Cyber Risks, an Oil & Gas industry problem?

2019 Latin American Oil & Gas Risks Seminar | Rio de Janeiro, Brazil

June 11th, 2019

Marcela Visbal, Regional Cyber Leader, Latam WTW

willistowerswatson.com

© 2019 Willis Towers Watson. All rights reserved.


What we have heard about Cyber Risk


Threats to computer systems

▪ Malicious attack
▪ Non-Malicious attack (e.g. Human error)
▪ Security System failure

Impact

▪ Breach/disclosure of confidential information (personal & corporate information)
▪ Interruption/disruption of computer systems (owned or third party)

Potential Outcomes

Financial and reputational harm

Claims from third party

▪ Third party legal proceedings
▪ Regulatory investigation & defence costs
▪ Incident response costs
▪ Regulatory fines
▪ Business Interruption: Loss of net profit
▪ Business Interruption: Increased costs of working
▪ Data loss and unusable computer systems
▪ Ransom payments
▪ First party financial loss


Is Cyber Risk only related to Privacy?


Cyber Risk?

▪ Loss of Data
▪ Computer Systems
▪ Third party Claims
▪ Fines and Penalties
▪ Investigations


Are Cyber Risks a threat to the Oil & Gas industry?


Are they?

CYBER RISKS

▪ SYSTEM FAILURE
▪ HACKERS
▪ HACKTIVISTS
▪ NEGLIGENCE
▪ ERRORS
▪ EXTORTION
▪ MALICIOUS INSIDER


Global Cyber Incidents

Global view


Data Breach & Malware: Korea Hydro & Nuclear Power Corporation (Dec 2014)

The attackers sent 5,986 phishing emails containing malware to 3,571 KHNP employees between December 9 and 12, 2014. South Korea blamed North Korea for the data breach of the 94 items.

Malicious Insider/Privilege misuse (Jan 2015)

Former employee of the US Department of Energy charged with trying to steal and sell US nuclear secrets to foreign governments. Charles Harvey Eccleston was sentenced to 18 months for an attempted e-mail “spear-phishing” attack in January 2015 that targeted dozens of DOE employee e-mail accounts.

British Gas Data Breach (October 2015)

Email addresses and passwords of 2,200 of its customers appeared online. British Gas were adamant that this was not an internal leak but instead a breach/security failure.

Stuxnet Worm Attack on Iranian Nuclear Facilities (2010)

Over 15 facilities were attacked and infiltrated by the Stuxnet worm. The attack was initiated by an employee’s USB drive. One of the affected industrial facilities was the Natanz nuclear facility. Although Iran has not released specific details regarding the effects of the attack, it is currently estimated that the Stuxnet worm destroyed 984 uranium enriching centrifuges.

Ohio Nuclear Power Plant Virus (2003)

A Slammer worm infection took the safety monitoring system offline for 8 hours. Fortunately, the plant was already offline due to maintenance and the secondary backup monitoring system was unaffected by the virus.

Russia Gas Extraction Company (2000)

Hackers gained control of gas pipelines. Through access to the switchboard, the flow of individual gas pipelines could have been modified and could have caused widespread disruption.


Technology now allows entire oil and gas networks to be operated remotely, but connecting that infrastructure via the internet has also opened the door for hackers and computer viruses to target anything from refineries to pipelines.

Industrial Internet of Things (IIOT)

Cyber Risks go beyond privacy and data protection


Industrial Control Systems are also Vulnerable

OT under Risk

Increased connectivity between IT and OT

Legacy industrial control systems: New systems are built on top of legacy systems, and this may result in outdated protection measures and unknown vulnerabilities.

The automation of Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems opens up the potential for an attacker to take over key equipment and systems with the ability to cause devastation to operations.

An attack on energy infrastructure has the potential to cross to the physical world.

Dependence on the network to operate

Oil & Gas: target industry, due to its economic relevance.


So, what's next?


Identification

▪ What are your critical digital assets (data, applications, industrial control systems)?
▪ Where are they located & who has access to them?

Protection

• How are you protected?
• Be aware of your security measures
• Not only cyber security, but also physical security
• Have a BCP and a DRP and test them

Training

▪ Human risk is a big issue to worry about; be sure to train your employees

Understand

▪ Understand your current insurance program
▪ Know that you can have gaps, or silent cyber coverages.
▪ Be aware of the affirmative risk you will transfer

Transfer

▪ After identifying your risk, knowing and understanding your protections, training your employees and having a global look at your insurance program: get a cyber risk policy,


Understand your current insurance program

Watch out for silent cyber

▪ Silent Cyber: Silence on cyber can lead to uncertain or disputed response
▪ Exclusions may partially or completely prevent response:
  ▪ CL-380
  ▪ NMA-2914/15
  ▪ Cyber Terrorism exclusion
  ▪ War exclusion: “Loss or damage caused by hostile action in time of peace…”

Understand

Property:

Casualty: Most likely to have silent cyber cover, but affirmative exclusions can still be found.

Other:

D&O: Not likely to have exclusions, but it's suggested to have affirmative cover for Brazil's Data Protection Law

Crime: Not likely to have exclusions.


Standard Cyber Solution

Transfer

Third Party

▪ Network Security Liability
▪ Privacy Liability
▪ Multimedia Liability
▪ Notification costs

First Party

• Network Interruption
• Data Restoration Costs
• Cyber extortion

Expenses

▪ Forensic Costs
▪ Legal Expenses
▪ Reputational Harm


Updated Cyber Solutions for Oil & Gas Industry


Transfer

Solution

❖ Affirmative coverage for damage to physical property caused by a cyber peril, in the cyber policy. Usually through a buy back of the exclusions.
❖ Covering Business interruption from Physical and Non-physical events.
❖ Revised wording definitions to cover business operations, not just the computer network
❖ Coverage for loss of income and expense due to a system failure (administrative, not just security failure)


Updated Cyber Solutions for Oil & Gas Industry


Transfer

Solution

❖ Extended coverage to include loss of income and expense due to a security failure or system failure of a 3rd party provider.
❖ Broadened Terrorism coverage to affirmatively cover cyber terrorism (War exclusion should be reviewed).
❖ A franchise deductible provision can be negotiated, to have a wider business interruption cover.
❖ Loss of profit due to reputational damage.


And don’t forget… RECOVERY!

Security

Improve your security:

▪ Identify
▪ Protect
▪ Training

Transfer

Transfer your risk with a cyber policy that adjusts to your needs:

▪ Include updated coverages for Oil & Gas Industry

Recovery

Be aware of how your company will react:

▪ Claims protocol
▪ Forensic experts
▪ Legal Advice
▪ Reputational damage advice
▪ General experts


Thank you