By Michael Brooks
WASHINGTON — A panel on the cybersecurity of natural gas infrastructure at the National Association of Regulatory Utility Commissioners’ Winter Policy Summit on Monday waded into the world of insurance.
Brian Finch, a partner with Pillsbury Winthrop Shaw Pittman, provided NARUC’s committees on Telecommunications, Critical Infrastructure and Gas with a stark reminder that it’s a matter of when, not if, a cyberattack on critical infrastructure occurs.
“The Defense Department, the Intelligence Community, the National Security Agency — all of whom spend billions of dollars on an annual basis to implement cybersecurity, have some of the smartest minds in the world working on their problems — have a saying: ‘We’ve learned to live with the adversary on the system.’”
The government expects U.S. enemies to penetrate every major defense and weapons system on a daily basis, Finch said, and there’s nothing it can do to prevent it. So too is it with the country’s energy systems.
“There’s no such thing as the elimination of the cyber risk. We are always, always vulnerable, and no matter what you’ve done, there will always be another methodology, another way to bring risk and effectuate harm.”
Therefore, Finch argued, regulators should consider liability when crafting their requirements for how utilities manage their risk against cyberattacks.
“Sometimes the presumption is that if there is a successful cyberattack, someone must have failed somewhere,” Finch said. “When something does go wrong, is someone liable? … That’s a challenge that you as commissioners … need to contemplate on a daily basis. Is it really someone’s fault that a successful cyberattack occurred? Or should you be looking at, was it one that was inevitable, and did they recover in a sufficient amount of time? …
“We have to make sure that we’re not unintentionally creating new avenues of liability that would unfairly place the blame on entities who, in reality, could do nothing to stop, say, a foreign military.”
Finch encouraged commissioners to look at the Support Anti-Terrorism by Fostering Effective Technologies (SAFETY) Act, signed into law in 2002 in the aftermath of the Sept. 11 terrorist attacks. Among other provisions, the law provides legal liability protections for providers and users of anti-terrorism technologies that are qualified by the Department of Homeland Security.
He noted that the law doesn’t cover penalties administered by state agencies, “but it does minimize the likelihood of civil liability.” Finch’s bio on Pillsbury’s website notes that “he has helped more than 150 clients take advantage of SAFETY Act liability protections following terrorist or cyberattacks.” He said that of the estimated 350 entities that have been given protection, he’s aware of only two that were for utility security programs.
Alaska Regulatory Commissioner Robert Pickett brought up the surge in ransomware attacks on municipalities last year, ranging from major cities such as Atlanta and Baltimore to small towns across the country. Pickett said his own community was attacked, costing it about $4 million to $5 million, but its insurance coverage “was totally different from what the people thought they had.”
That prompted Finch to repeat an anecdote he heard from a friend: “‘If you’ve seen one cyber insurance policy, you’ve seen one.’
“There’s no standardization in the industry. Coverage varies widely depending on who you are, what you have to offer and how much you can pay,” he said.
Finch recalled the NotPetya attack of 2017, the victims of which included food producer Mondelēz. Because the perpetrator of the attack had been determined to be the Russian government, the company’s insurance provider refused to cover the damages, treating the attack as an act of war.
Kansas Corporation Commissioner Dwight Keen asked to what extent cyber threats are state-sponsored, and which countries posed the most threats. Finch listed North Korea, China, Russia and Iran.
But Finch warned that attribution was almost irrelevant when it came to managing risk. He recalled the story of the Russian hacking group known as Turla. The NSA and the U.K.’s Secret Intelligence Service (MI6) had been tracking what they thought was a group of Iranian hackers for 18 months until they realized that the group was actually Russian: Turla had breached an Iranian hacking group and stolen its code and cyber tools in order to masquerade as it.