities, and associated responses present throughout our industry.” • Anonymous information sharing through an ONG-ISAC secure web platform. • Coordinated response among ONG-ISAC members. • ABI Research projected costs to guard oil and gas infrastructure against cyber attacks will be $1.87 billion in 2018.
Insurance Coverage for Cyber Attacks on the Energy Sector – Where is it? Type of losses and policies that may be involved in a cyber attack:
Coverage for Cyber Attack Under Available Policies • Cyber Risk Policies • Limited cyber-risk insurance policies provide coverage for first party and third party claims with relatively low limits ($10-25 million). • Coverages: • Forensic analysis, remediation of data systems, notification to customers, public affairs/public relations and notification to third parties. • Loss of intellectual property, financial information, and proprietary data of the insured. • London market coverages have provided some property damage and business interruption coverages. • Property damage, environmental impairment and bodily injury/loss of life are not covered under most cyber risk policies.
Coverage for Cyber Attack Under Available Policies • D&O Policies • Provide some coverage to corporate management and the entity for securities claims related to alleged failures to mitigate cyber risks. • Coverage for damages to property of the corporation or third parties will not be provided under most D&O policies. • Many D&O policies have exclusions for cyber risks. • D&O policies will not provide coverage for property damage, environmental impairment or business interruption. • Many D&O policies exclude coverage for failure to procure and maintain adequate insurance coverage.
Coverage for Cyber Attack Under Available Policies • Property Insurance • Provides coverage for company’s physical assets and business interruption/contingent business interruption. • Often excludes losses resulting from cyber risks/cyber attacks. • US Courts are divided regarding whether damage to software/computer systems is “physical damage to tangible property.” • American Guar. & Liab. Ins. Co. v. Ingram Micro, Inc., Civ. 99-185 TUC ACM, 2000 WL 726789, (D. Ariz. 2000) (Corruption of electronic data was physical damage to tangible property). • Lambrecht & Assocs., Inc. v. State Farm Lloyds, 119 S.W.3d 16 (Tex. App.—Tyler 2003, no pet.) (Damage to data is loss of tangible property). • Ward Gen. Ins. Servs., Inc. v. Emp’rs Fire Ins. Co., 7 Cal. Rptr. 3d 844, 851 (Cal. Ct. App. 2004) (Loss suffered by plaintiff was a loss of information. Plaintiff did not lose the tangible material of the storage medium.)
Coverage for Cyber Attack Under Available Policies • Upstream Energy Insurance Facilities • Oil Insurance Limited (OIL) is a Bermuda-based mutual insurance program for the energy industry. • Coverage includes property damage, control of well, redrill, and pollution coverage. • Some degree of coverage for cyber attacks on its members – but not war risks. • The aggregate limit of OIL coverage is $750 million per event. • Chrysalis is a specialized excess insurance program underwritten by London market insurers. • Provides coverage similar to that provided under OIL, including some coverage for cyber attacks. • Chrysalis also provides up to $125 million per occurrence for cyber-attacks.
Coverage for Cyber Attack Under Available Policies • Commercial General Liability Insurance (CGL) • Property Damage – Coverage A • Is damage to electronic data “property damage”? • Magnetic Data, Inc. v. St. Paul Fire and Marine Ins. Co., 83 A.3d 664 (Conn. App. 2014) – electronic data erased from hard drive was intangible and not covered under “property damage” definition. • After 2001, many policies exempted “electronic data” from “property damage” definition. • After 2004, ISO wording excluded “[d]amages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.” • “Electronic Data Liability” Endorsement reintroduced “electronic data” into the definition of “property damage.”
Coverage for Cyber Attack Under Available Policies • Commercial General Liability Insurance (CGL) • Personal and Advertising Injury Liability – Coverage B • “Personal and advertising injury” includes • “Oral or written publication, in any manner, of material that violates a person’s right of privacy.” • Coverage for loss of personally identifiable information (PII). • Zurich American Insurance v. Sony Corporation, No. 651982-2011 (N.Y. Sup. Ct. Feb. 24, 2014). Court ruled that Coverage B of the CGL policy applied to publication of Sony customers’ confidential information. Because the disclosures were made by the hackers, and not Sony, the insurer had no duty to defend the insured or pay for damages. • Netscape Communications Corp. v. Federal Insurance Co., 343 Fed. App’x 271 (9th Cir. 2009). SmartDownload software collected claimants’ internet usage and used information for advertising. Court found claims within “personal injury” coverage and ruled that insurer had duty to defend the insured. Court did not require a disclosure of PII to a third party.
Cyber Risk Exclusions • ISO 2004 Electronic Data Exclusion • ISO 2014 Data Breach Exclusions • CL 380 Cyber Risk Exclusion • NMA 2915 – Cyber Exclusion • NMA 2914 – Electronic Data Endorsement A
ISO 2004 Electronic Data Exclusion and Definition CG 00 01 12 04 (2004 CGL Form) 2. Exclusions This insurance does not apply to: p. Electronic Data (2) Damages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate "electronic data" that does not result from physical injury to tangible property. . . . However, this exclusion does not apply to liability for damages because of "bodily injury." 2004 Revised Definition of Property Damage For the purposes of this insurance, electronic data is not tangible property. As used in this definition, electronic data means information, facts or programs stored as or on, created or used on, or transmitted to or from computer software, including systems and applications software, hard or floppy disks, CD-ROMS, tapes, drives, cells, data processing devices or any other media which are used with electronically controlled equipment.
2014 ISO Data Breach Exclusions CG 04 37 05 14 A. Exclusion 2.p. of Coverage A – Bodily Injury And Property Damage Liability in Section I – Coverages is replaced by the following: 2. Exclusions This insurance does not apply to: p. Access Or Disclosure Of Confidential Or Personal Information And Data-related Liability Damages arising out of: (1) Any access to or disclosure of any person's or organization's confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information; or (2) The loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate "electronic data" that does not result from physical injury to tangible property. . . . However, unless Paragraph (1) above applies, this exclusion does not apply to liability for damages because of "bodily injury".
CL380 • INSTITUTE CYBER ATTACK EXCLUSION CLAUSE • 1.1 Subject only to clause 1.2 below, in no case shall this insurance cover loss damage liability or expense directly or indirectly caused by or contributed to by or arising from the use or operation, as a means for inflicting harm, of any computer, computer system, computer software program, malicious code, computer virus or process or any other electronic system. • 1.2 Where this clause is endorsed on policies covering risks of war, civil war, revolution, rebellion, insurrection, or civil strife arising therefrom, or any hostile act by or against a belligerent power, or terrorism or any person acting from a political motive, Clause 1.1 shall not operate to exclude losses (which would otherwise be covered) arising from the use of any computer, computer system or computer software program or any other electronic system in the launch and/or guidance system and/or firing mechanism of any weapon or missile. • CL380 • 10/11/03
NMA 2915 ELECTRONIC DATA 1. Electronic Data Exclusion Notwithstanding any provision to the contrary within the Policy or any endorsement thereto, it is understood and agreed as follows: This Policy does not insure, loss, damage, destruction, distortion, erasure, corruption or alteration of ELECTRONIC DATA from any cause whatsoever (including but not limited to COMPUTER VIRUS) or loss of use, reduction in functionality, cost, expense of whatsoever nature resulting therefrom, regardless of any other cause or event contributing concurrently or in any other sequence to the loss. * * * b) However, in the event that a peril listed below results from any of the matters described in paragraph (a) above, this policy, subject to all of its terms, conditions and exclusions, will cover physical damage occurring during the policy period to property insured by this policy directly caused by such listed peril. Listed Perils Fire Explosion
Contractual Risk Allocation for Cyber Risks • Cyber risk allocation scheme needs something more than “at law” contribution clause. • “Knock for knock” scheme may not be applicable to damages arising from cyber attacks. • Risk allocation based upon “emanation” or means of entry. Suitable for a “bring your own device” environment between operators and contractors? • Representations/warranties/certifications that software/hardware/devices used in performance of services is free of any virus/malicious code/malware. • Representations/warranties to promptly notify customer of discovery of any “cyber incidents” or compromised cyber security events prior to/after the performance of services. • Requirements that contractor have liability insurance that would cover damages resulting from cyber attacks? No policy exclusions?
Insurance Coverage for Cyber Attacks/Cyber Risks in the Energy Sector - Path Forward • Good News • U.S. government is considering use of commercial, financial and legal incentives to: • Encourage companies to implement measures to prevent cyber attacks. • Encourage the creation of insurance programs to respond to cyber attacks. • The energy sector and the insurance market have worked closely for years on conceptually challenging risks. • Specialists in energy insurance and cyber security can provide the means to conduct risk assessments of companies/insureds. • Existing risk assessment templates can be used to address cyber risks and create safeguards to prevent them. • Bad News • Insurance coverage for energy sector cyber attacks is still a nascent risk market. • Unlike some other risks, cyber attacks continue to evolve at a rapid pace.
Authors

Glenn Legge For 30 years Mr. Legge has practiced in the areas of commercial litigation, including energy, marine, construction, insurance coverage and trade secrets disputes. He represents operators, contractors, service companies and insurers involved in onshore and offshore energy, construction, environmental and regulatory matters. Mr. Legge has tried numerous cases to verdict, has arbitrated commercial disputes through award and enforcement and has argued cases before Texas appellate courts in the 1st, 5th and 14th Districts, the Texas Supreme Court and the United States Court of Appeals for the Fifth Circuit. In the last four years he has had the honor of obtaining significant victories in two matters before the Texas Supreme Court involving onshore and offshore construction and insurance coverage disputes. You can contact Mr. Legge at glennlegge@leggefarrow.com.

Jeanie Tate Goodwin is a Senior Associate at Legge Farrow. Her practice includes maritime personal injury and casualty matters, as well as representing energy companies in complex, commercial litigation. In addition, she has substantial experience in insurance law, including both first party and third party coverage matters. In the first quarter of 2015, she will join Catlin’s legal department on secondment in London. You can reach Jeanie at jgoodwin@leggefarrow.com.

Jacob Esparza is a Senior Associate at Legge Farrow who has represented energy companies and their insurers for nearly 10 years. He handles complex litigation involving contractual risk allocation issues in the on- and offshore energy industries. Mr. Esparza also successfully represents foreign and domestic insurers in coverage and bad faith litigation stemming from various commercial coverages, including energy, liability, property, cargo, motor carrier and business interruption. In 2014, Mr. Esparza was selected to the Super Lawyers "Texas Rising Stars" List for the Energy and Natural Resources, Insurance Coverage and Transportation/Maritime practices. You can contact Mr. Esparza at jesparza@leggefarrow.com.