This document summarizes a presentation on cyber risks in the energy industry. It discusses regulatory responses to cyber threats, examples of corporate cybersecurity policies from major energy companies, and key questions insurers have about how companies manage cyber risk. Recent cyberattack trends and litigation are also reviewed. The presentation covers technical vulnerabilities, preventative measures, and the growing legal and financial implications of data breaches for energy companies.

1. Cyber Risks in the
Energy Industry
Presented By:
Lori Nugent, Shareholder
Greenberg Traurig
Jerry Bessette, Associate Director
Navigant Consulting
Tim Christ, VP
Cogent Analytics
#IRMI2018

2. Outline
• Brief overview of Historical and Current Situation
• Regulatory Responses to date
• Corporate Responses to date
• Key Insurer Questions
• Recent Highlights in Investigation
• Recent Case Law/Litigation Trends
• What’s Next?
#IRMI2018

3. #IRMI2018

4. #IRMI2018

5. #IRMI2018

6. #IRMI2018

7. #IRMI2018

8. Regulations
• National Institute of Standards and Technology (NIST) Framework for
Improving Critical Infrastructure Cybersecurity
• US Department of Energy
• NERC CIP standards
• North American Energy Standards Board (NAESB)
• International Atomic Energy Agency (IAEA)
• World Nuclear Association (WNA)
• World Institute for Nuclear Security
#IRMI2018

9. Royal Dutch/Shell
• Our IT systems are increasingly concentrated in terms of geography, number of systems, and key contractors supporting
the delivery of IT services. Shell, like many other multinational companies, is the target of attempts to gain unauthorized
access to our IT systems and our data through various channels, including more sophisticated and coordinated attempts
often referred to as advanced persistent threats. Timely detection is becoming increasingly complex but we seek to detect
and investigate all such security incidents, aiming to prevent their reoccurrence. Disruption of critical IT services, or
breaches of information security, could harm our reputation and have a material adverse effect on our earnings, cash
flows and financial condition.
• Data protection laws apply to Shell and its joint ventures and associates in the vast majority of countries in which we do
business. Over 100 countries have data protection laws and regulations. Additionally, the EU General Data Protection
Regulation, which will be applicable from May 2018, increases penalties up to a maximum of 4% of global annual turnover
for breach of the regulation. Non-compliance with data protection laws could expose us to regulatory investigations, which
could result in fines and penalties. Regulators may also issue orders to stop processing personal data in addition to
imposing fines, which could disrupt operations. We could also be subject to litigation from persons or corporations
allegedly affected by data protection violations. Violation of data protection laws is a criminal offence in some countries,
and individuals can be imprisoned or fined. Any violation of these laws or harm to our reputation could have a material
adverse effect on our earnings, cash flows and financial condition.
• Our insurance subsidiaries provide hazard insurance coverage to other Shell entities and only reinsure a portion of their
risk exposures. Such reinsurance would not provide any material coverage in the event of a large-scale safety and
environmental incident. Similarly, in the event of a material safety and environmental incident, there would be no material
proceeds available from third-party insurance companies to meet our obligations. Therefore, we may incur significant
losses from different types of risks that are not covered by insurance from third-party insurers, potentially resulting in a
material adverse effect on our earnings, cash flows and financial condition.
#IRMI2018

10. Royal Dutch/Shell
SELF-INSURANCE
• Shell mainly relies on self-insurance for many of its risk exposures and capital is set aside
to meet self-insurance obligations (see “Risk factors” on page 15). We seek to ensure
that the capital held to support the self-insurance obligations is at a level at least
equivalent to what would be held in the third-party insurance market. Periodically,
surveys of key assets are undertaken that provide riskengineering knowledge and best
practices to Shell subsidiaries with the aim to reduce their exposure to hazard risks.
Actions identified during these surveys are monitored to completion.
INFORMATION TECHNOLOGY
• Given our reliance on information technology systems for our operations, we
continuously monitor external developments and share information on threats and
security incidents. Shell employees and contract staff are subject to mandatory courses
and regular awareness campaigns, aimed at protecting us against cyber threats. We
periodically review and adapt our disaster recovery plans and security response
processes, and seek to enhance our security monitoring capability. See “Risk factors” on
page 12.
#IRMI2018

11. Valero
• A significant interruption related to our information technology
systems could adversely affect our business.
• Our information technology systems and network infrastructure may
be subject to unauthorized access or attack, which could result in a
loss of sensitive business information, systems interruption, or the
disruption of our business operations. There can be no assurance that
our infrastructure protection technologies and disaster recovery plans
can prevent a technology systems breach or systems failure, which
could have a material adverse effect on our financial position or
results of operations.
#IRMI2018

12. Total SA
#IRMI2018

13. Lukoil
#IRMI2018

14. Key Questions for Insurers
• Is an independent party reviewing, minimum annually, the effectiveness of
the technical and organizational security controls and related processes?
• Does the company have an overview of the critical information? Is the
information adequately protected from end-to-end?
• Does the company have organizational and technical controls in place to
detect, respond, and react to a cyber-attack promptly, including cross-
functional incident response structures and processes?
• Does the company have regular security awareness activities and training
to make employees aware of cyber risks and how to protect critical
information?
• Does the company have a governance structure in place that ensures the
security controls are regularly assessed against the rapidly changing threat
environment, and that the controls are adapted accordingly?
#IRMI2018

15. #IRMI2018

16. Technical Investigator’s Perspective
#IRMI2018
 Attack Vectors
• Phishing, Metasploit, WannaCry, Cloud Services, RDPs
 Vulnerabilities
• Patching, SCADA Systems, Information Control Systems, Internet of Things
 Preventive Measures
• Assessments
• Plans, Policies, and Procedures
• Exercise

17. Legal Perspective
#IRMI2018
 Tipping Point
• Regulation and Litigation
 Responding Well Matters
• Reputation, Perception of Decision Makers, Recovery
 Are You Prepared Financially?
• $225/Record, $7.35 Million/Breach, Your Maximum Probable Loss = ?
 What are Your Proof Points?
• Negligence, Fraud, Unfair Trade Practices, Breach of D&O Duties

18. What’s Next?
#IRMI2018