Cybersecurity is attaining the same level of importance that health, safety and environment issues have had in oil and gas over the past 20 years. Over the past 18 months, the U.S. federal government has also undertaken a series of actions on cybersecurity in the oil and gas sector, Glenn Legge, a partner at Legge, Farrow, Kimmitt, McGrath & Brown LLP, told Rigzone. Through its agencies and the executive branch, the federal government has sought to encourage the private sector to build more robust cybersecurity defenses.
Late last year, the U.S. Department of Homeland Security (DHS) and the U.S. Coast Guard (USCG) announced that they would develop cybersecurity regulations for the marine and offshore energy sectors. These regulations would address cyber risks and vulnerabilities among vessels and facilities subject to the Maritime Transportation Security Act of 2002.
The regulations will create standards and minimum requirements for companies working in the marine and offshore energy industries. Legge said his firm anticipates that some of the proposed regulatory requirements will be drawn from industry cybersecurity standards, as well as recommendations created by the National Institute of Standards and Technology (NIST), a non-regulatory branch of the U.S. Department of Commerce.
Prior to this announcement, most existing regulation focused on data breach events, such as the theft of credit card and Social Security numbers, rather than on a cyber-attack against offshore infrastructure.
“Unlike exercising oversight over other marine and offshore energy activities, regulating cybersecurity will be very challenging, as industry standards in this area are continually evolving at a rapid rate in response to ever-changing cyber threats,” according to the law firm’s February 2015 newsletter. “The new regulatory framework will have to have some degree of adaptability to oversee cybersecurity in an evolving threat environment.”
Both agencies have asked for comments from industry stakeholders, insurers, protection and indemnity insurance clubs and classification societies. The deadline for comments has been extended to April 15 of this year.
The decision of both agencies to act may have been prompted in part by a June 2014 Government Accountability Office (GAO) report that was critical of DHS and USCG on cybersecurity. The report addressed port cybersecurity, but used the Maritime Transportation Security Act (MTSA) as a reference to determine the scope of vessels and facilities that would be subject to cybersecurity regulations.
GAO also cited a report from Australia’s Office of the Inspector of Transportation Security finding that a cyber-attack could be the most serious threat to offshore oil and gas facilities and land-based production, Legge Farrow noted.
Recognizing the possible consequences of a cyber-attack on critical infrastructure such as oil and gas assets (from damaging, disabling or remotely shutting down drilling rigs and production platforms, to environmental harm, to injury and loss of human life), President Obama in February 2013 issued Executive Order 13636, which sought to provide market-based incentives, including the development of cyber insurance. The order also seeks to encourage the development of voluntary standards and processes for industry concerning critical infrastructure, and to focus corporate management on cyber risk management.
In return for adopting such a framework and meeting insurance requirements against cyber-attacks, the U.S. government has indicated that it would be willing to offer companies limited indemnity, higher burdens of proof or limited penalties, as well as case consolidation and transfer of cases to a single federal court.
Last February, DHS and the U.S. Department of Energy issued the Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model (ONG-C2M2). The model was created to enable energy companies to evaluate and benchmark their cybersecurity capabilities effectively and consistently. It can also be used to share knowledge and best practices within the oil and gas sector in order to improve cybersecurity preparedness.
The oil and gas industry has responded to the threat of cyber-attacks by forming the Oil and Natural Gas Information Sharing and Analysis Center. The group, which includes upstream, midstream and downstream energy companies and contractors, seeks to provide shared intelligence on cyber incidents, threats, vulnerabilities and associated responses across the industry. ABI Research estimates that protecting oil and gas infrastructure against cyber-attacks will cost $1.87 billion in 2018.
NEED FOR INSURANCE TO COVER PHYSICAL DAMAGES FROM CYBER-ATTACKS
Over the past two years, the U.S. government has also sought to encourage insurers to provide a reasonable degree of coverage for damages caused by cyber-attacks. At present, many insurance policies contain exclusions for damages stemming from cyber-attacks or malicious viruses, Legge said.
“This is a relatively new and fluid area of insurance coverage that is distinct from insurance issues related to data breaches and less tangible damages involving disclosure of personally identifiable information,” according to Legge Farrow’s February 2015 newsletter on energy and maritime matters.
The nature of cyber-attacks will be challenging for insurers, protection and indemnity clubs and classification societies. If insurers agree to cover property damage/business interruption, limited pollution liability, control of well/redrill and/or bodily injury or death due to a cyber-attack, the insured company’s compliance with current cybersecurity standards will likely serve as a threshold issue in determining whether such coverage is triggered.
“What is an acceptable standard of cybersecurity today may be significantly altered within a policy or classification period,” according to Legge Farrow. “We anticipate that insurers may require cyber audits or compliance programs to periodically monitor an insured’s cybersecurity programs and verify that new standards are updated as threats are identified, either internally or publicly by the Industrial Control Systems Cyber Emergency Response Team.”
Risk allocation clauses in the oil and gas industry have evolved to address the risk of cyber-attacks. Nearly every contractor or service company uses its own computers or external devices to monitor and verify the performance and interfaces of its equipment and services at customers’ facilities, Legge Farrow reported in its February 2015 newsletter on energy and maritime matters.
“The BYOD [bring your own device approach] is so common that it is difficult to imagine how critical systems would be serviced or monitored in any other manner,” said the firm. “As a result, operators are demanding risk allocation terms that address the damages that could arise from a malicious virus that is delivered via a contractor’s external device.”
The potential damages in some of these cyber scenarios could be catastrophic.
“Understandably, some contractors/service companies or equipment providers are reluctant to assume the potential contractual risks and exposures that could arise from the inadvertent introduction of a malicious virus.”
In most risk allocation negotiations, risk is distributed between contractual obligations and indemnities on one side and available insurance coverage on the other. That solution is unavailable in most circumstances here, because many insurance policies exclude damages arising from cyber risks or malicious viruses. As a result, the allocation of exposures arising from cyber-attacks is being negotiated on a much smaller playing field with far fewer resources.