CYBERSECURITY EXECUTIVE ORDER: WHAT WE KNOW AND WHAT WE DON’T

Lockton Global Technology & Privacy Risks Practice, February 2013

Lockton Companies, LLP

During his State of the Union address to the Congress on February 12, 2013, President Barack Obama announced that he had issued an executive order entitled “Improving Critical Infrastructure Cybersecurity.” The order is intended to promote the sharing of cybersecurity information held by the federal government with critical infrastructure companies, to develop a framework for reducing cyber risks, and to encourage companies to comply with the framework. The order could have significant consequences for the companies affected by it.

William A. Boeck
Senior Vice President, Insurance & Claims Counsel
Global Technology & Privacy Practice
+1 816 960 9670
[email protected]

CRITICAL INFRASTRUCTURE

So what is “critical infrastructure”? The order is vague on that point. It states only that:

[C]ritical infrastructure means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.

At least with respect to infrastructure that is “at greatest risk,” the U.S. Department of Homeland Security (DHS) will flesh this out in the next few months. The order directs the DHS to use a “risk-based approach” to identify infrastructure for which a cybersecurity incident could result in “catastrophic regional or national effects on public health or safety, economic security, or national security.” The order specifically excludes commercial information technology products and consumer information technology services. The DHS list of critical infrastructure “at greatest risk” will be published on or before July 12, 2013.

INFORMATION SHARING

One of the primary goals of the order is to assure that the U.S. government shares information about cyber threats with private sector entities. To that end, the order instructs the U.S. Attorney General and the Secretary of Homeland Security to produce unclassified reports about threats against specific targeted entities. Classified reports must also be given to targeted entities that are allowed to receive them.


444 W. 47TH STREET, SUITE 900 | KANSAS CITY, MO 64112 | 816.960.9000 | WWW.LOCKTON.COM



In addition to sharing information with targeted entities, the executive order also expands the Enhanced Cybersecurity Services program. That voluntary program allows the government to share classified cyber threat and technical information with defense industries. Going forward, the program will include all critical infrastructure companies.

The order encourages, but does not require, private sector companies to share cybersecurity information with the federal government.

CYBER RISK REDUCTION FRAMEWORK

The order requires the U.S. Department of Commerce to lead efforts to create a framework to reduce cybersecurity risks to critical infrastructure. The Cybersecurity Framework will consist of standards, methodologies, procedures, and processes based on consensus standards and best practices across multiple industry sectors that are designed to help critical infrastructure companies identify, assess, and mitigate cyber risks.

The Framework will include guidance for measuring an entity’s performance in implementing the Framework.

The Framework will be created with the input of relevant federal agencies and critical infrastructure companies. The process will be open for public review and comment.

A preliminary draft of the Cybersecurity Framework will be released on or before October 10, 2013. The final version will be published by February 12, 2014.

VOLUNTARY PROGRAM FOR ADOPTION OF CYBERSECURITY FRAMEWORK

The third primary focus of the executive order is the creation of a program for critical infrastructure companies and other interested entities to voluntarily comply with the Cybersecurity Framework. Federal agencies with responsibility for specific industry sectors will review the Framework and create implementation guidance and supplemental materials to address industry-specific risks.

The order requires the DHS to create incentives for companies to participate in the voluntary program. It isn’t clear what form the incentives might take, though recommendations must be made not later than June 12, 2013.

Cybersecurity standards incorporated into the Framework may also be used in federal acquisition planning and contract administration. Recommendations in that regard will be made by June 12, 2013. Emphasis will be placed on promoting consistency in procurement requirements related to cybersecurity.

RISKS AND UNANSWERED QUESTIONS

The federal government’s sharing of cyber threat information certainly will benefit the companies that receive it. They will gain a better sense of their real and perceived vulnerabilities and of the cybersecurity issues they need to prioritize.

The government’s sharing of information also creates potential risks, however. The classified and unclassified reports regarding threats against specific entities may shine an uncomfortable light on a company’s exposure and any lack of preparation for cyber incidents.

In guidance given by the Securities and Exchange Commission (SEC) in October 2011, companies are advised to disclose information to investors about the company’s cyber exposures, the steps taken to prepare for cyber events, and the costs incurred to prevent incidents. (A full discussion of the SEC’s guidance can be found here [1].)

As companies receive more information, particularly unclassified information, from the federal government, they and their directors and officers will come under increased scrutiny by their shareholders and the SEC. In the event the disclosures are alleged to have been lacking, and/or the company is alleged to have been physically or financially unprepared for a cyber event, actions by shareholders or the SEC can be expected.

One significant question raised by the executive order is whether the forthcoming Cybersecurity Framework will add to or change compliance obligations already faced by critical infrastructure companies. Healthcare companies are a good example in view of the order’s specific focus on the effect of cybersecurity incidents on public health. The U.S. Department of Health and Human Services (HHS) recently released its final rule modifying the HIPAA [2] Privacy, Security, and Enforcement Rules, and the HITECH [3] Act’s breach notification rule relating to protected health information. (Detailed discussions of the final rule can be found here [4].)


The compliance obligations created by the final rule may or may not be consistent with what will be contained in the Cybersecurity Framework. While it seems unlikely that the Framework will contradict the HIPAA/HITECH final rule, it is certainly possible that the Framework will create additional obligations that companies will be incentivized to undertake.

Although compliance with the Cybersecurity Framework will be voluntary, it may prove difficult to ignore. It is not hard to imagine that regulators, customers, investors, and even insurance underwriters will take a dim view of any company’s refusal to participate in a program designed to reduce cyber risk. As noted above, compliance ultimately may be required of companies doing business with the federal government.

FINAL THOUGHTS

President Obama’s executive order is the most recent example of growing efforts on the part of governments around the world to address cybersecurity risks. The European Commission’s recently announced cyber strategy, entitled “An Open, Safe and Secure Cyberspace,” is designed to achieve many of the same goals as the executive order. Similarly, the Financial Services Authority (FSA) in the United Kingdom is reviewing financial institutions with a view toward providing cybersecurity guidance for the financial services sector.

The increased attention of governments and regulators such as the SEC and FSA to cybersecurity issues is certain to force companies to do the same. Smart managers will assure that their companies stay well informed and adopt best practices concerning cyber risk with an eye toward emerging government views and guidance on the subject.

Smart managers will also assure that their companies are financially prepared for a cybersecurity event if and when it happens. Part of that preparation will include obtaining adequate insurance coverage. Cyber coverage has evolved significantly over the past few years. It can cover aspects of the risk that were nearly impossible to insure before. The coverage can, and in many cases should, be highly customized each year to meet the changing risks a company faces.


GTPP, a division of Lockton Companies LLP. Authorised and regulated by the Financial Services Authority. A Lloyd’s broker. Registered in England & Wales at The St Botolph Building, 138 Houndsditch, London, EC3A 7AG, Company No. OC353198. LLP 990 - Feb 13. www.lockton.com

[1] Available at http://www.lockton.com/Resource_/PageResource/MKT/Cyber%20Guidance%20revised.pdf.
[2] The Health Insurance Portability and Accountability Act.
[3] The Health Information Technology for Economic and Clinical Health Act.
[4] Available at http://www.lockton.com/Insights-And-Publications/White-Papers/Final-HIPAAHITECH-Rule-Released.