Cyber Risk and the Utility Industry




Imran Ahmad Lawyer, Cassels Brock & Blackwell LLP

Canadian Legal Landscape: Personal Information Protection and Electronic Documents Act (PIPEDA)
Federal legislation that governs the collection, use and disclosure of personal information
PIPEDA applies in all provinces except Quebec, BC and Alberta, where substantially similar privacy laws have been enacted
PIPEDA applies to all organizations that handle personal information in the course of their commercial activities
Certain provinces have health-specific privacy laws

Canadian Legal Landscape: PIPEDA
Personal Information includes any factual or subjective information, recorded or not, about an identifiable individual
Includes age, name, ID numbers, income, ethnic origin, medical records, credit records, etc.
Does not include an employee's name, title, business address, or phone number; use of information for personal purposes; information collected by federal or provincial government organizations under the Privacy Act, etc.

Canadian Legal Landscape: Digital Privacy Act
The Digital Privacy Act came into force on June 18, 2015 and amends PIPEDA in important ways
Requires mandatory reporting of security breaches by organizations
Maximum fines of $100k for failure to report a breach
Allows organization-to-organization disclosure of personal information for investigating breaches
The mandatory breach reporting regime is not yet in force

Cybersecurity in Canada
On July 22, 2015, the Government of Canada allocated an additional $142.6 million over five years towards Canada's Cyber Security Strategy
Economic Action Plan 2015 proposes to provide $94.4 million over the next five years to protect Canada's essential cyber systems and critical infrastructure

Cybersecurity in Canada: Action Plan for Critical Infrastructure, A Renewed Action Plan (2014-2017)
Strategic Objectives:
1. Sustain and enhance partnerships
2. Share and protect information
3. Implement an All-Hazards Risk Management Approach

Cyber-Security Policy
"Collaboration and information-sharing with critical infrastructure sectors and private sector partners is our best defence to protect our essential cyber systems." Hon. Steven Blaney, Minister of Public Safety and Emergency Preparedness, July 22, 2015

Canada: A Target for Cyber Threats
Canada has been involved in contentious international issues, potentially raising the risk of cyber attack:
Sanctions on Russian entities and individuals in response to the Ukrainian conflict
Active in US-led air operations to counter ISIS in Syria and Iraq
Criticism of China for alleged involvement in cyber attacks and cyber spying

US Approach to Cybersecurity
Legislative changes:
Protecting Cyber Networks Act passed in the House of Representatives in April 2015
Cybersecurity Information Sharing Act goes before the Senate for a vote in September 2015
Existing law: Federal Information Security Management Act (2002), Homeland Security Act (2002), Federal Trade Commission Act, Cyber Security Research and Development Act (2002)
Executive Order 13636 of Feb. 12, 2013: Improving Critical Infrastructure Cybersecurity
NIST Framework for Improving Critical Infrastructure Cybersecurity, 2014
Department of Homeland Security: responsible for protection of critical infrastructure, information technology, and communication networks
National Cybersecurity and Communications Integration Center (NCCIC)

2015 US State of Cybercrime Survey
Survey of 500 executives from US businesses, law enforcement services, and government agencies
Co-sponsored by PwC, CSO, the CERT Division of the Software Engineering Institute at Carnegie Mellon University, and the United States Secret Service
79% of respondents said they detected a security incident in the past 12 months
76% of respondents said they are more concerned about cybersecurity this year than in the previous 12 months

2015 US State of Cybercrime Survey Source: PwC, US cybersecurity: Progress Stalled: Key findings from the 2015 US State of Cybercrime Survey, July 2015, www.pwc.com/cybersecurity.


The Utilities Sector
According to data from the Department of Homeland Security, more than 50% of investigated cyber incidents from October 2012 to May 2013 occurred within the energy sector
"Specifically at risk are power and utility companies, which provide heat and electricity to homes and businesses across the US." Insurance Business America Magazine, August 14, 2015

Data Breach Statistics
Over 1 billion data records were compromised globally in 2014 (Gemalto, February 12, 2015)
348 million identities exposed as a result of data breaches in 2014 (Symantec, April 2015)
Hope for the best but prepare for the worst: having a plan in place and a team capable of implementing it can be of crucial importance

Canadian Cyber Incident Response Centre: Mitigation Strategies
1. Use application whitelisting to help prevent malicious software and unapproved programs from running
2. Patch applications such as Java, PDF viewers, Flash, web browsers and Microsoft Office
3. Patch operating system vulnerabilities
4. Restrict administrative privileges to operating systems and applications based on user duties
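The first CCIRC strategy, application whitelisting, rests on a simple mechanism: an allowlist of approved programs identified by a cryptographic hash of their contents, against which anything that tries to run is checked. The following Python script is an added illustration of that mechanism and is not code from CCIRC or from the presenters; the file names and contents are constructed, and the audit function stands in for the enforcement point a real product (AppLocker, SELinux, a kernel module) would provide. It shows the three outcomes a defender cares about: an approved program, an approved program whose contents changed after the allowlist was built, and a program that was never approved.

```python
import hashlib
import os
import tempfile


def build_manifest(files):
    """files maps an executable path to its approved contents; returns path -> SHA-256 hex.
    In practice the manifest is built from a gold image and distributed read-only."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def sha256_of_file(path):
    """Stream a file through SHA-256 so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def classify(path, manifest):
    """'allowed' if the file matches its approved hash, 'modified' if it is listed
    but its contents changed on disk, 'unlisted' if it is not in the allowlist."""
    expected = manifest.get(path)
    if expected is None:
        return "unlisted"
    return "allowed" if sha256_of_file(path) == expected else "modified"


def audit(directory, manifest):
    """Classify every regular file in a directory; returns {path: status}.
    A whitelisting enforcement point would block anything that is not 'allowed'."""
    results = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            results[path] = classify(path, manifest)
    return results


def demo():
    """Constructed scenario (hypothetical file names and contents): two approved
    programs, one of which is altered after approval, plus one never-approved program.
    Returns a sorted list of (file name, status) pairs."""
    with tempfile.TemporaryDirectory() as workdir:
        approved = {
            os.path.join(workdir, "meter_reader"): b"#!/bin/sh\necho reading meters\n",
            os.path.join(workdir, "scada_poller"): b"#!/bin/sh\necho polling RTUs\n",
        }
        manifest = build_manifest(approved)  # allowlist built from the approved contents
        for path, data in approved.items():
            with open(path, "wb") as fh:
                fh.write(data)
        # An approved program is modified after the manifest was built.
        with open(os.path.join(workdir, "scada_poller"), "ab") as fh:
            fh.write(b"echo unexpected\n")
        # A program that was never approved appears on the host.
        with open(os.path.join(workdir, "unapproved_tool"), "wb") as fh:
            fh.write(b"#!/bin/sh\necho not approved\n")
        results = audit(workdir, manifest)
        return sorted((os.path.basename(p), status) for p, status in results.items())


if __name__ == "__main__":
    for name, status in demo():
        print(f"{name}: {status}")
```

Hash-based allowlisting is the form that resists the obvious evasions of path- or name-based rules: a tampered binary at an approved path no longer matches, and a new file is denied by default rather than needing a signature that recognises it. The cost is operational, since every legitimate patch (CCIRC strategies 2 and 3) changes hashes and the manifest must be rebuilt as part of the patch process.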

Dawn R. Simmons Vice President, Underwriting Cyber AEGIS Insurance Services, Inc.

AEGIS Cyber Product Strategy
Transition of cyber portfolio from Syndicate to mutual, July 1, 2015
Underwriting team dedicated to AEGIS members: Dawn Simmons, Vice President; Ho-Tay Ma, Underwriting Officer
Improve consistency in underwriting, pricing, and coverage for our members
Rollout of CyberResilience+ policy form with additional clarifications

AEGIS Underwriting Process
AEGIS questionnaire and conference call approach
AEGIS has partnered with Cylance to develop a customized evaluation process for our members
The Cylance team has in-depth knowledge of and experience in the critical infrastructure industry

Cyber Coverage Spectrum for Power & Utility Clients (chart: Power & Utility Cyber Exposures plotted against the Cyber Coverage Spectrum and the Complexity of Insurance Solutions)
Exposures listed:
Data / privacy breach 1st party costs
Data / privacy breach 3rd party liability
IT security breach liability
Privacy regulatory investigations cost
Cyber extortion
Cyber terrorism
OT security liability
Security breach regulatory investigations (IT or OT)
Business interruption (IT or OT)
Contingent BI (critical vendors)
Physical damage
Extended regulatory shutdown
Chart bands: Commonly addressed; Tailored solutions; Evolving solutions

AEGIS Cyber Resilience Product Overview
Traditional Cyber:
IT Security and Privacy Liability for both 1st party remediation costs and 3rd party liability
Privacy Regulatory Action
Data Restoration
IT Business Income / Extra Expense
Physical Damage excluded
Cyber Terrorism / Cyber Warfare
CyberResilience+:
Extend coverage to include Operational Technology
Failure to supply
Security breaches in addition to privacy related
FERC, NERC, & NRC fines and penalties where insurable
Coverage triggers: software programming errors; natural disasters
Extended coverage triggers
Critical Vendor Coverage
Failure to Supply
Options for DIC / Wrap Coverage: Bodily Injury / Property Damage
Exclusion limited to physical war

AEGIS Cyber Advantage
Provide best-in-class coverage tailored for the energy sector
$50 million in dedicated capacity to AEGIS members
Dedicated risk service partners with industry knowledge and expertise to serve AEGIS members
Access to AEGIS erisk Hub for loss control and risk management services

Ho-Tay Ma Underwriting Officer Cyber AEGIS Insurance Services, Inc.

Data Breach Best Practices
When? Pre-Breach
Best Practice:
Build cyber monitoring team
Test security measures
Educate and train employees
Address supply chain risks
Cyber insurance coverage
Prepare a response plan

Policy Services: AEGIS eriskhub
Incident Roadmap
AEGIS Vendor Partners
News Center
Learning Center
Security Training
Risk Manager Tools

Data Breach Best Practices
When? During/Post-Breach
Best Practice:
Implement response plan
Quarantine the breach
Assess the damage
Determine the source
Preserve the crown jewels
Evaluate ongoing risk
Coordinate with legal counsel

Claims Plan
Notify your carrier
Notify legal counsel
Utilize a Data Breach Coach
Review of law and duties
Navigate the jurisdictional requirements
Notice to governmental authorities
Manage public relations

Claims Resources
Depending on the breach, the following services may be required:
Notice Fulfillment
Forensic Expense
Credit Monitoring
Identity Monitoring
Data Asset Restoration
Public Relations

Claim Scenario: Data Breach
Situation: A disgruntled employee seeks to harm their employer by stealing credit card data via an unprotected USB outlet. The employee successfully downloads personal information on 1M households.
Potential policy triggers:
3rd party damages and related defense costs
1st party remediation services
Data asset restoration
PCI fines and penalties
Loss and reputation mitigation

Claim Scenario: Data Breach (Target Data Breach)
Situation: In Q4, malware was inserted into the point-of-sale system and approximately 40 million credit/debit cards were stolen
As of 1/31/15, Target recorded $252M in pretax data breach related expenses, partially offset by $90M in expected insurance proceeds
$67M settlement with VISA in August 2015
Source: Target Corporation, 2014 Annual Report.

Claim Scenario: Operational Technology
Situation: Wanting to test the critical infrastructure security of a power generator, a rogue state transfers malicious code via a robust social engineering scheme and causes system-wide failures
Policy triggers:
3rd party damages and related defense costs
1st party remediation services
Failure to supply
Business Interruption
Data asset restoration
PCI fines and penalties
Loss and reputation mitigation

Claim Scenario: Operational Technology
Source: Meserve, Jeanne. "Staged cyber attack reveals vulnerability in power grid." Online video clip. YouTube, 27 Sept. 2007.

Claim Scenario: Operational Technology (EurActiv breach)
Situation: A denial of service attack was sent from an unknown source and was followed by a botnet
The Internet domain was blocked for a few hours and all email/connectivity from the internet was blocked
Electricity supplies were not affected
Source: Neslen, Arthur. "European renewable power grid rocked by cyber-attack." EurActiv.com, 10 December 2012.

Questions?
Imran Ahmad, Lawyer, Cassels Brock & Blackwell LLP. Business Phone: (416) 860-6578. Email: iahmad@casselsbrock.com
Greg Eskins, Marsh & McLennan. Business Phone: (416) 868-2768. Email: Gregory.Eskins@marsh.com
Dawn R. Simmons, AEGIS Insurance Services, Inc. Business Phone: (201) 508-2629. Email: DawnSimmons@aegislimited.com
Ho-Tay Ma, AEGIS Insurance Services, Inc. Business Phone: (201) 508-2671. Email: Ho-TayMa@aegislimited.com

This document and the information in it are for illustration only and do not constitute legal advice. The information is subject to changes in the law and the interpretation thereof. This document is not a substitute for legal or other professional advice. Users should consult legal counsel for advice regarding the matters discussed herein.