Why Your Corporate Insurance and Risk Management Program May not Respond to a Cyber Attack



Transcript of Why Your Corporate Insurance and Risk Management Program May not Respond to a Cyber Attack

Page 1: Why Your Corporate Insurance and Risk Management Program May not Respond to a Cyber Attack

Why Your Corporate Insurance and Risk Management Program May not Respond to a Cyber Attack

In House Counsel Summit Series, November 6, 2014

Glenn R. Legge, www.leggefarrow.com

Page 2: Concerns About a Cyber Related 9/11

“As the country becomes ever more dependent on digital services for the functioning of critical infrastructure, business, education, finances, communications, and social connections, the Internet’s vulnerabilities are outpacing the nation’s ability to secure it.”

“We are at September 10th levels in terms of cyber preparedness.”

-- Reflections on the Tenth Anniversary of the 9/11 Commission Report – The Bipartisan Policy Center – July 2014

Page 3: Issues to be Addressed

Current cyber threats to the energy industry.

Corporate management’s enhanced obligations to protect against cyber threats and provide adequate insurance.

Current coverage wordings that address cyber-risks.

Current coverage exclusions for cyber-risks, including CL380 and the new ISO provisions, and how they may be challenged in the courts.

Emerging contractual risk allocation terms to address damages arising from cyber-risks.

Page 4: Recent Examples of Cyber Attacks or Data Breaches on Retail and Financial Companies

2013 – Target Corporation – 40 million credit and debit card accounts. $200 million to reissue 21.8 million credit and debit cards.

2014 – Neiman Marcus – 350,000 payment cards.

2014 – Home Depot – 56 million debit and credit cards.

2014 – JP Morgan Chase – 76 million households, 7 million small businesses.

2014 – eBay – personal records of 233 million users.

Page 5: Energy Sector – Exposure to Cyber Attack

Massive use of Big Data – data sets so large and complex that it becomes difficult to process them using on-hand data management tools or traditional data processing applications.

Big Data managed by “supervisory control and data acquisition” (SCADA) and “industrial control systems” (ICS).

Shareholder pressure to improve returns and reduce costs by increasing operational efficiencies through use of IT.

Broad geographic distribution of facilities requires use of IT.

The energy sector is the focus of cyber intrusions from government-based cyber attackers and non-government groups.

Page 6: U.S. Government’s Early Response to Cyber Threats

In May 2013, after recognizing various probable cyber risks, the US Department of Commerce commissioned the National Institute of Standards and Technology (NIST) to issue guidelines for SCADA and ICS systems.

Page 7: U.S. Government’s Early Response to Cyber Threats

NIST recognized various probable risks resulting from a cyber attack or data breach:

Unauthorized changes to instructions, commands, or alarm thresholds, which could damage, disable, or shut down equipment, create environmental impacts, and/or endanger human life;

Inaccurate information sent to system operators, either to disguise unauthorized changes, or to cause the operators to initiate inappropriate actions, which could have various negative effects; and

Interference with the operation of safety systems, which could endanger human life.

NIST Special Publication 800-82, Revision 1.

Page 8: Is the Energy Sector Next? Is Next Now?

August 2012 – Shamoon malware contaminated up to 30,000 computers at Saudi Aramco. Days later, the computer systems at Qatar-based RasGas were infected by a virus, shutting down the company’s website.

June 20, 2014 – A network of hackers called AnonGhost announced it had launched a barrage of cyber-attacks on international energy companies in the Middle East and the United States. Symantec, the IT security company, identified this emerging cyber-threat as Operation Petrol.

July 2, 2014 – The Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) warned energy companies of malicious software used by “a Russian hacking group known as ‘Energetic Bear’ or ‘Dragonfly’ . . . that primarily targets the energy sector and related industries.”

November 3, 2014 – DHS’s ICS-CERT identified a sophisticated malware campaign that had compromised numerous ICS using a variant of the BlackEnergy malware. The BlackEnergy variant targeted GE Cimplicity and Siemens WinCC SCADA programs.

Page 9: Is the Energy Sector Next? Is Next Now?

Who uses Big Data in the Energy Sector?

Deepwater Exploration & Production (E&P) – Real time downhole data sensors: temperature, pressure, vibration, flowmeters and subsea control modules.

Onshore E&P – Remote monitoring and control of well sites.

Midstream Transportation – Remote detection and control systems. Monitoring high pressure/high temperature and corrosion.

Maritime Transportation – Security and vessel traffic control, GPS aided functions and ECDIS navigation systems.

Refining & Petrochemical – Processing of hydrocarbons/chemicals, predictive maintenance of equipment/machinery, supply chain and distribution chain.

Page 10

Enhanced Corporate Responsibility to Manage Risks for Cyber Attacks - US Perspective

Executive Order 13636 Improving Critical Infrastructure Cybersecurity, 12 June 2013.

Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0 National Institute of Standards and Technology (NIST), 12 Feb. 2014.

DHS/DOE Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model (ONG – C2M2) – Version 1.1 – February 2014.

DHS Insurance Industry Working Session Readout Report – Insurance for Cyber-Related Critical Infrastructure Loss: Key Issues – July 2014.

SEC Commissioner Aguilar Addresses New York Stock Exchange Members Regarding Corporate Obligations Concerning Cyber Risks – June 2014.

Page 11

Enhanced Corporate Responsibility to Manage Risks for Cyber Attacks - US Perspective

Executive Order 13636, Improving Critical Infrastructure Cybersecurity

Adoption of the Cybersecurity Framework (“Framework”)

Market-based incentives to encourage the development of cyber insurance.

Litigation risk mitigation for entities that adopt the Framework and meet reasonable insurance requirements.

Legal benefits may include limited indemnity, higher burdens of proof, or limited penalties; case consolidations; case transfers to a single federal court.

Insurance options could include a requirement for the purchase of private market liability insurance in order to apply for these liability protections and legal benefits.

Executive Order 13636, 12 June 2013.

Page 12

Enhanced Corporate Responsibility to Manage Risks for Cyber Attacks - US Perspective

NIST - Framework for Improving Critical Infrastructure Cybersecurity

Encourages development of voluntary standards and processes for industry concerning critical infrastructure to address cyber risks.

Urges corporate management to focus on cyber risk management.

NIST, Framework for Improving Critical Infrastructure Cybersecurity, Version 1, 12 Feb. 2014.

Page 13

Enhanced Corporate Responsibility to Manage Risks for Cyber Attacks - US Perspective

DHS/DOE Oil and Natural Gas Subsector, Cybersecurity Capability Maturity Model (ONG – C2M2)

The C2M2 program addresses the “unique characteristics of the oil and natural gas subsector.”

C2M2 program can be used to:

Strengthen cybersecurity capabilities in the ONG sector.

Enable ONG organizations to effectively and consistently evaluate and benchmark cybersecurity capabilities.

Share knowledge and best practices within the ONG sector as a means to improve cybersecurity.

104 references and comments on “risk management.”

Oil and Natural Gas Subsector, Cybersecurity Capability Maturity Model (ONG-C2M2), Version 1.1, Feb. 2014

Page 14

Enhanced Corporate Responsibility to Manage Risks for Cyber Attacks - US Perspective

DHS Insurance Industry Working Session Readout Report, Insurance for Cyber-Related Critical Infrastructure Loss: Key Issues, July 2014.

Page 15

Enhanced Corporate Responsibility to Manage Risks for Cyber Attacks - US Perspective

DHS Insurance Industry Working Session – July 2014

Round table meetings with insurance industry – Oct. 2012 to Nov. 2013.

Report on energy sector insurance:

Exclusion CL380 described as an exemption clause that is “… commonplace in property insurance written for energy sector companies.”

Recognized the existence of several energy sector data sets that include failure scenarios that could assist in creating underwriting data templates.

Page 16

Enhanced Corporate Responsibility to Manage Risks for Cyber Attacks - US Perspective

SEC Commissioner Aguilar addresses New York Stock Exchange members regarding corporate obligations concerning cyber risks – June 2014

Page 17

Enhanced Corporate Responsibility to Manage Risks for Cyber Attacks - US Perspective

SEC’s Recommendations to New York Stock Exchange Members – June 2014

June 10, 2014 – SEC Commissioner Aguilar advised:

That “ensuring the adequacy of a company’s cybersecurity measures needs to be a critical part of a board of director’s risk oversight responsibilities.”

Best practices include the review and assessment of corporate insurance policies.

From the SEC’s perspective, directors and officers of publicly traded companies have an obligation to review and assess the adequacy of insurance coverage that would respond to a cyber-attack. Ariel Yehezkel & Thomas Michael, Cybersecurity: Breaching the Boardroom, THE METROPOLITAN CORPORATE COUNSEL, April 2014.

Directors and Officers (D&O) liability insurance policies often exclude coverage for failure to procure/maintain adequate insurance coverage.

Page 18

Energy Industry’s Response to Threat of Cyber Attack

Increased concern about insurance coverage for cyber attack/data breach.

Oil and Natural Gas – Information Sharing and Analysis Center (ONG-ISAC)

Members – Upstream, midstream and downstream energy companies and contractors.

Goal – “[T]o provide shared intelligence on cyber incidents, threats, vulnerabilities, and associated responses present throughout our industry.”

Anonymous information sharing through an ONG-ISAC secure web platform.

Coordinated response among ONG-ISAC members.

ABI Research projected costs to guard oil and gas infrastructure against cyber attacks will be $1.87 billion in 2018.

Page 19

Insurance Coverage for Cyber Attacks on the Energy Sector – Where is it?

Types of losses, and the policies that may be involved, in a cyber attack (Loss – Policy):

Property of the company or third parties – Property/Liability

Pollution damages/liability – Liability/OEE

Well control and re-drill expenses – COW/OEE

Business interruption, contingent business interruption and lost or delayed production of company or third parties – Property/Liability

Loss of intellectual property, trade secrets and financial information – Cyber Risk

Remediating damage to computer systems – Cyber Risk

Bodily injury or death claims of employees or third parties – Liability

Regulatory fines and/or penalties – Cyber Risk

Shareholder suits – D&O

Page 20

Coverage for Cyber Attack Under Available Policies

Cyber Risk Policies

Limited cyber-risk insurance policies provide coverage for first party and third party claims with relatively low limits ($10-25 million).

Coverages:

Forensic analysis, remediation of data systems, notification to customers, public affairs/public relations and notification to third parties.

Loss of intellectual property, financial information, and proprietary data of the insured.

London market coverages have provided some property damage and business interruption coverages.

Property damage, environmental impairment and bodily injury/loss of life are not covered under most cyber risk policies.

Page 21

Coverage for Cyber Attack Under Available Policies

D&O Policies

Provide some coverage to corporate management and the entity for securities claims related to alleged failures to mitigate cyber risks.

Coverage for damages to property of the corporation or third parties will not be provided under most D&O policies.

Many D&O policies have exclusions for cyber risks.

D&O policies will not provide coverage for property damage, environmental impairment or business interruption.

Many D&O policies exclude coverage for failure to procure and maintain adequate insurance coverage.

Page 22

Coverage for Cyber Attack Under Available Policies

Property Insurance

Provides coverage for company’s physical assets and business interruption/contingent business interruption.

Often excludes losses resulting from cyber risks/cyber attacks.

US courts are divided regarding whether damage to software/computer systems is “physical damage to tangible property.”

American Guar. & Liab. Ins. Co. v. Ingram Micro, Inc., Civ. 99-185 TUC ACM, 2000 WL 726789 (D. Ariz. 2000) (corruption of electronic data was physical damage to tangible property).

Lambrecht & Assocs., Inc. v. State Farm Lloyds, 119 S.W.3d 16 (Tex. App.—Tyler 2003, no pet.) (damage to data is loss of tangible property).

Ward Gen. Ins. Servs., Inc. v. Emp’rs Fire Ins. Co., 7 Cal. Rptr. 3d 844, 851 (Cal. Ct. App. 2004) (loss suffered by plaintiff was a loss of information; plaintiff did not lose the tangible material of the storage medium).

Page 23

Coverage for Cyber Attack Under Available Policies

Upstream Energy Insurance Facilities

Oil Insurance Limited (OIL) is a Bermuda-based mutual insurance program for the energy industry.

Coverage includes property damage, control of well, redrill, and pollution coverage, and some degree of coverage for cyber attacks on its members, but not war risks. The aggregate limit of OIL coverage is $750 million per event.

Chrysalis is a specialized excess insurance program underwritten by London market insurers.

Provides coverage similar to those provided under OIL, including some coverage for cyber attacks. Chrysalis also provides up to $125 million per occurrence for cyber-attacks.

Page 24

Coverage for Cyber Attack Under Available Policies

Commercial General Liability Insurance (CGL)

Property Damage – Coverage A

Is damage to electronic data “property damage”?

Magnetic Data, Inc. v. St. Paul Fire and Marine Ins. Co., 83 A.3d 664 (Conn. App. 2014) – electronic data erased from hard drive was intangible and not covered under “property damage” definition.

After 2001, many policies exempted “electronic data” from “property damage” definition.

After 2004, ISO wording excluded “[d]amages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.”

“Electronic Data Liability” Endorsement reintroduced “electronic data” into the definition of “property damage.”

Page 25

Coverage for Cyber Attack Under Available Policies

Commercial General Liability Insurance (CGL)

Personal and Advertising Injury Liability – Coverage B

“Personal and advertising injury” includes “Oral or written publication, in any manner, of material that violates a person’s right of privacy.”

Coverage for loss of personally identifiable information (PII).

Zurich American Insurance v. Sony Corporation, No. 651982-2011 (N.Y. Sup. Ct. Feb. 24, 2014). Court ruled that Coverage B of the CGL policy applied to publication of Sony customers’ confidential information. Because the disclosures were made by the hackers, and not Sony, the insurer had no duty to defend the insured or pay for damages.

Netscape Communications Corp. v. Federal Insurance Co., 343 Fed. App’x 271 (9th Cir. 2009). SmartDownload software collected claimants’ internet usage and used information for advertising. Court found claims within “personal injury” coverage and ruled that insurer had duty to defend the insured. Court did not require a disclosure of PII to a third party.

Page 26

Cyber Risk Exclusions

ISO 2004 Electronic Data Exclusion

ISO 2014 Data Breach Exclusions

CL 380 Cyber Risk Exclusion

NMA 2915 – Cyber Exclusion

NMA 2914 – Electronic Data Endorsement A

Page 27

ISO 2004 Electronic Data Exclusion and Definition, CG 00 01 12 04 (2004 CGL Form)

2. Exclusions

This insurance does not apply to:

p. Electronic Data

(2) Damages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate "electronic data" that does not result from physical injury to tangible property.

. . .

However, this exclusion does not apply to liability for damages because of "bodily injury."

2004 Revised Definition of Property Damage

For the purposes of this insurance, electronic data is not tangible property. As used in this definition, electronic data means information, facts or programs stored as or on, created or used on, or transmitted to or from computer software, including systems and applications software, hard or floppy disks, CD-ROMs, tapes, drives, cells, data processing devices or any other media which are used with electronically controlled equipment.

Page 28

2014 ISO Data Breach Exclusions, CG 04 37 05 14

A. Exclusion 2.p. of Coverage A – Bodily Injury And Property Damage Liability in Section I – Coverages is replaced by the following:

2. Exclusions

This insurance does not apply to:

p. Electronic Data Access Or Disclosure Of Confidential Or Personal Information And Data-related Liability

Damages arising out of:

(1) Any access to or disclosure of any person's or organization's confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information; or

(2) The loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate "electronic data" that does not result from physical injury to tangible property.

. . .

However, unless Paragraph (1) above applies, this exclusion does not apply to liability for damages because of "bodily injury".

Page 29

CL380

INSTITUTE CYBER ATTACK EXCLUSION CLAUSE

1.1 Subject only to clause 1.2 below, in no case shall this insurance cover loss damage liability or expense directly or indirectly caused by or contributed to by or arising from the use or operation, as a means for inflicting harm, of any computer, computer system, computer software program, malicious code, computer virus or process or any other electronic system.

1.2 Where this clause is endorsed on policies covering risks of war, civil war, revolution, rebellion, insurrection, or civil strife arising therefrom, or any hostile act by or against a belligerent power, or terrorism or any person acting from a political motive, Clause 1.1 shall not operate to exclude losses (which would otherwise be covered) arising from the use of any computer, computer system or computer software program or any other electronic system in the launch and/or guidance system and/or firing mechanism of any weapon or missile.

CL380 10/11/03

Page 30

NMA 2915

ELECTRONIC DATA

1. Electronic Data Exclusion

Notwithstanding any provision to the contrary within the Policy or any endorsement thereto, it is understood and agreed as follows:

a) This Policy does not insure loss, damage, destruction, distortion, erasure, corruption or alteration of ELECTRONIC DATA from any cause whatsoever (including but not limited to COMPUTER VIRUS) or loss of use, reduction in functionality, cost, expense of whatsoever nature resulting therefrom, regardless of any other cause or event contributing concurrently or in any other sequence to the loss.

* * *

b) However, in the event that a peril listed below results from any of the matters described in paragraph (a) above, this policy, subject to all of its terms, conditions and exclusions, will cover physical damage occurring during the policy period to property insured by this policy directly caused by such listed peril.

Listed Perils

Fire

Explosion

Page 31

Contractual Risk Allocation for Cyber Risks

Cyber risk allocation scheme needs something more than “at law” contribution clause.

“Knock for knock” scheme may not be applicable to damages arising from cyber attacks.

Risk allocation based upon “emanation” or means of entry. Suitable for a “bring your own device” environment between operators and contractors?

Representations/warranties/certifications that software/hardware/devices used in performance of services is free of any virus/malicious code/malware.

Representations/warranties to promptly notify customer of discovery of any “cyber incidents” or compromised cyber security events prior to/after the performance of services.

Requirements that contractor have liability insurance that would cover damages resulting from cyber attacks? No policy exclusions?

Page 32

Insurance Coverage for Cyber Attacks/Cyber Risks in the Energy Sector - Path Forward

Good News

U.S. government is considering use of commercial, financial and legal incentives to:

Encourage companies to implement measures to prevent cyber attacks.

Encourage the creation of insurance programs to respond to cyber attacks.

The energy sector and the insurance market have worked closely for years on conceptually challenging risks.

Specialists in energy insurance and cyber security can provide the means to conduct risk assessments of companies/insureds.

Existing risk assessment templates can be used to address cyber risks and create safeguards to prevent them.

Bad News

Insurance coverage for energy sector cyber attacks is still a nascent risk market.

Unlike some other risks, cyber attacks continue to evolve at a rapid pace.

Page 33: Authors

Glenn Legge

For 30 years Mr. Legge has practiced in the areas of commercial litigation, including energy, marine, construction, insurance coverage and trade secrets disputes. He represents operators, contractors, service companies and insurers involved in onshore and offshore energy, construction, environmental and regulatory matters. Mr. Legge has tried numerous cases to verdict, has arbitrated commercial disputes through award and enforcement and has argued cases before Texas appellate courts in the 1st, 5th and 14th Districts, the Texas Supreme Court and the United States Court of Appeals for the Fifth Circuit. In the last four years he has had the honor of obtaining significant victories in two matters before the Texas Supreme Court involving onshore and offshore construction and insurance coverage disputes. You can contact Mr. Legge at [email protected].

Jeanie Tate Goodwin is a Senior Associate at Legge Farrow. Her practice includes maritime personal injury and casualty matters, as well as representing energy companies in complex commercial litigation. In addition, she has substantial experience in insurance law, including both first party and third party coverage matters. In the first quarter of 2015, she will join Catlin’s legal department on secondment in London. You can reach Jeanie at [email protected].

Jacob Esparza is a Senior Associate at Legge Farrow who has represented energy companies and their insurers for nearly 10 years. He handles complex litigation involving contractual risk allocation issues in the onshore and offshore energy industries. Mr. Esparza also successfully represents foreign and domestic insurers in coverage and bad faith litigation stemming from various commercial coverages, including energy, liability, property, cargo, motor carrier and business interruption. In 2014, Mr. Esparza was selected to the Super Lawyers "Texas Rising Stars" List for the Energy and Natural Resources, Insurance Coverage and Transportation/Maritime practices. You can contact Mr. Esparza at [email protected].

Page 34

Why Your Corporate Insurance and Risk Management Program May not Respond to a Cyber Attack

In House Counsel Summit Series, November 6, 2014

Glenn R. Legge, www.leggefarrow.com