Cyber Risks and Considerations for the Marine Insurance Industry Joseph G. Grasso David L. Hall February 26, 2015

Transcription

1 Cyber Risks and Considerations for the Marine Insurance Industry Joseph G. Grasso David L. Hall February 26, 2015 American Marine Insurance Forum

2 CYBER RISKS AND CONSIDERATIONS FOR THE MARINE INSURANCE INDUSTRY 2 Topics Nature of marine and non-marine cyber risks Increased government oversight re: cyber security Cyber exposure in the marine and energy sectors Governmental regulation of cybersecurity, including U.S. Coast Guard (USCG) and Department of Homeland Security (DHS) Insurance coverage for cyber-risks, and exclusions

3 CYBER RISKS AND CONSIDERATIONS FOR THE MARINE INSURANCE INDUSTRY 3 Cyber 9/11 As the country becomes ever more dependent on digital services for the functioning of critical infrastructure, business, education, finances, communications, and social connections, the Internet s vulnerabilities are outpacing the nation s ability to secure it. We are at September 10th levels in terms of cyber preparedness. Reflections on the Tenth Anniversary of the 9/11 Commission Report The Bipartisan Policy Center July 2014.

4 CYBER RISKS AND CONSIDERATIONS FOR THE MARINE INSURANCE INDUSTRY 4 Notable Recent Cyber Attacks 2011 Sony Corporation Confidential information from 77 million+ PlayStation network accounts Global Payments, Inc. 1.5 million card accounts. $90 million in costs Target Corporation 40 million credit and debit card accounts. $200 million to reissue 21.8 million credit and debit cards Neiman Marcus 350,000 payment cards Home Depot 56 million debit and credit cards JP Morgan Chase 76 million households, 7 million small businesses ebay personal records of 233 million users Anthem Blue Cross

5 CYBER RISKS AND CONSIDERATIONS FOR THE MARINE INSURANCE INDUSTRY 5 Factors at Work Big Data: data sets so large and complex that traditional data management tools and data processing applications are inadequate. Big Data managed by supervisory control and data acquisition (SCADA) and industrial control systems (ICS). Shareholder pressure to improve returns and reduce costs by increasing reliance on operational IT. Virtual world: geographic distribution of infrastructure (and maritime assets) requires use of IT. Increasing automation on board vessels Energy sector is targeted for cyber intrusions.

6 CYBER RISKS AND CONSIDERATIONS FOR THE MARINE INSURANCE INDUSTRY Who Uses Big Data in Marine Sectors? 6 Deepwater Exploration & Production (E&P) Onshore E&P Midstream Transportation Maritime Transportation Refining & Petrochemical Non-Marine/Non-Energy

7 CYBER RISKS AND CONSIDERATIONS FOR THE MARINE INSURANCE INDUSTRY 7 Deepwater Exploration Vessels/MODUs GPS/DP requirements. Real time downhole data sensors temperature, pressure, vibration, flowmeters and acoustic. Remote control and monitoring of subsea control modules.

8 Components of a Software Intensive System Controlled Systems 8

9 CYBER RISKS AND CONSIDERATIONS FOR THE MARINE INSURANCE INDUSTRY 9 Maritime Transportation Security and vessel traffic control GPS aided systems ECDIS navigation systems Smart containers

10 10 Potential Threats to the Marine Sector University of Texas researchers demonstrated in July 2013 that it is possible to change a vessel s direction by interfering with its GPS signal to cause the onboard navigation systems to falsely interpret a vessel s position and heading Hacker caused a floating oil platform off Africa to tilt to one side, forcing temporary shutdown. (Note this story is all over the Internet, and in the IMO report, but I was unable to verify the actual platform.) Somali pirates employed hackers to infiltrate a shipping company s cyber systems to identify vessels passing through the Gulf of Aden with valuable cargoes and minimal on-board security which led to the hijacking of at least one vessel All examples from a report submitted by Canada to the IMO in July 2014 (

11 11 Threats to the Marine Sector (continued) Denial of service attacks (initiating a very high number of requests to a system to overwhelm it and cause it to cease operating) against ports have been reported (Houston being one of them) Efforts to gain unauthorized access to wireless Internet networks in ports have been reported Studies by the Brookings Institute and the European Union agency for Network and Information Security both concluded that there is very little awareness of cybersecurity issues in the maritime transportation sector and few initiatives underway to enhance cybersecurity. All examples from a report submitted by Canada to the IMO in July 2014 (

12 CYBER RISKS AND CONSIDERATIONS FOR THE MARINE INSURANCE INDUSTRY 12 Data Breach Requirements 47 different state rules on data breach reporting. Most states require notice to those whose private information is affected. Some states require reporting to state attorney general, which could trigger investigation of the company s cybersecurity programs. Notification to insurers? Federal guidelines and requirements: a patch work quilt. Federal Trade Commission (FTC) enforcement NIST Framework Other agencies are starting to weigh in: DoD and SEC Federal legislation has been debated without success

13 CYBER RISKS AND CONSIDERATIONS FOR THE MARINE INSURANCE INDUSTRY 13 Data Breach Requirements (continued) Reporting creates complex relationship between reporting companies, regulators, and insurers. Fees/costs are significant Are they covered? What about fines?

14 CYBER RISKS AND CONSIDERATIONS FOR THE MARINE INSURANCE INDUSTRY 14 Growing Federal Interest 12 June 2013 Executive Order Improving Critical Infrastructure Cybersecurity. 12 Feb 2014 Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0 National Institute of Standards and Technology (NIST). What is the safe harbor? What is the duty of care?

15 15 Growing Federal Interest (continued) Feb 2014 DHS/DOE Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model (ONG C2M2) Version 1.1. June 2014 SEC Commissioner Aguilar Addresses New York Stock Exchange Members Regarding Corporate Obligations Concerning Cyber Risks. July 2014 DHS Insurance Industry Working Session Readout Report Insurance for Cyber-Related Critical Infrastructure Loss: Key Issues.

16 U.S. Government s Response to Cyber Threats 16 In May 2013, the US Department of Commerce commissioned NIST to issue guidelines for SCADA and ICS systems. Unauthorized changes to instructions, commands, or alarm thresholds, which could damage, disable, or shut down equipment, create environmental impacts, and/or endanger human life Inaccurate information sent to system operators, either to disguise unauthorized changes, or to cause the operators to initiate inappropriate actions, which could have various negative effects Interference with the operation of safety systems, which could endanger human life

17 Corporate Responsibility to Manage Risks for Cyber Attacks 17 DHS Insurance Industry Working Session Readout Report, Insurance for Cyber- Related Critical Infrastructure Loss: Key Issues, July 2014.

18 U.S. Government s Response to Cyber Threats 12 December 2014 USCG and DHS issued notice of public meeting and requested comments on: 18 Developing cybersecurity assessment methods for vessels and facilities regulated by the USCG; and Cybersecurity vulnerabilities that could cause a Transportation Security Incident (TSI). TSI = a security incident resulting in a significant loss of life, environmental damage, transportation system disruption, or economic disruption in a particular area. USCG invited public comments in developing standards, guidelines, and best practices to protect maritime critical infrastructure.

19 U.S. Government s Response to Cyber Threats December 2014 USCG and DHS requested public comments on: Identifying and addressing cyber-related vulnerabilities. What cyber-dependent systems, commonly used in the maritime industry, could lead or contribute to a TSI if exploited by an adversary? Are there existing cybersecurity assurance programs in use by industry that the USCG could recognize? How can vessel and facility operators reliably demonstrate that critical cyber-systems meet appropriate technical or procedural standards? Do classification societies, protection and indemnity clubs, or insurers recognize cybersecurity best practices that could help the maritime industry and the USCG address cybersecurity risks?

20 20 Coverage for Cyber Risks Cyber Risk Policies Limited cyber-risk insurance policies provide coverage for first party property and limited third party claims with relatively low limits. Coverages: Forensic analysis, remediation of data systems, notification to customers, public affairs/public relations and notification to third parties. Loss of intellectual property, financial information, and proprietary data of the insured. London market coverages have provided some property damage and business interruption coverages.

21 21 Coverage for Cyber Risks Property Insurance Provides coverage for company s physical assets and business interruption/contingent business interruption. Often EXCLUDES losses resulting from cyber risks/cyber attacks. US Courts are divided regarding whether damage to software/computer systems are physical damage to tangible property. Am. Guarantee & Liab. Ins. Co. v. Ingram Micro, Inc., No. CIV TUC ACM, 2000 WL (D. Ariz. 2000) (Corruption of electronic data was physical damage to tangible property). Lambrecht & Assocs., Inc. v. State Farm Lloyds, 119 S.W.3d 16 (Tex. App. Tyler 2003, no pet.) (Damage to data is loss of tangible property). Ward Gen. Ins. Servs., Inc. v. Emp rs Fire Ins. Co., 7 Cal. Rptr. 3d 844 (Cal. Ct. App. 2004) (Loss suffered by plaintiff was a loss of information. Plaintiff did not lose the tangible material of the storage medium).

22 22 Coverage for Cyber Risks D&O Policies Provide some coverage to corporate management and the entity for securities claims related to alleged failures to mitigate cyber risks. Many D&O policies have exclusions for cyber risks. Most D&O policies will NOT provide coverage for property damage, environmental impairment or business interruption. Many D&O policies do not cover officer and director liability for failure to provide/purchase adequate insurance.

23 23 Coverage for Cyber Risks Commercial General Liability Insurance (CGL) Property Damage Coverage A Is damage to electronic data property damage? Magnetic Data, Inc. v. St. Paul Fire & Marine Ins. Co., 442 N.W.2d 153 (Minn. 1989) electronic data erased from hard drive was intangible and not covered under property damage definition. After 2001, many policies exempted electronic data from property damage definition. After 2004, ISO wording excluded [d]amages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data. Electronic Data Liability Endorsement reintroduced electronic data into the definition of property damage.

24 24 Coverage for Cyber Risks Commercial General Liability Insurance (CGL) Personal and Advertising Injury Liability Coverage B Personal and advertising injury includes: Oral or written publication, in any manner, of material that violates a person s right of privacy. Coverage for loss of personally identifiable information (PII). Zurich Am. Ins. v. Sony Corp., No (N.Y. Sup. Ct. Feb. 24, 2014). Coverage B of the CGL policy applied to publication of Sony customers confidential information. Because the disclosures were made by the hackers, and not Sony, insurer had no duty to defend insured or pay damages. Netscape Commc ns Corp. v. Fed. Ins. Co., 343 Fed. App x 271 (9th Cir. 2009). SmartDownload software collected claimants internet usage and used information for advertising. Court found claims within personal injury coverage and ruled insurer had duty to defend insured. Court did not require a disclosure of PII to a third party.

25 25 Cyber Risk Exclusions ISO 2004 Electronic Data Exclusion. ISO 2014 Data Breach Exclusions. CL 380 Cyber Risk Exclusion. NMA2914 & NMA2915 Exclusions. AIMU?

26 26 Cyber Risk Exclusions Ambiguity? Judicial Treatment of Insurance Policies Courts construe insurance policies according to general rules of contract construction to ascertain the parties intent. They examine the entire agreement and seek to harmonize and give effect to all provisions so that none are meaningless. Gilbert Tex. Constr., L.P. v. Underwriters at Lloyd s London, 327 S.W.3d 118, 126 (Tex. 2010). Ambiguity in exclusions: The court must adopt the construction of an exclusionary clause urged by the insured as long as that construction is not unreasonable, even if the construction urged by the insurer appears to be more reasonable or a more accurate reflection of the parties' intent. Nat l Union Fire Ins. Co. of Pittsburgh, Pa. v. Hudson Energy Co., 811 S.W.2d 552, 555 (Tex. 1991).

27 ISO 2004 Electronic Data Exclusion and Definition 27 CG (2004 CGL Form) 2. Exclusions This insurance does not apply to: p. Electronic Data (2) Damages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate "electronic data" that does not result from physical injury to tangible property.... However, this exclusion does not apply to liability for damages because of "bodily injury."

28 ISO 2004 Electronic Data Exclusion and Definition (continued) 2004 Revised Definition of Property Damage 28 For the purposes of this insurance, electronic data is not tangible property. As used in this definition, electronic data means information, facts or programs stored as or on, created or used on, or transmitted to or from computer software, including systems and applications software, hard or floppy disks, CO-ROMS, tapes, drives, cells, data processing devices or any other media which are used with electronically controlled equipment.

29 ISO 2004 Electronic Data Exclusion and Definition (continued) 29 CG (2004 CGL Form) Exclusion of damages arising out of the: Loss of use of electronic data ; Corruption of electronic data ; Inability to manipulate electronic data ; and Does not result from the physical injury to tangible property. Definition of electronic data includes: Information; Programs; Used on or transmitted from computer software, including systems applications software, or any other media which are used with electronically controlled equipment.

30 ISO 2004 Electronic Data Exclusion and Definition (continued) No mention of virus or malicious use of electronic data. 30 Low level of ambiguity/broad level of applicability.

31 ISO Data Breach Exclusions Effective 1 May Various formats and applications: Liability (CGL) Coverage A & B. Property. Umbrella. Excess.

32 32 ISO Data Breach Exclusions CG A. Exclusion 2.p. of Coverage A Bodily Injury And Property Damage Liability in Section I Coverages is replaced by the following: 2. Exclusions This insurance does not apply to: p. Electronic Data Access Or Disclosure Of Confidential Or Personal Information And Data-related Liability Damages arising out of:

33 33 ISO Data Breach Exclusions (continued) (1) Any access to or disclosure of any person's or organization's confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information; or (2) Damages arising out of tthe loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate "electronic data" that does not result from physical injury to tangible property.... However, unless Paragraph (1) above applies, this exclusion does not apply to liability for damages because of "bodily injury".

34 34 ISO Data Breach Exclusions CG New heading Access Or Disclosure Of Confidential Or Personal Information And Data-Related Liability. Introduces issue of ambiguity concerning the contextual interpretation of exclusion. Intended application data breach or physical damage caused by cyber risk? New damages wording Patents, trade secrets, customer lists, financial information, credit card information. Introduces issue of ambiguity concerning exclusion of damages that do not necessarily arise from disclosure or publication of confidential, proprietary, financial information PII.

35 35 ISO Data Breach Exclusions (continued) Intent and focus of 2014 exclusions is on damages resulting from data breach/disclosure, not property damage, pollution, redrill/replacement, environmental remediation, bodily injury or death. Insurer has the burden of proving the application of an exclusion.

36 36 CL380 Exclusion INSTITUTE CYBER ATTACK EXCLUSION CLAUSE 1.1 Subject only to clause 1.2 below, in no case shall this insurance cover loss damage liability or expense directly or indirectly caused by or contributed to by or arising from the use or operation, as a means for inflicting harm, of any computer, computer system, computer software program, malicious code, computer virus or process or any other electronic system. 1.2 Where this clause is endorsed on policies covering risks of war, civil war, revolution, rebellion, insurrection, or civil strife arising therefrom, or any hostile act by or against a belligerent power, or terrorism or any person acting from a political motive, Clause 1.1 shall not operate to exclude losses (which would otherwise be covered) arising from the use of any computer, computer system or computer software program or any other electronic system in the launch and/or guidance system and/or firing mechanism of any weapon or missile. 10/11/03 CL380

37 37 CL380 Exclusion As a means for inflicting harm When and by whom is this determined? o In U.S. courts causation and/or intent is most often determined by the trier of fact jury or judge. o Under a liability policy, a duty to defend is often triggered by the claim wording and the policy wording 8 Corners Rule. o Usually, extrinsic evidence is not considered in determining if an insurer has a duty to defend.

38 38 CL380 Exclusion (continued) Insurer has the burden of proving the application of an exclusion. What if there is no finding that virus/code was sent for the purpose of inflicting harm?

39 39 CL380 Exclusion Malice is determined by trier of fact. Clear and convincing evidence. Higher standard than preponderance of evidence. Under a liability policy, the insurer s duty to defend may be determined before a finding or admission of malice. Contra proferentem favoring the insured. Webopedia, Wikipedia and Symantec provide references to malicious code that are broader than legally focused interpretation.

40 40 NMA 2914/NMA2915 Exclusions 1. Electronic Data Exclusion ELECTRONIC DATA Notwithstanding any provision to the contrary within the Policy or any endorsement thereto, it is understood and agreed as follows: a. This policy does not insure loss, damage, destruction, distortion, erasure, corruption or alteration of ELECTRONIC DATA from any cause whatsoever (including but not limited to COMPUTER VIRUS) or loss of use, reduction in functionality, cost, expense of whatsoever nature resulting therefrom, regardless of any other cause or event contributing concurrently or in any other sequence to the loss. * * *

41 41 NMA 2914/NMA2915 Exclusions (continued) b. However, in the event that a peril listed below results from any of the matters described in paragraph (a) above, this policy, subject to all of its terms, conditions and exclusions, will cover physical damage occurring during the policy period to property insured by this policy directly caused by such listed peril. Listed Perils Fire Explosion

42 42 What about ISO Conditional Exclusion of Terrorism? When is a cyber attack an act of terrorism? ISO CG Conditional Exclusion of Terrorism Relating to Disposition of Federal Terrorism Risk Insurance Act (TRIA)? Excludes coverage for any injury or damage caused by terrorism o Terrorism = commission or threat of an act that interferes with or disrupts an electronic communications, information or mechanical system.

43 43 What about ISO Conditional Exclusion of Terrorism? (continued) If one or more of following elements are involved in the act of terrorism o Radioactive, pathogenic, biological, poisonous or chemical materials. o Total insured property damages exceeds $25 million. o Bodily injury or death involving 50 or more persons.

44 Insurance Coverage for Cyber Risks in the Marine Sector - Path Forward Good(?) News 44 U.S. government is considering use of regulations, commercial, financial and legal incentives to: Encourage companies to implement measures to prevent cyber attacks. Encourage the creation of insurance programs to respond to cyber attacks. Asking for input from insurers.

45 Insurance Coverage for Cyber Risks in the Marine Sector - Path Forward Good(?) News (continued) Many marine and energy companies have sophisticated safeguards/systems to prevent cyber attacks. The marine and energy sector and the global insurance market have worked closely for years on conceptually challenging risks. 45 Existing risk assessment templates can be used to assess cyber risks/cyber attacks, require appropriate safeguards and provide reasonable coverage.

46 Insurance Coverage for Cyber Risks in the Marine Sector - Path Forward Bad(?) News 46 Insurance coverage for marine sector cyber attacks is still a nascent risk market. Unlike some other risks, cyber attacks continue to evolve at a rapid pace. Conceptually challenging risk scenarios and damage models involving multiple types of coverages and underwriting disciplines. Affordability of insurance products? Initial cybersecurity regulations may be undesirable if insureds and insurers do not engage in regulatory commenting process.

47 47 Special thanks to: Tony Cowie, Swiss Re Glenn Legge, Legge Farrow

48 48 Questions?

49 Contact Information Joseph G. Grasso David L. Hall

50 This presentation is a summary of legal principles. Nothing in this presentation constitutes legal advice, which can only be obtained as a result of a personal consultation with an attorney. The information published here is believed accurate at the time of publication, but is subject to change and does not purport to be a complete statement of all relevant issues.