Cyber Risk and the Utility Industry

Transcription

1 Cyber Risk and the Utility Industry

2 Imran Ahmad Lawyer, Cassels Brock & Blackwell LLP

3 Canadian Legal Landscape Personal Information Protection and Electronic Documents Act (PIPEDA) Federal legislation that governs the collection, use and disclosure of personal information PIPEDA applies in all provinces except Quebec, BC and Alberta, where substantially similar privacy laws have been enacted PIPEDA applies to all organizations that handle personal information in the course of their commercial activities Certain provinces have health-specific privacy laws

4 Canadian Legal Landscape PIPEDA Personal Information includes any factual or subjective information, recorded or not, about an identifiable individual Includes age, name, ID numbers, income, ethnic origin, medical records, credit records, etc. Does not include an employee s name, title, business address, or phone number, use of information for personal purposes, information collected by federal or provincial government organizations under the Privacy Act, etc.

5 Canadian Legal Landscape Digital Privacy Act Digital Privacy Act, came into force on June 18, 2015 and amends PIPEDA in important ways Requires mandatory reporting of security breach by organizations Maximum fines of $100k for failure to report breach Allows organization-to-organization disclosure of personal information for investigating breaches Mandatory breach reporting regime is not yet in force

6 Cybersecurity in Canada On July 22, 2015, the Government of Canada allocated an additional $142.6 million over five years towards Canada s Cyber Security Strategy Economic Action Plan 2015 proposes to provide $94.4 million over the next five years to protect Canada s essential cyber systems and critical infrastructure

7 Cybersecurity in Canada Action Plan for Critical Infrastructure: A Renewed Action Plan ( ) Strategic Objectives: 1. Sustain and enhance partnerships 2. Share and protect information 3. Implement an All-Hazards Risk Management Approach

8 Cyber-Security Policy Collaboration and information-sharing with critical infrastructure sectors and private sector partners is our best defence to protect our essential cyber systems. Hon. Steven Blaney, Minister of Public Safety and Emergency Preparedness, July 22, 2015

9 Canada: A Target for Cyber Threats Canada has been involved in contentious international issues, potentially raising the risk of cyber attack: Sanctions on Russian entities and individuals in response to Ukrainian conflict Active in US-led air operations to counter ISIS in Syria and Iraq Criticism of China for alleged involvement in cyber attacks and cyber spying

10 US Approach to Cybersecurity Legislative Changes Protecting Cyber Networks Act passed in the House of Representatives in April 2015 Cybersecurity Information Sharing Act goes before the Senate for vote in September, 2015 Existing law from Federal Information Security Management Act (2002), Homeland Security Act (2002), Federal Trade Commission Act, Cyber Security Research and Development Act (2002) Executive Order of Feb. 12, 2013 Improving Critical Infrastructure Cybersecurity NIST Framework for Improving Critical Infrastructure Cybersecurity, 2014 Department of Homeland Security Responsible for protection of critical infrastructure, information technology, and communication networks National Cybersecurity and Communications Integration Center (NCCIC)

11 2015 US State of Cybercrime Survey Survey of 500 executives from US businesses, law enforcement services, and government agencies Co-sponsored by PwC, CSO, the CERT Division of the Software Engineering Institute at Carnegie Mellon University, and the United States Secret Service 79% of respondents said they detected a security incident in the past 12 months 76% of respondents said they are more concerned about cybersecurity this year than in the previous 12 months

12 2015 US State of Cybercrime Survey Source: PwC, US cybersecurity: Progress Stalled: Key findings from the 2015 US State of Cybercrime Survey, July 2015,

13 2015 US State of Cybercrime Survey Source: PwC, US cybersecurity: Progress Stalled: Key findings from the 2015 US State of Cybercrime Survey, July 2015,

14 The Utilities Sector According to data from the Department of Homeland Security, more than 50% of investigated cyber incidents from October 2012 to May 2013 occurred within the energy sector Specifically at risk are power and utility companies, which provide heat and electricity to homes and businesses across the US. Insurance Business America Magazine, August 14, 2015

15 Data Breach Statistics Over 1 billion data records were compromised globally in 2014 (Gemalto, February 12, 2015) 348 million identities exposed as a result of data breaches in 2014 (Symantec, April 2015) Hope for the best but prepare for the worst Having a plan in place and a team capable of implementing it can be of crucial importance

16 Canadian Cyber Incident Response Centre: Mitigation Strategies 1. Use application whitelisting to help prevent malicious software and unapproved programs from running 2. Patch applications such as Java, PDF viewers, Flash, web browsers and Microsoft Office 3. Patch operating system vulnerabilities 4. Restrict administrative privileges to operating systems and applications based on user duties

17 Dawn R. Simmons Vice President, Underwriting Cyber AEGIS Insurance Services, Inc.

18 AEGIS Cyber Product Strategy Transition of cyber portfolio from Syndicate to mutual July 1, 2015 Underwriting team dedicated to AEGIS members Dawn Simmons, Vice President Ho-Tay Ma, Underwriting Officer Improve consistency in underwriting, pricing, and coverage for our members Rollout of CyberResilience+ policy form with additional clarifications

19 AEGIS Underwriting Process AEGIS questionnaire and conference call approach AEGIS has partnered with Cylance to develop a customized evaluation process for our members Cylance team has in-depth knowledge of and experience in the critical infrastructure industry

20 Cyber Coverage Spectrum for Power & Utility Clients Power & Utility Cyber Exposures Cyber Coverage Spectrum Complexity of Insurance Solutions Data / privacy breach 1 st party costs Data / privacy breach 3 rd party liability IT security breach liability Privacy regulatory Investigations cost Cyber extortion Cyber terrorism OT security liability Security breach regulatory investigations (IT or OT) Business interruption (IT or OT) Contingent BI (critical vendors) Physical damage Extended regulatory shutdown Commonly addressed Tailored solutions Evolving solutions

21 AEGIS Cyber Resilience Product Overview Traditional Cyber IT Security and Privacy Liability for both 1 st party remediation costs and 3 rd party liability Privacy Regulatory Action Data Restoration IT Business Income / Extra Expense Physical Damage Excluded Cyber Terrorism / Cyber Warfare CyberResilience+ Extend coverage to include Operational Technology Failure to supply Security breaches in addition to privacy related FERC, NERC, & NRC Fines and penalties where insurable Coverage triggers Software programming errors Natural disasters Extended Coverage triggers Critical Vendor Coverage Failure to Supply Options for DIC / Wrap Coverage: Bodily Injury / Property Damage Exclusion limited to physical war

22 AEGIS Cyber Advantage Provide best in class coverage tailored for the energy sector $50 million in dedicated capacity to AEGIS members Dedicated risk service partners with Industry knowledge and expertise to serve AEGIS members Access to AEGIS erisk Hub for loss control and risk management services

23 Ho-Tay Ma Underwriting Officer Cyber AEGIS Insurance Services, Inc.

24 Data Breach Best Practices When? Pre-Breach Best Practice Build cyber monitoring team Test security measures Educate and train employees Address supply chain risks Cyber insurance coverage Prepare a response plan

25 Policy Services AEGIS eriskhub Incident Roadmap AEGIS Vendor Partners News Center Learning Center Security Training Risk Manager Tools

26 Data Breach Best Practices When? During/Post-Breach Best Practice Implement response plan Quarantine the breach Assess the damage Determine the source Preserve the crown jewels Evaluate ongoing risk Coordinate with legal counsel

27 Claims Plan Notify your carrier Notify legal counsel Utilize a Data Breach Coach Review of law and duties Navigate the jurisdictional requirements Notice to governmental authorities Manage public relations

28 Claims Resources Depending on the breach, the following services may be required: Notice Fulfillment Forensic Expense Credit Monitoring Identity Monitoring Data Asset Restoration Public Relations

29 Claim Scenario Data Breach Situation: A disgruntled employee seeks to harm their employer by stealing credit card data via an unprotected USB outlet. The employee successfully downloads personal information on 1M households. Potential Policy triggers: 3 rd party damages and related defense costs 1 st party remediation services Data asset restoration PCI fines and penalties Loss and reputation mitigation

30 Claim Scenario Data Breach Target Data Breach Situation: In Q4, malware was inserted into the point-of-sale system and approximately 40 million credit/debit cards stolen As of 1/31/15, Target recorded $252M in pretax Data Breach related expenses, which is partially offset by $90M in expected insurance proceeds $67M settlement with VISA in August 2015 Source: Target Corporation Annual Report.

31 Claim Scenario Operational Technology Situation: Wanting to test the critical infrastructure security of a power generator, a rogue state transfers malicious code via a robust social engineering scheme and causes system-wide failures Policy triggers: 3 rd party damages and related defense costs 1 st party remediation services Failure to supply Business Interruption Data asset restoration PCI fines and penalties Loss and reputation mitigation

32 Claim Scenario Operational Technology Source: Meserve, Jeanne. Staged cyber attack reveals vulnerability in power grid. Online video clip. Youtube. 27 Sept

33 Claim Scenario Operational Technology EurActiv breach situation: A denial of service attack was sent from an unknown source and was followed by a botnet Internet domain was blocked for a few hours and all s/connectivity from the internet was blocked Electricity supplies were not affected Source: Neslen, Arthur. European renewable power grid rocked by cyber-attack. Euractive.com., 10, December 2012.

34 Questions? Imran Ahmad, Lawyer Cassels Brock & Blackwell LLP Business Phone: (416) Greg Eskins Marsh and McLennon Business Phone: (416) Dawn R. Simmons AEGIS Insurance Services, Inc. Business Phone: (201) Ho-Tay Ma AEGIS Insurance Services, Inc. Business Phone: (201) This document and the information in it is for illustration only and does not constitute legal advice. The information is subject to changes in the law and the interpretation thereof. This document is not a substitute for legal or other professional advice. Users should consult legal counsel for advice regarding the matters discussed herein.