willistowerswatson.com
© 2019 Willis Towers Watson. All rights reserved.
Cyber Risks, an Oil & Gas industry problem?
2019 Latin American Oil & Gas Risks Seminar | Rio de Janeiro, Brazil
June 11th, 2019
Marcela Visbal, Regional Cyber Leader, Latam WTW
What we have heard about Cyber Risk
Threats to computer systems:
▪ Malicious attack
▪ Non-malicious attack (e.g. human error)
▪ Security system failure

Impact:
▪ Breach/disclosure of confidential information (personal & corporate information)
▪ Interruption/disruption of computer systems (owned or third party)
▪ Financial and reputational harm
▪ Claims from third parties

Potential outcomes:
▪ Third party legal proceedings
▪ Regulatory investigation & defence costs
▪ Incident response costs
▪ Regulatory fines
▪ Business interruption: loss of net profit
▪ Business interruption: increased costs of working
▪ Data loss and unusable computer systems
▪ Ransom payments
▪ First party financial loss
Is Cyber Risk only related to Privacy?
Cyber risk is not only a privacy problem. It covers:
▪ Loss of data
▪ Computer systems
▪ Third party claims
▪ Fines and penalties
▪ Investigations
Are Cyber Risks a threat to the Oil & Gas industry?
Cyber risks: are they a threat? The sources of cyber risk include:
▪ System failure
▪ Hackers
▪ Hacktivists
▪ Negligence
▪ Errors
▪ Extortion
▪ Malicious insider
Global Cyber Incidents (global view)
Data breach & malware: Korea Hydro & Nuclear Power Corporation (Dec 2014)
The attackers sent 5,986 phishing emails containing malware to 3,571 KHNP employees between December 9 and 12, 2014. South Korea blamed North Korea for the breach, in which 94 items of data were leaked.

Malicious insider / privilege misuse (Jan 2015)
A former employee of the US Department of Energy was charged with trying to steal and sell US nuclear secrets to foreign governments. Charles Harvey Eccleston was sentenced to 18 months for an attempted e-mail "spear-phishing" attack in January 2015 that targeted dozens of DOE employee e-mail accounts.

British Gas data breach (October 2015)
Email addresses and passwords of 2,200 of its customers appeared online. British Gas was adamant that this was not an internal leak but a breach/security failure.

Stuxnet worm attack on Iranian nuclear facilities (2010)
Over 15 facilities were attacked and infiltrated by the Stuxnet worm. The attack was initiated through an employee's USB drive. One of the affected industrial facilities was the Natanz nuclear facility. Although Iran has not released specific details regarding the effects of the attack, it is currently estimated that the Stuxnet worm destroyed 984 uranium-enrichment centrifuges.

Ohio nuclear power plant virus (2003)
A Slammer worm infection took the safety monitoring system offline for 8 hours. Fortunately, the plant was already offline for maintenance, and the secondary backup monitoring system was unaffected by the worm.

Russia gas extraction company (2000)
Hackers gained control of gas pipelines. Through access to the switchboard, the flow of individual gas pipelines could have been modified, which could have caused widespread disruption.
Industrial Internet of Things (IIoT)
Technology now allows entire oil and gas networks to be operated remotely, but connecting that infrastructure via the internet has also opened the door for hackers and computer viruses to target anything from refineries to pipelines.
Cyber risks go beyond privacy and data protection.
Industrial Control Systems are also vulnerable: OT under risk
▪ Increased connectivity between IT and OT.
▪ Legacy industrial control systems: new systems are built on top of legacy systems, which may result in outdated protection measures and unknown vulnerabilities.
▪ The automation of Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems opens up the potential for an attacker to take over key equipment and systems, with the ability to cause devastation to operations.
▪ An attack on energy infrastructure has the potential to cross over into the physical world.
▪ Dependence on the network to operate.
▪ Oil & Gas is a target industry because of its economic relevance.
So, what's next?

Identification
▪ What are your critical digital assets (data, applications, industrial control systems)?
▪ Where are they located, and who has access to them?

Protection
▪ How are you protected?
▪ Be aware of your security controls
▪ Not only cyber security, also physical security
▪ Have a BCP and a DRP, and test them

Training
▪ Human risk is a big issue to worry about; be sure to train your employees

Understand
▪ Understand your current insurance program
▪ Know that you can have gaps, or silent cyber coverages
▪ Be aware of the affirmative risk you will transfer

Transfer
▪ After identifying your risk, knowing and understanding your protections, training your employees and having a global look at your insurance program: get a cyber risk policy.
Understand your current insurance program: watch out for silent cyber
▪ Silent cyber: a policy that is silent on cyber can lead to an uncertain or disputed response.
▪ Exclusions may partially or completely prevent response:
  ▪ CL-380
  ▪ NMA 2914/2915
  ▪ Cyber terrorism exclusion
  ▪ War exclusion: "Loss or damage caused by hostile action in time of peace..."
▪ Property and Casualty: most likely to have a silent cyber cover, but affirmative exclusions can still be found.
▪ Other:
  ▪ D&O: not likely to have exclusions, but affirmative cover for Brazil's Data Protection Law is suggested.
  ▪ Crime: not likely to have exclusions.
Standard Cyber Solution (Transfer)

Third Party
▪ Network Security Liability
▪ Privacy Liability
▪ Multimedia Liability
▪ Notification costs

First Party
▪ Network Interruption
▪ Data Restoration Costs
▪ Cyber extortion

Expenses
▪ Forensic Costs
▪ Legal Expenses
▪ Reputational Harm
Updated Cyber Solutions for Oil & Gas Industry (Transfer)
❖ Affirmative coverage, in the cyber policy, for damage to physical property caused by a cyber peril. Usually achieved through a buy-back of the exclusions.
❖ Covering business interruption from physical and non-physical events.
❖ Revised wording so that definitions refer to business operations, not just the computer network.
❖ Coverage for loss of income and expense due to a system failure (administrative failure, not just security failure).
Updated Cyber Solutions for Oil & Gas Industry (Transfer, continued)
❖ Extended coverage to include loss of income and expense due to a security failure or system failure of a third-party provider.
❖ Broadened terrorism coverage to affirmatively cover cyber terrorism (the war exclusion should be reviewed).
❖ A franchise deductible provision can be negotiated to obtain a wider business interruption cover.
❖ Loss of profit due to reputational damage.
And don't forget... RECOVERY!

Security: improve your security
▪ Identify
▪ Protect
▪ Trainings

Transfer: transfer your risk with a cyber policy that adjusts to your needs
▪ Include updated coverages for the Oil & Gas industry

Recovery: be aware of how your company will react
▪ Claims protocol
▪ Forensic experts
▪ Legal advice
▪ Reputational damage advice
▪ General experts
Thank you