Why Your Corporate Insurance/Risk Management

Report
Why Your Corporate Insurance and Risk
Management Program May not Respond to a
Cyber Attack
In House Counsel Summit Series
November 6, 2014
Glenn R. Legge
www.leggefarrow.com
1
Concerns About a Cyber Related 9/11
“As the country becomes ever more dependent on digital services
for the functioning of critical infrastructure, business, education,
finances, communications, and social connections, the Internet’s
vulnerabilities are outpacing the nation’s ability to secure it.”
“We are at September
preparedness.”
10th
levels
in
terms
of
cyber
-- Reflections on the Tenth Anniversary of the 9/11 Commission
Report – The Bipartisan Policy Center – July 2014
2
Issues to be Addressed
Current cyber threats to the energy industry.
Corporate management’s enhanced obligations to protect against
cyber threats and provide adequate insurance.
Current coverage wordings that address cyber-risks.
Current coverage exclusions for cyber-risks, including CL380 and
the new ISO provisions and how they may be challenged in the
courts.
Emerging contractual risk allocation terms to address damages
arising from cyber-risks.
3
Recent Examples of Cyber Attacks or Data
Breaches on Retail and Financial Companies
2013 – Target Corporation – 40 million credit and debit card accounts.
$200 million to reissue 21.8 million credit and debit cards.
2014 – Neiman Marcus – 350,000 payment cards.
2014 – Home Depot – 56 million debit and credit cards.
2014 – JP Morgan Chase – 76 million households, 7 million small
businesses.
2014 – eBay – personal records of 233 million users.
4
Energy Sector – Exposure to Cyber Attack
Massive use of Big Data – data sets so large and complex that it
becomes difficult to process using on-hand data management tools
or traditional data processing applications.
Big Data managed by “supervisory control and data acquisition”
(SCADA) and “industrial control systems” (ICS).
Shareholder pressure to improve returns and reduce costs by
increasing operational efficiencies through use of IT.
Broad geographic distribution of facilities requires use of IT.
Energy sector is the focus of cyber intrusions from governmentbased cyber attackers and non-government groups.
5
U.S. Government’s
Early Response to Cyber Threats
In May 2013, after recognizing various
probable cyber risks, the US
Department of Commerce
commissioned the National Institute of
Standards and Technology (NIST) to
issue guidelines for SCADA and ICS
systems.
6
U.S. Government’s
Early Response to Cyber Threats
NIST recognized various probable risks resulting from a cyber attack or data
breach.
Unauthorized changes to instructions, commands, or alarm
thresholds, which could damage, disable, or shut down equipment,
create environmental impacts, and/or endanger human life;
Inaccurate information sent to system operators, either to disguise
unauthorized changes, or to cause the operators to initiate
inappropriate actions, which could have various negative effects; and
Interference with the operation of safety systems, which could
endanger human life.
NIST Special Publication 800-82, Revision1.
7
Is the Energy Sector Next? Is Next Now?
August 2012 - Shamoon malware contaminated up to 30,000 computers at Saudi
Aramco. Days later, the computer systems at Quatar-based RasGas were infected
by a virus, shutting down the company’s website.
June 20, 2014 – A network of hackers called AnonGhost announced it had
launched a barrage of cyber-attacks on international energy companies in the
Middle East and the United States. Symantec, the IT security company, identified
this emerging cyber-threat as Operation Petrol.
July 2, 2014 – The Department of Homeland Security's Industrial Control Systems
Cyber Emergency Response Team (ICS-CERT) warned energy companies of
malicious software used by “a Russian hacking group known as ‘Energetic Bear’
or ‘Dragonfly’ . . . that primarily targets the energy sector and related industries.”
November 3, 2014 – DHS’s ICS-CERT identified a sophisticated malware that has
compromised numerous ICS using a variant of the Black Energy malware. Black
Energy variant targeted GE Cimplicity and Siemens WinCC SCADA programs.
8
Is the Energy Sector Next? Is Next Now?
Who uses Big Data in the Energy Sector?
Deepwater Exploration & Production (E&P) - Real time downhole data
sensors – temperature, pressure, vibration, flowmeters and subsea control
modules.
Onshore E&P - Remote monitoring and control of well sites.
Midstream Transportation - Remote detection and control systems.
Monitoring high pressure/high temperature and corrosion.
Maritime Transportation - Security and vessel traffic control, GPS aided
functions and ECDIS navigation systems.
Refining & Petrochemical - Processing of hydrocarbons/chemicals,
predictive maintenance of equipment/machinery, supply chain and distribution
chain.
9
Enhanced Corporate Responsibility to Manage Risks
for Cyber Attacks - US Perspective
Executive Order 13636 Improving Critical Infrastructure Cybersecurity, 12
June 2013.
Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0
National Institute of Standards and Technology (NIST), 12 Feb. 2014.
DHS/DOE Oil and Natural Gas Subsector Cybersecurity Capability Maturity
Model (ONG – C2M2) – Version 1.1 – February 2014.
DHS Insurance Industry Working Session Readout Report – Insurance for
Cyber-Related Critical Infrastructure Loss: Key Issues – July 2014.
SEC Commissioner Aguilar’s Addresses New York Stock Exchange
Members Regarding Corporate Obligations Concerning Cyber Risks– June
2014.
10
Enhanced Corporate Responsibility to Manage Risks
for Cyber Attacks - US Perspective
Executive Order 13636, Improving Critical Infrastructure Cybersecurity
Adoption of the Cybersecurity Framework (“Framework”)
Market-based incentives to encourage the development of cyber insurance.
Litigation risk mitigation for entities that adopt the Framework and meet
reasonable insurance requirements.
Legal benefits may include limited indemnity, higher burdens of proof, or
limited penalties; case consolidations; case transfers to a single federal court.
Insurance options could include a requirement for the purchase of private
market liability insurance in order to apply for these liability protections and
legal benefits.
Executive Order 13636, 12 June 2013.
11
Enhanced Corporate Responsibility to Manage Risks
for Cyber Attacks - US Perspective
NIST - Framework for Improving Critical Infrastructure Cybersecurity
Encourages development of voluntary standards and processes for
industry concerning critical infrastructure to address cyber risks.
Urges corporate management to focus on cyber risk management.
NIST, Framework for Improving Critical Infrastructure Cybersecurity, Version
1, 12 Feb. 2014.
12
Enhanced Corporate Responsibility to Manage Risks
for Cyber Attacks - US Perspective
DHS/DOE Oil and Natural Gas Subsector,
Cybersecurity Capability Maturity Model (ONG – C2M2)
C2M2 program address the “unique characteristics of the oil and natural gas
subsector.”
C2M2 program can be used to:
Strengthen cybersecurity capabilities in the ONG sector.
Enable ONG organizations to effectively and consistently evaluate and
benchmark cybersecurity capabilities.
Share knowledge and best practices within the ONG sector as a means to
improve cybersecurity.
104 references and comments on “risk management.”
Oil and Natural Gas Subsector, Cybersecurity Capability Maturity Model (ONG-C2M2), Version 1.1, Feb. 2014
13
Enhanced Corporate Responsibility to Manage Risks
for Cyber Attacks - US Perspective
DHS Insurance Industry Working
Session Readout Report,
Insurance for Cyber-Related
Critical Infrastructure Loss: Key
Issues, July 2014.
14
Enhanced Corporate Responsibility to Manage Risks
for Cyber Attacks - US Perspective
DHS Insurance Industry Working Session – July 2014
Round table meetings with insurance industry – Oct. 2012 to Nov. 2013.
Report on energy sector insurance:
Exclusion CL380 described as an exemption clause that is “…
commonplace in property insurance written for energy sector
companies.”
Recognized the existence of several energy sector data sets that
include failure scenarios that could assist in creating underwriting data
templates.
15
Enhanced Corporate Responsibility to Manage Risks
for Cyber Attacks - US Perspective
SEC Commissioner Aguilar
addresses New York Stock
Exchange members
regarding corporate
obligations concerning
cyber risks – June 2014
16
Enhanced Corporate Responsibility to Manage Risks
for Cyber Attacks - US Perspective
SEC’s Recommendations to New York Stock Exchange Members – June 2014
June 10, 2014 – SEC Commissioner Aguilar advised :
That “ensuring the adequacy of a company’s cybersecurity measures
needs to be a critical part of a board of director’s risk oversight
responsibilities.”
Best practices include the review and assessment of corporate
insurance policies.
From the SEC’s perspective, directors and officers of publicly traded
companies have an obligation to review and assess the adequacy of
insurance coverage that would respond to a cyber-attack. Ariel Yehezkel &
Thomas Michael, Cybersecurity: Breaching the Boardroom, THE METROPOLITAN CORPORATE
COUNSEL, April 2014.
Directors and Officers (D&O) liability insurance policies often exclude
coverage for failure to procure/maintain adequate insurance coverage.
17
Energy Industry’s Response to Threat
of Cyber Attack
Increased concern about insurance coverage for cyber attack/data
breach.
Oil and Natural Gas – Information Sharing and Analysis Center (ONGISAC)
Members – Upstream, midstream and downstream energy
companies and contractors.
Goal – “[T]o provide shared intelligence on cyber incidents,
threats, vulnerabilities, and associated responses present
throughout our industry.”
Anonymous information sharing through an ONG-ISAC secure
web platform.
Coordinated response among ONG-ISAC members.
ABI Research projected costs to guard oil and gas infrastructure
against cyber attacks will be $1.87 billion in 2018.
18
Insurance Coverage for Cyber Attacks on the Energy
Sector – Where is it?
Type of losses and policies that may be involved in a cyber attack:
Loss
Policy
Property of the company or third parties
Property/Liability
Pollution damages/liability
Liability/OEE
Well control and re-drill expenses
COW/OEE
Business interruption, contingent business interruption
and lost or delayed production of company or third parties
Property/Liability
Loss of intellectual property, trade secrets and financial
information
Cyber Risk
Remediating damage to computer systems
Cyber Risk
Bodily injury or death claims of employees or third parties
Liability
Regulatory fines and/or penalties
Cyber Risk
Shareholder suits
D&O
19
Coverage for Cyber Attack Under
Available Policies
Cyber Risk Policies
Limited cyber-risk insurance policies provide coverage for first party and
third party claims with relatively low limits ($10-25 million).
Coverages:
Forensic analysis, remediation of data systems, notification to
customers, public affairs/public relations and notification to third
parties.
Loss of intellectual property, financial information, and proprietary
data of the insured.
London market coverages have provided some property damage and
business interruption coverages.
Property damage, environmental impairment and bodily injury/loss of life
are not covered under most cyber risk policies.
20
Coverage for Cyber Attack Under
Available Policies
D&O Policies
Provide some coverage to corporate management and the entity for
securities claims related to alleged failures to mitigate cyber risks.
Coverage for damages to property of the corporation or third
parties will not be provided under most D&O policies.
Many D&O policies have exclusions for cyber risks.
D&O policies will not provide coverage for property damage,
environmental impairment or business interruption.
Many D&O policies exclude coverage for failure to procure and
maintain adequate insurance coverage.
21
Coverage for Cyber Attack Under
Available Policies
Property Insurance
Provides coverage for company’s physical assets and business
interruption/contingent business interruption.
Often excludes losses resulting from cyber risks/cyber attacks.
US Courts are divided regarding whether damage to software/computer
systems are “physical damage to tangible property.”
American Gur. & Liab. Ins. Co. v. Ingram Micro, Inc., Civ. 99-185 TUC ACM,
2000 WL 726789, (D. Ariz. 2000) (Corruption of electronic data was physical
damage to tangible property);
Lambrecht & Assocs., Inc. v. State Farm Lloyds, 119 S.W.3d 16 (Tex. App.—
Tyler 2003, no pet.) (Damage to data is loss of tangible property).
Ward Gen. Ins. Servs., Inc. v. Emp’rs Fire Ins. Co., 7 Cal. Rptr. 3d 844, 851
(Cal. Ct. App. 2004) (Loss suffered by plaintiff was a loss of information.
Plaintiff did not lose the tangible material of the storage medium.)
22
Coverage for Cyber Attack Under
Available Policies
Upstream Energy Insurance Facilities
Oil Insurance Limited (OIL) is a Bermuda-based mutual insurance
program for the energy industry.
Coverage includes property damage, control of well, redrill, and
pollution coverage.
Some degree of coverage for cyber attacks on its members – but not
war risks.
The aggregate limits of OIL coverage is $750 million per event.
Chrysalis is a specialized excess insurance program underwritten by
London market insurers.
Provides coverage similar to those provided under OIL, including
some coverage for cyber attacks.
Chrysalis also provides up to $125 million per occurrence for cyberattacks.
23
Coverage for Cyber Attack Under
Available Policies
Commercial General Liability Insurance (CGL)
Property Damage – Coverage A
Is damage to electronic data “property damage”?
Magnetic Data, Inc. v. St. Paul Fire and Marine Ins. Co., 83 A.3d 664
(Conn. App. 2014) – electronic data erased from hard drive was
intangible and not covered under “property damage” definition.
After 2001, many policies exempted “electronic data” from “property
damage” definition.
After 2004, ISO wording excluded “[d]amages arising out of the loss of,
loss of use of, damage to, corruption of, inability to access, or inability
to manipulate electronic data.”
“Electronic Data Liability” Endorsement reintroduced “electronic data”
into the definition of “property damage.
24
Coverage for Cyber Attack Under
Available Policies
Commercial General Liability Insurance (CGL)
Personal and Advertising Injury Liability – Coverage B
“Personal and advertising injury” includes
“Oral or written publication, in any manner, of material that violates a
person’s right of privacy.”
Coverage for loss of personally identifiable information (PII).
Zurich American Insurance v. Sony Corporation, No. 651982-2011 (N.Y.
Sup. Ct. Feb. 24, 2014). Court ruled that Coverage B of the CGL policy applied
to publication of Sony customers’ confidential information. Because the
disclosures were made by the hackers, and not Sony, the insurer had no duty to
defend the insured or pay for damages.
Netscape Communications Corp. v. Federal Insurance Co., 343 Fed.
App’x 271 (9th Cir. 2009). SmartDownload software collected claimants’
internet usage and used information for advertising. Court found claims within
“personal injury” coverage and ruled that insurer had duty to defend the insured.
Court did not require a disclosure of PII to a third party.
25
Cyber Risk Exclusions
ISO 2004 Electronic Data Exclusion
ISO 2014 Data Breach Exclusions
CL 380 Cyber Risk Exclusion
NMA 2915 – Cyber Exclusion
NMA 2914 – Electronic Data Endorsement A
26
ISO 2004 Electronic Data Exclusion and Definition
CG 00 01 12 04 (2004 CGL Form)
2. Exclusions
This insurance does not apply to: p. Electronic Data
(2) Damages arising out of the loss of, loss of use of, damage to, corruption of,
inability to access, or inability to manipulate "electronic data" that does
not result from physical injury to tangible property.
...
However, this exclusion does not apply to liability for damages because of "bodily injury."
2004 Revised Definition of Property Damage
For the purposes of this insurance, electronic data is not tangible property.
As used in this definition, electronic data means information, facts or programs stored as or on,
created or used on, or transmitted to or from computer software, including systems and
applications software, hard or floppy disks, CO-ROMS, tapes, drives, cells, data processing
devices or any other media which are used with electronically controlled equipment.
27
2014 ISO Data Breach Exclusions
CG 04 37 05 14
A. Exclusion 2.p. of Coverage A – Bodily Injury And Property Damage Liability in Section I –
Coverages is replaced by the following:
2. Exclusions
This insurance does not apply to:
p. Electronic Data Access Or Disclosure Of Confidential Or Personal Information And Data-related
Liability Damages arising out of:
(1) Any access to or disclosure of any person's or organization's confidential or personal
information, including patents, trade secrets, processing methods, customer lists, financial
information, credit card information, health information or any other type of nonpublic information;
or
(2) Damages arising out of tThe loss of, loss of use of, damage to, corruption of, inability to access,
or inability to manipulate "electronic data" that does
not result from physical injury to tangible property.
...
However, unless Paragraph (1) above applies, this exclusion does not apply to liability for damages
because of "bodily injury".
28
CL380
INSTITUTE CYBER ATTACK EXCLUSION CLAUSE
1.1 Subject only to clause 1.2 below, in no case shall this insurance cover loss
damage liability or expense directly or indirectly caused by or contributed to by
or arising from the use or operation, as a means for inflicting harm, of any
computer, computer system, computer software program, malicious code,
computer virus or process or any other electronic system.
1.2 Where this clause is endorsed on policies covering risks of war, civil war,
revolution, rebellion, insurrection, or civil strife arising therefrom, or any hostile
act by or against a belligerent power, or terrorism or any person acting from a
political motive, Clause 1.1 shall not operate to exclude losses (which would
otherwise be covered) arising from the use of any computer, computer system
or computer software program or any other electronic system in the launch
and/or guidance system and/or firing mechanism of any weapon or missile.
CL380
10/11/03
29
NMA 2915
ELECTRONIC DATA
1. Electronic Data Exclusion
Notwithstanding any provision to the contrary within the Policy or any endorsement thereto, it is
understood and agreed as follows:
a)
This Policy does not insure, loss, damage, destruction, distortion, erasure, corruption or
alteration of ELECTRONIC DATA from any cause whatsoever (including but not limited to
COMPUTER VIRUS) or loss of use, reduction in functionality, cost, expense of whatsoever
nature resulting therefrom, regardless of any other cause or event contributing concurrently
or in any other sequence to the loss.
* * *
b) However, in the event that a peril listed below results from any of the matters described in
paragraph (a) above, this policy, subject to all of its terms, conditions and exclusions, will
cover physical damage occurring during the policy period to property insured by this policy
directly caused by such listed peril.
Listed Perils
Fire
Explosion
30
Contractual Risk Allocation for Cyber Risks
Cyber risk allocation scheme needs something more than “at law” contribution
clause.
“Knock for knock” scheme may not be applicable to damages arising from cyber
attacks.
Risk allocation based upon “emanation” or means of entry. Suitable for a “bring
your own device” environment between operators and contractors?
Representations/warranties/certifications that software/hardware/devices used in
performance of services is free of any virus/malicious code/malware.
Representations/warranties to promptly notify customer of discovery of any
“cyber incidents” or compromised cyber security events prior to/after the
performance of services.
Requirements that contractor have liability insurance that would cover damages
resulting from cyber attacks? No policy exclusions?
31
Insurance Coverage for Cyber Attacks/Cyber
Risks in the Energy Sector - Path Forward
Good News
U.S. government is considering use of commercial, financial and legal incentives to:
Encourage companies to implement measures to prevent cyber attacks.
Encourage the creation of insurance programs to respond to cyber attacks.
The energy sector and the insurance market have worked closely for years on
conceptually challenging risks.
Specialists in energy insurance and cyber security can provide the means to conduct
risk assessments of companies/insureds.
Existing risk assessment templates can be used to address cyber risks and create
safeguards to prevent them.
Bad News
Insurance coverage for energy sector cyber attacks is still a nascent risk market.
Unlike some other risks, cyber attacks continue to evolve at a rapid pace.
32
Authors
Glenn Legge For 30 years Mr. Legge has practiced in the areas of commercial litigation, including energy,
marine, construction, insurance coverage and trade secrets disputes. He represents operators, contractors,
service companies and insurers involved in onshore and offshore energy, construction, environmental and
regulatory matters. Mr. Legge has tried numerous cases to verdict, has arbitrated commercial disputes through
award and enforcement and has argued cases before Texas appellate courts in the 1st, 5th and 14th Districts,
the Texas Supreme Court and the United States Court of Appeals for the Fifth Circuit. In the last four years he
has had the honor of obtaining significant victories in two matters before the Texas Supreme Court involving
onshore and offshore construction and insurance coverage disputes. You can contact Mr. Legge at
[email protected]
Jeanie Tate Goodwin is a Senior Associate at Legge Farrow. Her practice includes maritime personal injury
and casualty matters, as well as representing energy companies in complex, commercial litigation. In addition,
she has substantial experience in insurance law, including both first party and third party coverage matters. In
the first quarter of 2015, she will join Catlin’s legal department on secondment in London. You can reach
Jeanie at [email protected]
Jacob Esparza is a Senior Associate in Legge Farrow that has represented energy companies and their
insurers for nearly 10 years. He handles complex litigation involving contractual risk allocation issues in the onand offshore energy industries. Mr. Esparza also successfully represents foreign and domestic insurers in
coverage and bad faith litigation stemming from various commercial coverages, including energy, liability,
property, cargo, motor carrier and business interruption. In 2014, Mr. Esparza was selected to the Super
Lawyers "Texas Rising Stars" List for the Energy and Natural Resources, Insurance Coverage and
Transportation/Maritime practices. You can contact Mr. Esparza at [email protected]
33
Why Your Corporate Insurance and Risk
Management Program May not Respond to a
Cyber Attack
34
In House Counsel Summit Series
November 6, 2014
Glenn R. Legge
www.leggefarrow.com
34

similar documents