Contractual Risk Allocation for Digitized Processes in the Upstream E&P Sector
Contracts and Bridging Documents
Glenn Legge, Cade White and Courtney Campion
HFW USA
October 11, 2019
Houston, Texas
IADC Cybersecurity for Drilling Assets Conference

Current Operational Environment
• Exponential growth in use of digitized processes and industrial control systems in upstream E&P.
• Increase efficiencies, decrease costs and improve operations/safety.
• Real time monitoring, AI, remote sensors, real time integrity assessment via digital twins and MPD applications.

Current Operational Environment
“Digitalization could save upstream market $100 billion, report finds”
Rystad Energy estimates that as much as $100 billion can be eliminated from E&P upstream budgets through automation and digitalization initiatives in the 2020s.
Source: Offshore Newsletter, October 8, 2019

Current Contractual Utilization
• Contracts
  o Address broader issues, obligations, warranties and industry standards.
  o Often employ a reasonableness standard.
• Bridging documents
  o Incorporate specific regulations, standards and/or frameworks.
  o Specific standards of care.
• Interaction of contracts and bridging documents must not create substantive inconsistencies/tensions.
• Contracts and bridging documents can create liability/exposure beyond the scope of the immediate contract (JOAs, subcontracts).

Contract v. Bridging Document
• Drilling Contract: “Contractor shall devote its commercially reasonable efforts and experience to the performance of the Work and perform the Work with due care and in a good, safe and workmanlike manner and in accordance with good oil and gas industry practices in the area where the Work is being conducted.”
• Bridging Document: “Contractor shall ensure that all operations are performed in accordance with all applicable local government regulations, Operator and Contractor standards, industry standards, standards referred to or incorporated in the contract, best practices, and all other relevant standards.”

Avoid Inconsistencies in Contracts
• Interaction of contracts and bridging documents must not create substantive inconsistencies/tensions.
  o “In the event of a conflict between this Bridging Document and the Agreement, the terms of the Agreement shall prevail. Contractor’s cybersecurity policies and management system shall govern all performance under this Agreement unless specifically stated otherwise.”

Current Threat Environment
• Cyberattacks, intentional and inadvertent introduction of malicious viruses, state and non-state actors, reliance on contractors/service companies, digital process maintenance/updates.
  o ICS-ALERT-19-225-01: Mitsubishi Electric Europe B.V. smartRTU and INEA ME-RTU (Update A)
  o ICS-ALERT-18-011-01: Meltdown and Spectre Vulnerabilities (Update J)
  o ICSA-19-283-01: Siemens Industrial Real-Time (IRT) Devices
  o ICSA-19-192-02: Siemens SIMATIC WinCC and PCS7 (Update C)
• Impairment of, or loss of control over, critical digital control systems.
• Exposures - physical damage, personal injury/death, environmental impairment, business interruption, lost/delayed production, loss of proprietary data and reputational damage.

Current Regulatory and Industry Standards
• Evolving with new technology or running to catch up?
  o Assessment of cyber risk – CISA Alerts/Bulletins.
  o Standards/processes for managing risks – NIST 800-82, ISO/IEC 27001, ISA99/IEC 62443, USCG Cybersecurity Framework for Offshore Operations.
  o Disparate goals of regulators – USCG Framework v. BSEE RTM.
• Regulations and industry standards = baselines for:
  o Contractual performance standards/warranties
  o Gross negligence, willful misconduct, negligence per se
  o Loss of limitation of legal, statutory and/or regulatory limits of liability

Cyber Risks –
1. Assess
2. Allocate
Allocation in Contracts or Bridging Documents?

Allocating Cyber Risk - Contracts
• Scope/structure of warranties – industry standards/regulations?
• Knock for knock structure may not be functional due to scope of exposure – but may be dependent upon insurance structure of operator.
• Indemnity triggered by fault/non-compliance with contractual obligations/industry standards rather than classification of damage.
• Limitation of liability/waiver of consequential damages based upon compliance with contractual obligations/industry standards?
• Choice of law considerations to address non-traditional risk allocation.

Allocating Cyber Risk – Contracts/Insurance
• Insurance coverage – liability/additional insured/contractual liability coverage.
• Significant variable in risk allocation negotiations.
• Most liability, excess and reinsurance policies contain exclusions for cyber liability.
• London market policies - CL380 exclusion
  o 2019 JRC CL380 Buyback – Buyback A (isolated cyber attack); Buyback B (non-isolated cyber attack).
  o Proximity of wells, processes, facilities.
  o No business interruption coverage.
  o CL380 Buyback applicable to contractual liability coverage?

Allocating Cyber Risk – Contracts/Insurance
• Operators – OIL Ltd. Cyber Wrap
  o Gap coverage USD 100M DIC/DIL.
  o Property damage/control of well trigger.

Allocating Cyber Risks – Bridging Documents
• Job/task specific obligations:
  o Align operator’s SEMS/operational program with required cyber safe work processes.
  o Use of WCID format for application and use of digitized processes and ICS on location.
  o Penetration testing on specific digitized processes/ICS.
  o Scope of cyber exposures – shared/common systems/components + Well, Facility, Field wide exposures.
  o Job specific notification obligations regarding cyber intrusion.
  o Address methodologies to address cyber intrusions – MOC if operations/communications “go dark”.

Allocating Cyber Risks – Bridging Documents
• Express responsibilities/warranties regarding:
  o Compliance with appropriate industry standards for cyber risks and cybersecurity – certifications required?
  o Due diligence is not sufficient – diligence must adapt to evolving threat/regs.
  o Procedure for addressing evolving standards/regs – collaborative obligations to address required actions/additional costs/impact on timeline.
  o Notice of past and current cyber security breaches – written notice, time period, corrective actions, lessons learned.

“The future depends on what you do today.” - Mahatma Gandhi
Questions?