This article appears in the July 2021 issue of The PIOGA Press.

By Steven Franckhauser JD, CIPP/US, General Counsel and Chief Data Privacy Officer Bertison-George LLC
and Mercy Komar, CIC, CyRM, MLIS at L. Calvin Jones

Energy businesses are attacked on many fronts and by many foes, including data thieves and cyber pirates. For an industry under siege by those who enjoy the fruits of the energy industry’s efforts yet ridicule the calloused hands of its labor, adding one more foe could tip the scales from healthy business to extinction. In blatant recognition of the digitized security threat, the National Guard’s 7th Cyber Yankee training exercise recently simulated a cyberattack that took out “critical” utilities across the United States. We should applaud and copy their efforts.

Now is the time to combat the loss of data. To do so, you must adopt a data safety and protection program that concentrates on human behavior and education and that identifies and prioritizes your risks. Failing to act will imperil your operations. Amid rampant confusion, where is the clarity of purpose and action to be found? It lies in educating people on safety measures and behavior modification.

Data privacy and cyber security are two inextricably related concepts. Data privacy is the broadly scoped concept of protecting and limiting the distribution of data and information, whether it belongs to a business, client or vendor. “Cyber Security” is the common expression for the protection of data used, stored or transmitted in a digitized format.

Public perception has created a false narrative and fertile fields for harvesting stolen data. The false narrative is that data privacy relies entirely on technical solutions since cyber security is a purely technical problem. The converse is true. Cyber security is a human behavioral problem masquerading as a technical problem. Here is how we know this to be true:

The leading causes of data breaches are 1) human error, 2) physical theft or loss of a device, 3) phishing (43 percent of data breaches worldwide), 4) stolen or weak credentials, 5) application/OS vulnerabilities, 6) malicious cyber-attacks and 7) social engineering.

Businesses and organizations are imperiled by a scourge of data theft due largely to these seven poor privacy practices. As privacy laws proliferate and cybersecurity measures grow, it is incumbent upon leaders to view data as a “raw material” and assess where that raw material best resides within their data spectrum. Determining how, when and what protections are most useful within reasonable budgetary and human resource constraints offers the most efficient route to sustainable data management best practices and data protection. Relying on purely technical defenses ignores the leading causes of data theft and enlists you in a perpetual arms race.

An infamous and parallel congressional lesson in energy history

A 30-year-old example offers a chilling reminder of what can happen when energy companies fail to act. Responding to the Exxon Valdez oil spill, the U.S. Congress enacted the Oil Pollution Act of 1990 (OPA) to strengthen the Environmental Protection Agency’s power to prevent oil spills. The OPA assigned financial liability for cleanup costs, defined responsible parties, and created a fund for damages and remediation. Unfortunately, these measures created financial burdens too massive for many smaller companies to afford. While larger entities possessed the financial capacity to self-insure and exploit the tax benefits of self-insuring, less-capitalized companies folded their tents. Almost overnight, environmental impairment liability insurance (EIL) was out of the financial reach of many “mom and pop” gas stations, and they closed their doors. Does the same fate await smaller energy companies seeking cyber security insurance?

The onslaught of ransomware attacks, data theft and cyber espionage has transformed cyber security insurance from a bull to a bear market. Applications are being reexamined under revised and far more stringent underwriting guidelines. Meanwhile, data privacy and security have become core elements of business operations.

Insurance and the actual price of ransomware

Ransom payment figures are mere fodder for the media as they represent only one-third of the overall cost of a data breach!

While Colonial Pipeline recently paid a $4 million ransom, that figure pales by comparison to the cumulative sums sought by its vendors under a hastily filed class action suit, rampant data destruction, computer bricking and overall loss of income. Ultimately, Colonial’s damages will easily exceed the $15 million aggregate limits on its cyber risk policy.

Alarmingly, directors and officers insurance is now a target for lawsuits and attorneys seeking to secure lucrative damages in data breach claims.

Current cyber risk policy renewals are taking a 20-40 percent increase, with D&O policies following closely behind. This trend will continue as greedy, newly formed cyber specialty companies enter the fray by persuading SMBs that they can secure cheaper coverage. These companies will be able to secure coverage, but they will be overwhelmed by under-reserved and underpriced losses far more quickly than their predecessors, who had the cushion of five years for the liability tail to develop. This is already being seen in the case of three-year-old tech startup Corvus, now rewriting its book of business with limited aggregates and higher deductibles.

Lagging in security demands, insurance carriers have begun to compel multi-factor authentication, along with additional requirements, before they will even issue a quote. Meanwhile, larger insureds are facing more expensive renewals with lower limits and restrictive endorsements! Some carriers are adding pointless tandem coverages in the hope that insureds will be duped into believing they have received value.

Until now, insurers have tampered only with ransom and crime coverages. You should expect more changes when pending state and federal bills are enacted into law.

Under the radar, in late 2020 the Treasury Department’s Office of Foreign Assets Control (OFAC) issued an advisory clearly stating that any payment made to a sanctioned entity (including one made under the duress of a ransomware attack) would violate federal sanctions regulations. Conversely, should you ignore the ransom demands, your business is precariously perched as you try to claw your way back into business. The business interruption and dependent business interruption clauses are by far the most important and most often overlooked sections of cyber policies. You need a good security coach to help you determine where your money should be spent in your cyber risk policy.

What can energy businesses do to help prepare?

The threshold questions for smaller energy-based businesses are: how can we weather the storm, and what are the long-term implications of data theft?

Weathering the storm requires an adjustment in attitude and the realization that the “storm” is here to stay. With insurance in place, you are better poised to adjust your business (and personal) culture to make data protection a matter of routine. We suggest you adopt these basic tenets:

  • Your business IS a data business engaged in the energy sector.
  • Educating your employees, vendors and customers about data protection is essential.
  • Eventually, you will lose data or have it stolen. Prepare to quickly respond and recover.
  • Making your business a less attractive target for data theft is a victory.

Useful data privacy, data protection and cyber security boil down to the quality of leadership. If leaders adopt a laissez-faire attitude, their businesses will be in the sights of data pirates. Conversely, if data is treated as a “crown jewel,” then you will simultaneously guard your treasure and exploit its benefits.

The need for data inventory and classification

Data privacy protection analysis depends on what type of data you possess and what you do with it. The lack of a single, comprehensive data privacy law in the United States requires you to deal with a collage of state and federal laws specific to particular business sectors and media. Navigating these laws is manageable once you know what you have. Here is a list of the sources of data most likely under your care, custody and control:

  • Proprietary business data such as pricing, profit, loss, methods, etc.
  • Employee-centric data including personally identifiable information such as SSNs, bank account numbers and personally identifiable health information
  • Vendor information and data including data along the supply chain

Selecting data privacy and digital security measures

You should mesh data privacy and digital security into a comprehensive program. The most vital measures you can take are educating and training your people to value data as never before. Combining education, preparation and data protection in human terms with support from your technical arsenal is your best and most affordable option. After all, mega-funded entities suffer tremendous breaches even with multiple technical defenses because of bad privacy practices and human and control vulnerabilities. One size does not fit all, but all successful data privacy and cyber security measures launch from the same pad of organizational education and awareness.

Business leaders must take the initiative by gaining the knowledge necessary to understand data privacy and cyber security on a broader scale if they are to protect their markets, their data and ultimately their businesses. Leaders explore their vulnerabilities and seek those who offer help.
