
1 Cyber Security and Insurance Coverage: Evolving Risks Where More Than Data Is At Stake Cyber Risks...

Date post: 17-Dec-2015
Upload: eric-jenkins
Cyber Security and Insurance Coverage: Evolving Risks Where More Than Data Is At Stake. Cyber Risks – Insurance Coverage and Regulatory Updates for the Offshore Energy and Marine Sectors. Cefor Annual Seminar, Oslo, 9 April 2015. Glenn Legge, James Brown. Legge, Farrow, Kimmitt, McGrath & Brown, L.L.P. www.leggefarrow.com
Transcript
Page 1

Cyber Security and Insurance Coverage: Evolving Risks Where More Than Data Is At Stake

Cyber Risks – Insurance Coverage and Regulatory Updates for the Offshore Energy and Marine Sectors

Cefor Annual Seminar, Oslo

9 April 2015

Glenn Legge, James Brown

Legge, Farrow, Kimmitt, McGrath & Brown, L.L.P.

www.leggefarrow.com

Page 2

Issues to be Addressed

• Concerns about exposure to cyber attacks in the marine and offshore energy sectors.

• Enhanced government oversight and corporate obligations to protect against increasing risk of cyber attacks.

• U.S. Coast Guard (USCG) and Department of Homeland Security (DHS) proposed regulations for marine and offshore energy sectors.

• Insurance coverage issues arising from exclusions for cyber risks.

• New contractual allocation clauses for cyber risks.

• Path Forward

Page 3

Cyber attacks - Is the Offshore Energy Next? Is Next Now?

• 2014 – Hackers caused a floating energy facility off the coast of West Africa to list, forcing a temporary shutdown.

• 20 June 2014 – AnonGhost announced it had launched a barrage of cyber-attacks on energy companies in the Middle East and the United States. Later identified as “Operation Petrol”.

• 2 July 2014 – DHS’s ICS-CERT warned of malicious software used by “a Russian hacking group – ‘Energetic Bear’ or ‘Dragonfly’ – targeting the energy sector and related industries.”

• 10 December 2014 – ICS-CERT identified a variant of the Black Energy malware that targeted GE Cimplicity and Siemens WinCC SCADA programs.

• 30 January 2015 – ICS-CERT identified a remote exploit vulnerability affecting the Cobham Sailor 900 VSAT, a maritime satellite broadband product, which allows an attacker to bypass passwords.

Page 4

Enhanced Government Oversight to Manage Risks of Cyber Attacks

• June 2013 – Executive Order 13636 Improving Critical Infrastructure Cybersecurity.

• February 2014 – Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, National Institute of Standards and Technology (NIST).

• February 2014 – DHS/DOE Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model (ONG – C2M2) – Version 1.1.

• July 2014 – DHS Insurance Industry Working Session Readout Report.

• June 2014 – SEC Commissioner Aguilar Addresses Corporate Obligations Concerning Cyber Risks.

• December 2014 – DHS/USCG issue notice of proposed cybersecurity regulations.

Page 5

Enhanced Government Oversight to Manage Risks of Cyber Attacks

Executive Order 13636, Improving Critical Infrastructure Cybersecurity

• Adoption of the Cybersecurity Framework (“Framework”).

• Market-based incentives to encourage the development of cyber insurance.

• Litigation risk mitigation for entities that adopt the Framework and meet reasonable insurance requirements.

• Legal benefits may include limited indemnity, higher burdens of proof, or limited penalties; case consolidations; case transfers to a single federal court.

• Insurance options could include a requirement for the purchase of private market liability insurance in order to apply for these liability protections and legal benefits.

Executive Order 13636, June 12, 2013.

Page 6

Enhanced Corporate Responsibility to Manage Risks for Cyber Attacks

DHS Insurance Industry Working Session Readout Report, Insurance for Cyber-Related Critical Infrastructure Loss: Key Issues, July 2014.

Page 7

Enhanced Government Oversight to Manage Risks of Cyber Attacks

DHS Insurance Industry Working Session – July 2014

• Round table meetings with insurance industry – Oct. 2012 to Nov. 2013.

• Report on energy sector insurance:

o Exclusion CL380 described as an exemption clause that is “commonplace in property insurance written for energy sector companies.”

o Underwriters recognized the need to develop data templates to assess risks.

o Recognized the existence of several energy sector data sets that include failure scenarios that could assist in creating underwriting data templates.

Page 8

Most Recent U.S. Regulatory Activity

12 December 2014 – USCG/DHS issued notice of public meeting and requested comments on:

• Developing cybersecurity assessment methods for vessels and facilities regulated by the USCG; and

• Cybersecurity vulnerabilities that could cause a Transportation Security Incident (TSI), defined as “a security incident resulting in a significant loss of life, environmental damage, transportation system disruption, or economic disruption in a particular area.”

• USCG invited public comments in developing standards, guidelines, and best practices to protect maritime critical infrastructure, which are due by April 15, 2015.

• Numerous entities have already provided comments, and we expect further industry involvement in the development of proposed regulations given the recent deadline extension.

Page 9

Most Recent U.S. Regulatory Activity

28 November 2014 – USCG/DHS issued notice of proposed rulemaking:

• To establish minimum standards for computer-controlled dynamic positioning (DP) systems on MODUs and vessels working on the US Outer Continental Shelf (OCS).

• Catastrophic incidents resulting from loss of control of DP systems during Critical OCS Activities:

o A loss of position on a MODU during well-control operations could result in a subsea spill that is difficult to contain.

o A logistics vessel could lose position and strike a floating or fixed facility, thereby causing damage to the gas export riser, which may result in an explosion, a loss of life, or an environmental event.

• USCG invited public comments, which are due by 27 May 2015.

Page 10

Insurance Coverage for Cyber Attacks on the Energy Sector – Where is it?

Types of losses and policies that may be involved in a cyber attack:

| Loss | Policy |
| --- | --- |
| Property of the company or third parties | Property/Liability |
| Pollution damages/liability | Liability/OEE |
| Well control and re-drill expenses | COW/OEE |
| Business interruption, contingent business interruption and lost or delayed production of company or third parties | Property/Liability |
| Loss of intellectual property, trade secrets and financial information | Cyber Risk |
| Remediating damage to computer systems | Cyber Risk |
| Bodily injury or death claims of employees or third parties | Liability |
| Regulatory fines and/or penalties | Cyber Risk |
| Shareholder suits | D&O |

Page 11

CL380

INSTITUTE CYBER ATTACK EXCLUSION CLAUSE

1.1 Subject only to clause 1.2 below, in no case shall this insurance cover loss damage liability or expense directly or indirectly caused by or contributed to by or arising from the use or operation, as a means for inflicting harm, of any computer, computer system, computer software program, malicious code, computer virus or process or any other electronic system.

1.2 Where this clause is endorsed on policies covering risks of war, civil war, revolution, rebellion, insurrection, or civil strife arising therefrom, or any hostile act by or against a belligerent power, or terrorism or any person acting from a political motive, Clause 1.1 shall not operate to exclude losses (which would otherwise be covered) arising from the use of any computer, computer system or computer software program or any other electronic system in the launch and/or guidance system and/or firing mechanism of any weapon or missile.

10/11/03 CL380

Page 12

New Contractual Risk Allocation Clauses for Cyber Risks in the Offshore Energy Sector

• Contractual indemnity for damage arising from virus/malware that was delivered via contractor’s devices, computers or software.

• Indemnity obligations extend to property damage, environmental impairment, bodily injury/death resulting from virus/malware.

• Restricted use of wireless connections and storage devices.

• Requirements that contractors comply with minimum standards to protect the networks and computer resources of the contractors/service companies that may be involved in work for owners/operators.

• Would a violation of these contractual obligations impact liability coverage?

Page 13

Path Forward

Good News

• U.S. government is using regulations, commercial, financial and legal incentives to:

o Encourage companies to implement measures to prevent cyber attacks.

o Encourage the creation of insurance programs to respond to cyber attacks.

o Ask for input from stakeholders.

• Offshore energy and marine companies and insurers have a history of working closely on conceptually challenging risks (Welcar 2001).

• Existing risk assessment templates can be used to assess cyber risks/cyber attacks - require the insured to exercise appropriate levels of due care and diligence (OEE, EED 8/86).

Bad News

• Insurance coverage for energy sector cyber attacks is still a nascent risk market.

• Unlike some other risks, cyber attacks continue to evolve at a rapid pace.

• Conceptually challenging risk allocation scenarios and damage models – involving multiple types of coverages and underwriting disciplines.

Page 14

Author

Glenn Legge is a partner in Legge Farrow who has represented energy companies and their insurers for over 30 years. Mr. Legge focuses his practice in the areas of commercial litigation, including energy, marine, construction and insurance coverage matters. He represents operators, contractors, service companies and insurers involved in offshore exploration, production, development, construction and decommissioning matters. Mr. Legge has tried numerous cases to verdict, has arbitrated commercial disputes through award and enforcement and has argued cases before Texas appellate courts in the 1st, 5th and 14th Districts, the Texas Supreme Court and the United States Court of Appeals for the Fifth Circuit. In the last four years he has had the honor of obtaining significant victories for the London insurance market in two matters before the Texas Supreme Court, including the only reported opinion in the U.S. interpreting the Welcar 2001 terms. You can contact Mr. Legge at [email protected].
