As we and our sister blogs have previously reported (see here, here, and here), the New York State Department of Financial Services enacted Cybersecurity Requirements for Financial Services Companies, 23 NYCRR 500, on March 1, 2017. The first certification of compliance with this regulation is due today, February 15, 2018.
In today’s interconnected society, a cyber breach is inevitable. For energy companies in particular, the threat is even more acute as cybersecurity improvements lag behind the rapid digitalization of oil and gas operations. One recent cybersecurity report stated that 68% of respondents reported that their organization experienced at least one cyber compromise. And, just last week, it was disclosed that hackers used sophisticated malware, called “Triton,” to take control of a key safety device at a power plant in Saudi Arabia. Find our analysis of this latest attack on the blog here.
In what has been described as a “watershed” cyber incident, hackers recently used sophisticated malware—dubbed Triton—to take control of a key safety device installed at a power plant in Saudi Arabia. One of the few confirmed hacking tools designed to manipulate industrial control systems, this new breach is part of a growing trend in hacking attempts on utilities, production facilities, and other critical infrastructure in the oil and gas industry. The Triton malware attack targeted the Triconex industrial safety technology made by Schneider Electric SE. The attack underscores the importance of mitigating this and other similar risks through cyber and other traditional liability insurance as part of a comprehensive cybersecurity program.
The U.S. District Court for the Middle District of Florida, in Innovak International v. The Hanover Insurance Co., recently granted summary judgment in favor of Hanover Insurance Company, finding that it had no duty to defend Innovak against a data breach lawsuit. Innovak, a payroll service, suffered a breach of employee personal information, including social security numbers. The employees then filed suit against Innovak alleging it had negligently created software that allowed personal information to be accessed by third parties. Innovak sought a defense for the lawsuit from its commercial general liability carrier, Hanover Insurance Company. Innovak argued that the employees’ allegations triggered the personal and advertising injury coverage part of the policy, which covers loss arising out of the advertising of the policyholder’s goods or services, invasion of privacy, libel, slander, copyright infringement, and misappropriation of advertising ideas. The court disagreed and found that the employees’ allegations did not involve a publication that would trigger coverage under the commercial general liability policy.
In a recent brief filed in the Sixth Circuit, American Tooling Center, Inc. argued that the appellate court should reverse the district court’s decision finding no insurance coverage for $800,000 that American Tooling lost after a fraudster’s email tricked an employee into wiring that amount to the fraudster. As we previously reported here, the district court found the insurance policy did not apply because it concluded that American Tooling did not suffer a “direct loss” that was “directly caused by computer fraud,” as required for coverage under the policy. The district court pointed to “intervening events” like the verification of production milestones, authorization of the transfers, and initiating the transfers without verifying the bank account information, and found that those events precluded a “finding of ‘direct’ loss ‘directly caused’ by the use of any computer.”
Insurance giant Allianz Global Corporate & Specialty S.E. announced yesterday that it has launched a blockchain prototype for a global captive insurance program. The project focuses on professional indemnity and property insurance for a customer with a captive insurance program with local subsidiaries in the U.S., China and Switzerland. Captive programs are complex programs used frequently by multinational organizations to self-insure their risks. These organizations create their own self-insurance programs, or ‘captives,’ which aggregate assets or insurance exposures from their global operations. The programs collect premiums from each operating unit much like an ordinary insurer. The captive entity likewise pays out claims as they arise. Allianz administers the captive insurer as a “fronting insurer,” using the insurer’s diverse multi-national network to ensure global reach and compliance. Blockchain technology automatically connects all parties involved in the insurance program by using its distributed ledger technology, which is shared among all program participants and can record transactions and data entries. Updates and changes to the data are shared in real-time across all users. This creates a much faster, transparent, secure and efficient means of distributing information, conducting business processing and recording transactions across multiple parties.
A recent article published by Securityroundtable.org highlights the vulnerabilities businesses face in a world of e-commerce and interconnectivity, and how proper planning through a tailored cybersecurity program that includes – among other components – appropriate insurance coverage for cyber risks can help prevent a successful attack and mitigate the financial impact should one occur. Whether the issue is prevention or risk mitigation, cybersecurity should be at the top of the corporate agenda. As discussed in the Securityroundtable.org article, Lisa Sotto, chair of the global privacy and cybersecurity practice of Hunton & Williams, explained at a recent briefing and crisis planning exercise in New York City that “it’s been a complete revolution. The cyber environment has just exploded…We could not have predicted this five years ago. There is no question that cybersecurity is a top priority for C-suites and boards. It is now recognized as a basic risk issue by every company.” Walter Andrews, chair of the insurance coverage practice at Hunton & Williams, addressed the insurability of cybersecurity risks, explaining that, “we’ve seen a sea change in a lot of areas in the last two years…There will always be liability no matter what, but cyber insurance has gone from a product a few companies acquired to one held by almost all. In fact, today regulators and boards require it.” For a recap of the entire briefing and crisis planning exercise, see the full Securityroundtable.org article, which can be found here.
In its third quarter report, insurer Beazley reported a nine-fold increase in social engineering attacks (i.e., deception-based fraud/crime) as compared to the same time last year. So far, the majority of social engineering attacks in 2017 were focused on the professional services sector (18%), followed by financial institutions (9%), higher education (9%) and healthcare (3%). The report also notes continued high rates of unintended disclosure via employee negligence across all sectors (29%), second only to affirmative hacking or malware attacks (34%).
Last week Bloomberg Law launched an online “cyber insurance suite” authored by Hunton attorneys Walter J. Andrews, Sergio F. Oehninger, and Patrick M. McDermott. The online suite, available here and to Bloomberg subscribers, covers all aspects of cyber insurance, including identifying the major cyber risks and liabilities, applying for and obtaining cyber insurance coverage, and submitting claims under cyber coverages. It also contains an overview of case law evaluating coverage for cyber liabilities under traditional insurance policies and under cyber-specific insurance policies. Hunton will regularly update the suite as the risks, coverages, and law continue to develop.