Liability Management Evolving Cyber and Physical Security Standards and the SAFETY Act

Similar documents
The Cybersecurity Framework and the SAFETY Act a Primer for Temple Business School

The SAFETY Act: Providing Critical Liability Protections for Cyber and Physical Security Efforts

Field/Customer FAQs. What is the SAFETY Act?

CYBERSECURITY RISK MANAGEMENT

ENSURING SECURITY IN AND FACILITATING INTERNATIONAL TRADE. Measures toward enhancing maritime cybersecurity. Submitted by Canada SUMMARY

Maritime Insurance Cyber Security Framing the Exposure. Tony Cowie May 2015

JOINT EXPLANATORY STATEMENT TO ACCOMPANY THE CYBERSECURITY ACT OF 2015

NATIONAL STRATEGY FOR GLOBAL SUPPLY CHAIN SECURITY

Big Data As a Threat? An Alternative Approach to Cybersecurity

THE HUMAN FACTOR AT THE CORE OF FEDERAL CYBERSECURITY

DEPARTMENT OF HOMELAND SECURITY

Legislative Language

MARITIME CRITICAL INFRASTRUCTURE PROTECTION. DHS Needs to Better Address Port Cybersecurity

Cyber-Insurance Metrics and Impact on Cyber-Security

Exercising Your Enterprise Cyber Response Crisis Management Capabilities

HEALTH CARE AND CYBER SECURITY:

Executive Summary. Cybersecurity cannot be completely solved, and will remain a risk we must actively manage.

THE RISK OF CYBER-ATTACK TO THE MARITIME SECTOR

Cyber-Security Risk- IP Theft and Data Breaches Protecting your Crown Jewels Internally and with Your Key Third Parties

Managing Cyber Threats Risk Management & Insurance Solutions. Presented by: Douglas R. Jones, CPCU, ARM Senior Vice President & Principal

Security and Privacy

Cyber Risk: Global Warning? by Cinzia Altomare, Gen Re

CYBER SECURITY INDUSTRY GUIDELINES

DEPARTMENT OF HOMELAND SECURITY

Subject: Critical Infrastructure Identification, Prioritization, and Protection

High Level Cyber Security Assessment 2/1/2012. Assessor: J. Doe

Attachment A. Identification of Risks/Cybersecurity Governance

December 17, 2003 Homeland Security Presidential Directive/Hspd-7

MEASURES TO ENHANCE MARITIME SECURITY. Industry guidelines on cyber security on board ships. Submitted by ICS, BIMCO, INTERTANKO and INTERCARGO

Middle Class Economics: Cybersecurity Updated August 7, 2015

Experience the commitment WHITE PAPER. Information Security Continuous Monitoring. Charting the Right Course. cgi.com 2014 CGI GROUP INC.

Anatomy of a Hotel Breach

MSC Security Program Security in the Logistics Supply Chain

Cyber Insurance and Your Data Ted Claypoole, Partner, Womble Carlyle and Jack Freund, PhD, InfoSec Mgr, TIAA-CREF

Cyber Security Strategy

Cyber-insurance: Understanding Your Risks

OCIE CYBERSECURITY INITIATIVE

Cybersecurity in the maritime and offshore industry

Partnership for Cyber Resilience

Sharing Cybersecurity Threat Info With the Government -- Should You Be Afraid To Do So?

New York State Energy Planning Board. Cyber Security and the Energy Infrastructure

Statement for the Record. The Honorable Janet Napolitano. Secretary United States Department of Homeland Security

Cybersecurity The role of Internal Audit

Corporate Spying An Overview

DEPARTMENT OF HOMELAND SECURITY

v. 03/03/2015 Page ii

January IIA / ISACA Joint Meeting Pre-meeting. Cybersecurity Update for Internal Auditors. Matt Wilson, PwC Risk Assurance Director

Cybersecurity. Shamoil T. Shipchandler Partner, Bracewell & Giuliani LLP

EY Cyber Security Hacktics Center of Excellence

Cybersecurity: Considerations for Internal Audit. IIA Atlanta Chapter Meeting January 9, 2015

Water Sector Approach to Cybersecurity Risk Management

Ten Questions Your Board Should be asking about Cyber Security. Eric M. Wright, Shareholder

CYBER SECURITY Cyber Security for Canadian Directors in the Wake of Ashley Madison

DEPARMTMENT OF HOMELAND SECURITY AUTHORIZATION BILL FOR FY 2008 AND FY 2009 SECTION-BY-SECTION

Energy Cybersecurity Regulatory Brief

In an age where so many businesses and systems are reliant on computer systems,

Testimony of Matthew Rhoades Director Cyberspace & Security Program Truman National Security Project & Center for National Policy

CHAPTER 121 STORED WIRE AND ELECTRONIC COMMUNICATIONS AND TRANSACTIONAL RECORDS ACCESS

S. ll IN THE SENATE OF THE UNITED STATES

Keynote: FBI Wednesday, February 4 noon 1:10 p.m.

Cyber- Attacks: The New Frontier for Fraudsters. Daniel Wanjohi, Technology Security Specialist

Port of Long Beach 1249 Pier F Avenue Long Beach, CA (562)

MEDICAL DEVICE Cybersecurity.

Cybersecurity Awareness. Part 1

Cyber security Time for a new paradigm. Stéphane Hurtaud Partner Information & Technology Risk Deloitte

Cyberprivacy and Cybersecurity for Health Data

Myths and Facts about the Cyber Intelligence Sharing and Protection Act (CISPA)

Assessing the Effectiveness of a Cybersecurity Program

Risk and responsibility in a hyperconnected world: Implications for enterprises

GAO COMBATING TERRORISM. Observations on Options to Improve the Federal Response. Testimony

Cyber Security: Threat & The Maritime Environment Cyber Security: now byting the maritime industry

Testimony of PETER J. BESHAR. Executive Vice President and General Counsel. Marsh & McLennan Companies

Best Practices in ICS Security for System Operators. A Wurldtech White Paper

TEXAS HOMELAND SECURITY STRATEGIC PLAN : PRIORITY ACTIONS

Course Title: HSE-101 Introduction to Homeland Security Prerequisites: None Credit Hours: 3 lectures, 3 hours

EEI Business Continuity. Threat Scenario Project (TSP) April 4, EEI Threat Scenario Project

PROTECTING CRITICAL CONTROL AND SCADA SYSTEMS WITH A CYBER SECURITY MANAGEMENT SYSTEM

Cyber Warfare. Global Economic Crime Survey. Causes of Cyber Attacks. David Childers, CEO Compli Vivek Krishnamurthy, Foley Hoag LLP. Why Cybercrime?

Cyber Risks in the Boardroom

Transcription:

Liability Management Evolving Cyber and Physical Security Standards and the SAFETY Act JULY 17, 2014 2013 Venable LLP 1

Agenda 1. Security Risks affecting the Maritime Transportation System (MTS) 2. The SAFETY Act as an effective risk management tool 3. SAFETY Act coverage for physical security and cybersecurity practices 4. Questions 2

Importance of U.S. Ports to National Security and Economy Ports, waterways and vessels handle billions of dollars in cargo annually, and an attack on our nation s marine transportation system could have dire consequences. Ports are inherently vulnerable to terrorist attacks because of their size, general proximity to metropolitan areas, the volume of cargo being processed, and the ready access the ports have to transportation links into the United States. An attack on a large port could also have a widespread impact on the broader global supply chain... and the world economy. Statement of Stephen L. Caldwell Director, Homeland Security and Justice Before the Committee on Homeland Security and Governmental Affairs, U.S. Senate June 4, 2014 3

Security Risks affecting the MTS Physical security risks are well-documented (terrorist attacks on ports and vessels, piracy, etc.) Cyber-risks are less understood but are increasing in frequency and severity MTS is not currently subject to mandatory cybersecurity regulation, but increased regulation could be imminent Area, vessel, and facility security assessments all currently require consideration of radio and telecommunication systems, including computer systems and networks. This could become more prescriptive under the Maritime Transportation Security Act (MTSA) 4

IT Dependency Leads to Potential Vulnerability Per GAO, port owners and operators rely on several forms of information and communications systems to operate Terminal Operating Systems Industrial Control Systems (ICS) Business Operations Systems Access Control and Monitoring Systems Vessels rely on technologies such as GPS, marine Automatic Identification System (AIS), and Electronic Chart Display and Information System (ECDIS) These technologies are not always secure and can lead to attacks and compromises. 5

Examples of Technologies Used in Maritime Ports 6

Cyber Vulnerabilities Are Not Well Understood A 2013 Brookings report found that only 1 of 6 ports reviewed had conducted vulnerability assessments; none had an incident response plan. GAO reports that area maritime security plans (AMSPs) and facility security plans (FSPs) reviewed provided only limited consideration of cyber-risks Guidance for developing AMSPs and FSPs to be updated in 2014 to require basic considerations of cyber issues 7

The Cyber Threat is Real Per DHS, the severity of cyber-related threats has only recently been recognized Actual attacks show that cyber-attacks are not merely hypothetical Antwerp port hack Oil rig attacks Attacks on ships facilitated by data resulting from hack Known vulnerabilities in ICS, GPS, AIS, and ECDIS could soon be exploited by threat actors (terrorists, organized crime, hacktivists, etc.) 8

Port of Antwerp A Case Study From 2011 to 2013, drug traffickers concealed an unknown quantity of heroin and cocaine with street value of over $210 million inside shipping containers Traffickers recruited computer hackers to infiltrate IT systems at Port of Antwerp that controlled the movement and location of containers Hackers e-mailed malware to staff at the Port that enabled hackers to get remote access; when malware discovered and removed, traffickers broke into offices and installed data interception hardware and key loggers Armed with this information, traffickers located the containers, sent in drivers to pick them up, and erased the data to cover their actions 9

Stakes Are High Economic impact of a successful attack could be substantial. Per GAO, U.S. maritime ports handle more than $1.3 trillion in cargo annually Cyber attacks against oil and gas infrastructure alone will cost energy companies close to $1.9 billion by 2018 Some attacks could also result in loss of life and/or environmental catastrophe 10

Why Worry About Cyber in the Absence of Explicit Regulation? Lawsuits Negligence Breach of contract Shareholder Regulatory enforcement actions Criminal actions Share price considerations for public companies Not to mention first party costs to contain reputational harm, etc. 11

The SAFETY Act The SAFETY Act (Support Anti-Terrorism by Fostering Effective Technologies Act) Enacted as part of the Homeland Security Act of 2002, Public Law 107-296 (Title VIII, Subtitle G, Secs. 861-65) Implementing regulation at 6 C.F.R. Part 25 Intended to encourage the development and deployment of anti-terrorism technologies by creating systems of risk and litigation management Technologies include: Products, devices, equipment Services both supporting and stand alone services Cyber-related items Information technologies and networks Integrated Systems 12

Scope of the Act Applies to an act of terrorism, which is may include cyber terrorism An act of terrorism is defined by DHS as: Unlawful Causes harm, including financial harm, to a person, property, or entity, in the United States ; and Uses or attempts to use instrumentalities, weapons or other methods designed or intended to cause mass destruction, injury or other loss to citizens or institutions of the United States Includes attacks committed by domestic terrorists May include attacks on foreign soil, if harm is to a person, property or entity in the United States 13

Levels of SAFETY Act Protection Certification High degree of confidence in continued effectiveness Designation Proven effective Developmental, Testing and Evaluation Designation ( DTED ) Additional evidence needed to prove effectiveness 14

Benefits of Protections Certification - All the benefits of Designation - Government Contractor Defense Designation - Liability cap at a pre-determined insurance level - Exclusive jurisdiction in Federal court - Consolidation of claims - No joint and several liability for noneconomic damages - Bar on noneconomic damages unless plaintiff suffers physical harm - No punitive damages and prejudgment interest - Plaintiff s recovery reduced by collateral sources DTED - Same as Designation, but for a shorter duration (3 yrs) 15

Obtaining SAFETY Act Protections The Applicant s Role Internal Assessment of Technology - Document -Enhance Prepare Application Submit Application to OSAI Completeness Review (30 days) OSAI/DHS s Process Technical & Economic Review / Requests for Information DHS Decision OSAI/DHS Review Time = 120 days (total) 16

SAFETY Act Coverage of Physical and Cyber Security Plans SAFETY Act covers products and services that a seller provides to others and itself, i.e. its own physical and cybersecurity programs. Covered entities are encouraged to base their programs on accepted standards, particularly in the cyber context, in order to: Provide a baseline against which practices can be compared for purposes of application Corroborate that the plan is effective and otherwise reasonable 17

Choosing the Right Standard In most instances, entities will have an array of guidelines, standards, and frameworks from which to choose. Main criteria is reputation and wide level of acceptance Often indicated by ANSI accreditation, propagation by trusted sources, etc. In some cases, regulations may be used as the basis for a program 18

The NIST Cybersecurity Framework In the cyber context, implementation of the NIST Cybersecurity Framework is highly encouraged as part of the program sought to be covered by the SAFETY Act. Developed per direction of EO 13636 Emphasizes risk management Flexible and scalable Relies on existing standards, guidelines and other resources to achieve desired security outcomes. 19

The Framework is a Good Fit for MTS OSAI is part of DHS, which is responsible for the voluntary program associated with Framework (C-Cubed) Coast Guard strongly encourages review of Framework in ALCOAST 122/14 and is seeking feedback on its applicability to the MTS. FEMA s 2014 Port Security Grant Program guidance encourages applicants to propose projects to assist in implementing Framework 20

SAFETY Coverage Makes Business Sense Even in the absence of an act of terrorism, the SAFETY Act provides numerous benefits: Lower insurance premiums Gov. approval of security program can serve as a defense against lawsuits Gov. seal of approval can be a boon in the marketplace By purchasing SAFETY covered technologies/services, entities can also receive additional liability protections. 21

Questions? 22

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information