SAFETY Act Helps Manage High-impact Cyber and Physical Security Events
By Paul M. Tiao and Brian M. Zimmet, Hunton & Williams LLP
Owners and operators of critical infrastructure face substantial liability risks from cyber and physical security events. The 2015 cyberattack on Ukrainian utilities, which resulted in widespread power outages, and ransomware attacks on electric utilities in the United States and Israel last year, demonstrate that electric utilities remain high on the list of targets for adversaries seeking to use cyber and physical vulnerabilities to initiate high-impact attacks.
Although cyber and physical security protections have improved in recent years, the nature of electric utility operations means that the risks of widespread, high-impact outages from cyber or physical attack are an inherent part of the electric industry. An attack on the bulk electric system that succeeds in causing widespread and sustained power outages is likely to trigger years of government investigations and inquiries into the electric utilities perceived to be responsible for allowing the outage. In addition, there’s a good chance that multiple lawsuits from businesses and individuals affected by the outage will be filed. Because these risks cannot be altogether avoided, they must be managed.
Managing risks arising out of cyber and physical security events can be challenging, even under the best of circumstances. Most utilities rely on state-level outage liability protections that were developed years ago, and in an environment where the bulk power system was less interconnected and the system faced far fewer severe threats from adversaries.
The critical infrastructure protection (CIP) standards developed and implemented by the Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Corp. (NERC) have improved cyber and physical security, but they also have increased liability risks, because they establish potential standards of care against which utility security efforts can be measured. Cyber insurance, in turn, continues to evolve, but generally contains substantial exclusions from coverage, particularly for companies that cannot demonstrate they have state-of-the-art cyber and physical security practices.
This article highlights a new and potentially groundbreaking approach to managing these risks using the Support Anti-Terrorism by Fostering Effective Technologies or SAFETY Act. In a nutshell, the SAFETY Act provides a mechanism for electric utilities and their vendors to limit their potential liability for the consequences of a cyberattack or a physical security attack. The liability limitations offered by the SAFETY Act are not only valuable in their own right, but also offer substantial secondary benefits, including reduced insurance costs and more robust insurance coverage.
The use of the SAFETY Act by electric utilities and their vendors to manage liability risks has gained more attention in recent years, and a few utilities have begun to take steps to try to acquire SAFETY Act coverage for their cyber and physical security programs. Hunton & Williams LLP has worked with some of those early applicants and engaged with the Office of SAFETY Act Implementation (OSAI) on its criteria for granting SAFETY Act Designation or Certification. The following is an overview of the potential benefits of the SAFETY Act, as well as the criteria that must be met to acquire SAFETY Act Designation or Certification.
Electric Utilities Confront Real Liability Risks from Cyber Events
There are real liability risks for electric utilities, their vendors and the officers and directors of both, arising out of a widespread electric outage caused by a cyberattack. While the probabilities of such events are uncertain, their impact is high. In December 2015, hackers managed to break into IT systems that operate large portions of the Ukrainian grid. They used that access to cause sustained electric outages to several hundred thousand people at a particularly vulnerable time (around the Christmas holiday).
In early 2016, ransomware attacks on electric utilities in Michigan and Israel in which attackers attempted to take over utility computer systems and to interrupt key operations were reported. These attacks highlight the fact that critical infrastructure remains vulnerable to cyber and physical attack, and that attackers wishing to make a high-profile impact are likely to target electric utilities, given their central role in the smooth functioning of everyday life.
Although utilities enjoy certain common law and tariff protections against liability from outages caused by cyber or physical attack, those protections evolved in an earlier era, when the threat of widespread, multi-state outages resulting from terrorist attacks was largely nonexistent. The extent of those protections against claims arising from a catastrophic outage due to an inadequate cybersecurity program is uncertain. History suggests that in instances where there is a particularly dramatic or widespread outage, traditional tariff and common law liability protections granted to electric utilities are less than foolproof in defending against lawsuits. Indeed, in major outages during the past 40 years, utilities have often been subject to some degree of outage liability in spite of their applicable common law and tariff protections.
A utility suffering a cyberattack that causes a widespread or widely publicized outage, or both, is therefore likely to spend years fending off the resulting litigation. In addition, there is a better than average chance that it (or its insurer) will pay some form of damages, either through a jury verdict or a claims settlement. To the extent that a vendor’s product or services are implicated in the cyberattack and outage, such vendors are even less protected by traditional liability limitations. These vendors, therefore, bear even higher levels of liability risk than the utilities.
In addition to claims against the company and its vendors for outage-related liability, such entities and their directors and officers also could be the target of derivative suits or shareholder suits for fraud and other securities law violations. The allegations in such cases could range from failing to adequately protect the company against cyberattack (or, in the case of vendors, failing to take steps to ensure that their product or service adequately protects against cyberattack) to failing to make adequate disclosures about the state of the company’s cybersecurity practices. Such lawsuits also can be time-consuming and expensive to defend against. In addition, as with outage liability claims, resolution of these lawsuits often results in substantial payments by the target company or its officers (or their insurers) or both.
Although the CIP standards have led to better cyber and physical security practices, they also have elevated the potential liability risks associated with a major cyber or physical security attack because they provide defined standards against which a utility’s pre-attack behavior can be measured. This risk is heightened by the fact that when a widespread outage occurs, FERC, NERC and regional entities tend to conduct investigations, many of which are disposed of through settlements where there is a finding of one or more reliability standards violations. Such violations can serve as evidence (and, in some cases, a per se finding) of negligence or gross negligence on the part of the applicable utility.
The SAFETY Act Provides Substantial Liability Protections
In conjunction with adequate cyber insurance, coverage of an electric utility’s cyber and physical security programs under the SAFETY Act can substantially mitigate the liability risks from cyber or physical attacks. Before describing how the SAFETY Act can specifically benefit electric utilities, however, some basics on the statute itself are needed.
The SAFETY Act was enacted as part of the broader Homeland Security Act of 2002 to help facilitate the development and deployment of anti-terrorism products and services (referred to in the statute as “technologies”) by granting various liability protections. The SAFETY Act provides covered technologies with two basic types of protection, Designation and Certification, against third party liability for injury, loss of life or damage to property or businesses arising out of an act of terrorism in circumstances where the applicable technology is deployed in defense against, or in response to, such an act. An “act of terrorism” is defined as any act that is (i) unlawful; (ii) causes harm to a person, property or entity, in the U.S., or in the case of a domestic U.S. air carrier or a U.S.-flag vessel, in or outside the U.S.; and (iii) uses or attempts to use instrumentalities, weapons or other methods designed or intended to cause mass destruction, injury or other loss to U.S. citizens or institutions.
For a technology that has been granted Designation, third party liability for damages arising out of an act of terrorism is capped at the level of the applicant’s insurance coverage, which the Department of Homeland Security’s (DHS) Office of SAFETY Act Implementation (OSAI) determines as part of the application process. Designation also carries with it a series of additional risk mitigation measures, including exclusive jurisdiction in federal court for all lawsuits; a bar against punitive damages and pre-judgment interest; a limitation on non-economic damages; and liability only in proportion to the responsibility of the seller of the technology.
Certification provides the same protections as those provided by Designation, but also provides more complete liability protection by allowing the seller of the covered technology to assert the Government Contractor Defense (a broad defense which forecloses most claims). The Government Contractor Defense may be rebutted only by proving with clear and convincing evidence that fraud or willful misconduct occurred by the seller in submitting information to DHS. Each certified technology also is designated as an “approved product for homeland security” by DHS.
In addition, the Act provides that the only proper party defendant to a lawsuit arising from an act of terrorism is the technology’s seller. Thus, customers, clients, subcontractors and vendors that either consume the technology or support the seller in deploying the technology are immune from liability.
SAFETY Act protections are obtained through an application process. A status of Designation is a prerequisite for obtaining Certification, although applicants may seek both protections simultaneously. Designation requires that applicants demonstrate that the applicable product or service has utility and is effective. The applicant also must demonstrate that: the seller of the product or service has large or unquantifiable potential third-party liability risk exposure; without the SAFETY Act’s protections, the liability associated with the product or service would likely prevent or curtail its deployment; there is substantial potential risk exposure to the public should the product or service not be deployed; and any other factors DHS deems relevant to U.S. security are addressed.
Applicants seeking Certification must satisfy all the criteria of Designation, as well as demonstrate that the technology can meet three additional criteria: 1) the technology performs as intended; 2) the technology conforms to specifications; and 3) the technology is safe for use.
Under the SAFETY Act, OSAI has 120 days from the completion of an application to render a decision. A grant of Designation or Certification is good for five years, after which the company must reapply for SAFETY Act coverage.
Electric Utilities Can Benefit From the SAFETY Act
The understanding of what constitutes a covered technology under the SAFETY Act has evolved significantly since the statute was passed in 2002. For much of the SAFETY Act’s history, technology covered under the statute has largely meant equipment, devices, computer programs and applications, and other similar assets. However, the definition of technology in the SAFETY Act is not so limited. The statute defines technology as any “product, equipment, service (including support services), device or technology (including information technology) designed, developed, modified or procured for the specific purpose of preventing, detecting, identifying or deterring acts of terrorism or limiting the harm such acts might otherwise cause, that is designated as such by the Secretary (of Homeland Security).”
The inclusion of the terms “services” and “support services” within the SAFETY Act’s definition of technology is significant, because it means that SAFETY Act coverage can be extended not only to equipment and applications, but also to security processes and procedures, including those a company devises for its own purposes. In recent years, OSAI has begun to extend SAFETY Act coverage to service providers: first to third party sellers of physical security services, and then, more recently, to entities that developed their own internal physical security programs.
These extensions of SAFETY Act protections to programmatic activities have set the stage for an extension of the SAFETY Act to an electric utility’s own internal cyber and physical security programs. In conjunction with the development of the Cybersecurity Framework and the C2M2, OSAI has indicated (in discussions that Hunton & Williams LLP has had with the agency) that it is willing to grant SAFETY Act coverage to critical infrastructure owners and operators for part or all of their internal cybersecurity programs.
The SAFETY Act, therefore, provides two complementary avenues for an electric utility to mitigate and even reduce its liability risks from cyber and physical threats. The first, and easiest, avenue to increase liability protections is to purchase goods and services, particularly those involving physical and cyber security, from vendors that have obtained SAFETY Act coverage for their products. That way, the utility can avail itself of the liability protections attached to using those products.
The second avenue, which would allow for more comprehensive risk mitigation, is for an electric utility to seek SAFETY Act Designation or Certification for its internal cyber and physical security programs and processes. This is the type of SAFETY Act coverage some electric utilities are now applying for.
For a utility to obtain SAFETY Act coverage for its entire program, it must show OSAI that all aspects of its cybersecurity program, from identification of critical cyber assets and other protected cyber assets to protection mechanisms and recovery and restoration plans, satisfy the criteria for Designation and Certification.
If an entity is successful in obtaining SAFETY Act Designation or Certification, it can enjoy at least two levels of liability protection. First, if the Secretary of Homeland Security rules that a cyberattack is an act of terrorism, the specific protections specified in the SAFETY Act apply. Second, even if an act of terrorism is not declared, the fact that a company’s cyber or physical security program has been approved for SAFETY Act Designation or Certification and been designated as an “Approved Product for Homeland Security” by DHS, provides an official stamp of approval of the company’s internal programs. This provides strong evidence that the company acted in accordance with applicable standards and, therefore, can mitigate liability risks.
In addition to these benefits, SAFETY Act Designation or Certification can improve a covered company’s insurance costs. SAFETY Act coverage can limit an entity’s potential liabilities and likely reduce a utility’s insurance costs, while potentially allowing it to gain more expansive coverage. This is because SAFETY Act coverage provides an independent demonstration to underwriters that a utility has less risk and therefore should qualify for better coverage at a lower cost.
The regulatory landscape for cybersecurity is constantly evolving, especially for electric utilities because they own and operate critical infrastructure. Utilities’ regulatory landscape involves mandatory regulation and constantly-changing standards. The utility industry already has devoted vast resources to achieving compliance with the CIP standards, but such compliance is not a foolproof defense against a cyberattack or the liability risks associated with such an attack.
The SAFETY Act allows utilities and their vendors to capitalize on all the work they have performed in upgrading cybersecurity processes and practices. Rather than simply allowing a utility to defend against regulatory penalties, SAFETY Act coverage, particularly for all or a part of a utility’s cybersecurity program, allows that utility to better manage and minimize the liability risks associated with a cyberattack.
Equally important, it could allow utilities to obtain more robust cyber insurance coverage at a lower cost than most cyber insurance policies currently on the market.
Hunton partner Paul Tiao co-chairs the firm’s multi-disciplinary Cyber and Physical Security Task Force and its Energy Sector Security Team. Paul regularly advises companies on risk management, preparedness, cyber incident response, compliance, litigation, policy and legislation.
Hunton partner Brian Zimmet focuses on regulation and restructuring issues for electric utilities. He was a primary drafter of the Retail Electric Competition and Consumer Protection Act of 1999.