January 2019, Vol. 246, No. 1
Addressing Legal Risk Through SAFETY Act
Legal Perspectives
By Eric Hutchins, Principal, H2 Legal, P.C., and Ted Murphy, Partner, Hunton Andrews Kurth
On the morning of Aug. 15, 2012, most Saudi Aramco employees were home celebrating Ramadan. Suddenly, the few remaining at work noticed problems with their computers. Screens flickered, and files were lost. Not long after, a group called the Cutting Sword of Justice announced it had launched a major cyber-attack, later dubbed “Shamoon,” warning that, “destruction operations … will be completed within a few hours.”
By the time it was over, Saudi Aramco had suffered the worst cyber-attack to date, one that destroyed over 35,000 computers and required the company to rebuild its entire corporate network. While the attacks did not successfully target segmented supervisory control and data acquisition (SCADA) systems, repercussions still spread across the infrastructure to create real-world physical impacts. With no system to complete transactions, trucks lined up for miles outside of Saudi Aramco terminals, unable to be loaded. After two weeks, the company was forced to give oil away for free to keep it flowing within Saudi Arabia.
Cyber-attacks have long been identified as a significant threat to critical infrastructure owners and operators – one the oil and gas sector saw first-hand in the Shamoon attack. Potential damages from such attacks on the sector continue to increase.
With natural gas supplying an increasing share of not only real-time peaking, but now also baseload, electricity generation capacity, supply disruptions could ripple throughout society to create an economic, public health, and even national security crisis. Oil and gas pipeline owners and operators could face enormous liabilities in these scenarios. Even less catastrophic cyber-attacks can lead to substantial exposure.
Against this backdrop, the Support Anti-terrorism by Fostering Effective Technologies Act (SAFETY Act) is becoming an increasingly viable tool to mitigate escalating cyber-attack risks. The SAFETY Act provides legal protections, including liability caps and immunity, where qualified technologies approved by the Department of Homeland Security (DHS) are deployed against an “act of terrorism.”
Under the SAFETY Act, an act of terrorism need not have a political component but is instead based on factors including the severity of an attack, as determined by the Secretary of Homeland Security. Likewise, qualified technologies under the SAFETY Act are broadly defined to include services like risk management programs.
In September, DHS certified for the first time an internal enterprise-wide cybersecurity risk management program, notably for an energy sector company. Oil and gas companies could seek similar protection from cyber-risks. But how does the SAFETY Act work, and what are the practical benefits of SAFETY Act coverage outside of cases where an act of terrorism occurs?
Under the SAFETY Act’s implementation regulations, DHS provides two levels of protection for qualified technologies – designation and certification. Designated technologies must show effectiveness with confidence of repeatability. Companies deploying these technologies against acts of terrorism enjoy legal protections including limits on liability and exclusive federal jurisdiction.
Certified technologies must also show proven effectiveness, but with a high confidence of repeatability. In addition to the legal protections for designated technologies, certification provides a rebuttable presumption of immunity from liability resulting from an act of terrorism.
The SAFETY Act provides a statutory shield to protect oil and gas companies against liabilities associated with cyber-attacks by terrorists. As cyber threat actors grow in number and become more sophisticated, this protection becomes an increasingly important tool to mitigate risks that could threaten the existence of even the largest companies.
Oil and gas companies should also consider the significant additional benefits that SAFETY Act coverage of internal cybersecurity programs can provide beyond declared acts of terrorism. After all, the Secretary of Homeland Security has not, to date, declared an event to be an act of terrorism under the SAFETY Act. Indeed, when a company recently attempted to assert SAFETY Act protections in court, DHS responded by posting a notice on its webpage stating that the incident at issue was not declared an act of terrorism.
SAFETY Act-covered technologies can be listed as “approved technologies” on DHS’s SAFETY Act website and receive DHS’s SAFETY Act “seal of approval.” This listing and these markings can be used to market approved technologies to the public. In this way, SAFETY Act coverage of internal cybersecurity programs can provide powerful outside government verification of an oil and gas company’s cybersecurity oversight and controls. This can yield important legal, insurance, and public relations benefits.
SAFETY Act coverage can help establish that a company meets the legal “standard of care” in litigation over its response to a cybersecurity incident – even if it is not a declared act of terrorism. Where a company only seeks SAFETY Act coverage of its risk management program, and not its cybersecurity controls, it would still have powerful support in response to challenges against director and senior executive actions in the wake of a cyber-attack. Furthermore, SAFETY Act coverage may reduce insurance costs and expand the available scope of coverage. Both before and after an incident, a company can cite DHS’s recognition of its cybersecurity program under the SAFETY Act in response to regulator inquiries or public concerns regarding cybersecurity efforts.
Critical infrastructure is a major target of cyber-attack, and the global oil and gas sector has already experienced some of the most damaging incidents. SAFETY Act coverage of internal cybersecurity programs can provide oil and gas companies that own and operate critical infrastructure with legal protection against worst-case threats, while also providing everyday benefits.
DHS’s recent certification of an energy sector company’s internal enterprise-wide cybersecurity risk management program indicates that other companies could similarly leverage the SAFETY Act to address their legal risk from cyber-attacks in the near future. P&GJ