The World Pipelines podcast, with Elizabeth Corner, is a podcast that connects and unites pipeline professionals to learn about issues affecting the midstream oil and gas industry.
Elizabeth Corner:Hello, and welcome back to the World Pipelines Podcast. I'm thrilled to bring you conversations with experts from across the pipeline sector. For this episode, I am pleased to welcome Brittany Bacon, partner in global privacy and cybersecurity at Hunton Andrews Kurth LLP. Brittany is a partner in Hunton's New York office and co-head of the firm's technology industry group. Among many other accolades, she has received national recognition for her work in assisting clients in identifying, evaluating and managing a host of global privacy and information security risks and compliance issues.
Elizabeth Corner:She advises clients on US state and federal privacy requirements and global data protection laws and routinely advises on cybersecurity incident response. She has served as a lead attorney on the two largest reported breaches in history. In this episode, we're going to be talking about some industry specific cyber risk issues along with some bigger picture legal and governance questions. There's a lot to cover because the cyber threat environment for energy infrastructure is evolving really quickly. Before we get into it, here's a message from me.
Elizabeth Corner:We're busy planning something exciting. On March 18, I'll be hosting the World Pipelines CCS Forum in London. It's a day dedicated to the CO2 pipeline build-out and how we'll make the UK's carbon capture and storage pipeline networks a reality. We'll cover the engineering challenges specific to CO2 pipelines. We'll outline the different demands for integrity and maintenance, we'll provide project updates from each of the clusters, and we'll debate the future of the sector in the UK.
Elizabeth Corner:The speaker lineup includes National Gas, United Infrastructure, SGN, DNV, Penspen and more. Search World Pipelines CCS Forum for more information. We have special discounted rates for members of pipeline organizations, including the Pipeline Industries Guild, IPLOCA, the CCSA, and UKOPA. Thanks for listening. Let's get back to the episode.
Elizabeth Corner:Hello, Brittany. Welcome to the podcast. I'm really pleased to have you here.
Brittany Bacon:Hi, Elizabeth. So happy to be here.
Elizabeth Corner:Brittany, let's start by looking to the recent past. From your vantage point, what has changed most for pipeline or oil and gas operators in the last twelve to eighteen months within the realm of cyber risk?
Brittany Bacon:Elizabeth, I would rewind the clock back just a bit further to 2021 because this was a real watershed moment in the industry. Of course, this is when Colonial Pipeline was hit by a ransomware attack that caused a six-day shutdown of the US's largest fuel pipeline. In addition to the fuel shortages and the price spikes that this caused, the attack really prompted agencies and regulators in the US to spring into action. In recognition of just how catastrophic an attack on critical infrastructure can be for this nation, we saw the Transportation Security Administration issue two security directives. We saw the Cyber Incident Reporting for Critical Infrastructure Act of 2022, CIRCIA, be introduced, which imposed a seventy-two-hour reporting requirement and a twenty-four-hour deadline when a ransom payment is made.
Brittany Bacon:And that was just the tip of the iceberg. Pipeline operators and oil and gas companies are subject to a real patchwork quilt of obligations under federal and state rules, including those issued by the SEC and utility regulators and attorneys general at the state level. Not to mention, of course, requirements imposed by these companies' own customers and business partners. Alongside the backdrop of the legal and regulatory landscape that's been evolving, we have really observed that critical infrastructure continues to be a high value target for cybercriminals and hacktivists and nation state actors alike. This all lines up with the fact that the industry is digging deep into new digital and automated technologies, along with the fact that OT, which are operational technology systems that many of these companies use, are built on legacy infrastructure and systems that unfortunately suffer from unpatched vulnerabilities and outdated software and frankly, weak security controls that can make them even more difficult to protect.
Brittany Bacon:So there's a lot going on there, and it's something we certainly are very keen to discuss.
Elizabeth Corner:The way you describe it is like the perfect storm of all of these bits coming together. That means we really need to take this seriously.
Brittany Bacon:Absolutely. Yes.
Elizabeth Corner:I think that listeners will be interested to hear what executive and board responsibilities and fiduciary duties look like for critical infrastructure. Can you talk to us a little bit about that?
Brittany Bacon:Absolutely. And this is a topic that we are hearing echoed across many, many organizations in this industry. Everybody is concerned about it. In the US, both courts and regulators have made it very clear that cybersecurity is considered a mission critical risk. And it's a central compliance risk that really deserves board level oversight and monitoring.
Brittany Bacon:This is particularly true for utilities and other energy companies, which operate the nation's critical infrastructure in a really highly regulated sector. So what does this mean for boards? We have had the benefit of observing how courts have ruled in various actions that have been brought against directors following significant data breaches. And some key takeaways from these cases include the fact that a board really needs to oversee and monitor its company's cybersecurity risk and compliance program, as well as the company's preparedness efforts and its response to significant incidents. We have also seen that courts have been very focused on how frequently and comprehensively boards have been updated and provided information about the company's cybersecurity posture, compliance, and of course, its risk exposure.
Brittany Bacon:And another important thing to remember is that while cyber specific oversight obligations can be delegated to a board committee like the audit committee or a special steering committee, the full board ultimately must be kept informed of these material cybersecurity risks because that full board has the fiduciary obligations attached to it.
Elizabeth Corner:So this isn't something that you can address in a kind of separate room, in a space where you're all specialists, and not feed back to the board?
Brittany Bacon:Absolutely, absolutely. The full board must be kept apprised, particularly of these material cybersecurity risks. Appreciating the fact that there may be certain directors who have deeper subject matter expertise and are well positioned to be the ones on a regular basis, you know, discussing and thinking through these issues.
Elizabeth Corner:Sure. When regulators or courts review a company after a breach, they don't expect perfect protection as I understand it, but they do expect the company to have taken some reasonable steps to manage risk. And that's the benchmark that I believe you help boards and operators define. So my question is, what does reasonable look like if you're later going to be asked to prove diligence?
Brittany Bacon:You're absolutely correct. The courts do not expect perfection. The emphasis is certainly on reasonableness. And going back to those cases I mentioned, we have found that courts suggest that if a board provides appropriate oversight with respect to the program, courts really are hesitant to second guess management's risk based decisions concerning cyber controls and management. Courts have found that the company's decisions have to be reasonable and really focus on whether the board had systems and processes in place ahead of time to oversee and monitor the company's cybersecurity posture and of course, in the event of a data breach.
Brittany Bacon:So what does this look like in practice? On a proactive, more regular oversight basis, I would say it's important for boards to be kept apprised of some really key components of the company's program and risk posture. What does that look like? The board should be informed about what the company is facing from a threat environment perspective. What are the company's crown jewels?
Brittany Bacon:What are the most significant, valuable, and high risk systems and data that the company needs to protect? What is the company's cybersecurity governance structure looking like, and how is it ensuring appropriate oversight? How do the overall program expenditures and key security initiatives stack up in light of the risks and the threat environment? What are the company's preparedness efforts? What is it doing in advance of an incident?
Brittany Bacon:Things like identifying expert third parties that it would call into action in the event the company did face a significant incident. What are the company's peers doing? So, it's important for the board to receive benchmarking on how the company's security practices and maturity really compare to those of similarly situated organizations. From a breach response perspective, there are additional questions that the board should be asking and topics that management should be communicating to the board to help the board really demonstrate that it has exercised its cybersecurity oversight duties. So, again, what does this look like?
Brittany Bacon:In the event of an incident, the board should be focused on understanding what is the company's containment strategy? Have we terminated the threat actor's access to the systems and eradicated the threat actor from our environment? What is the potential impact from a business continuity perspective to the company's operations and financials and its reputation? What's our business continuity plan? From a legal perspective, what legal obligations do we have?
Brittany Bacon:Do we have any disclosure or notification requirements that have been triggered? In the event of ransomware, let's say, the board should understand what informed management's decision as to whether or not to pay the ransom. And will, of course, the payment violate any laws? And communications. What is our strategy for managing reputational risk to our brand?
Brittany Bacon:Who have we engaged to help us navigate the important PR challenges that might be presented in the event of an incident? And finally, root cause and recovery. So conducting a postmortem, making sure the board is aware of what caused the incident and what have we done to improve our safeguards and help prevent the reoccurrence of this type of event? Those are the kinds of questions that the board should be asking and that management should be communicating to help the board comply with its duties.
Elizabeth Corner:Thank you. That was an amazing overview of everything that you'd want a company to be able to prove, to show, to prove that they've been diligent and responsible. So with that in mind, and with new disclosure rules in mind, how can companies decide what is serious enough to report and how quickly they should report it, without either jumping the gun or holding back too much information? I wonder if you have a framework for that kind of decision making.
Brittany Bacon:It's a great question. And this is definitely an art, not a science. When we think about these SEC cybersecurity rules, for example, these rules require public companies to disclose material cybersecurity incidents within four business days of determining that the incident is material. And information as a general matter is viewed as material if there's a substantial likelihood that a reasonable investor would consider this information important in making an investment decision, or if it would significantly have altered the total mix of information that's made available to investors. This unfortunately is not a bright line test and it is highly fact specific, which is why to your question about, is there a framework for this decision making?
Brittany Bacon:That's exactly what a company should create. And we routinely work with our clients to develop the SEC disclosure and other types of notification-related frameworks that help sketch out the various considerations and the various factors that would need to be taken into account in real time to help assess whether the company has an obligation to disclose the event and, of course, when, because timing is everything. It's really important to think about these issues ahead of time and not wait for an incident to happen first.
Elizabeth Corner:We've heard in previous podcast episodes, and in fact, you mentioned earlier, about the risks inherent in third party vendor or third party supply chain connections. What are the biggest supply chain pitfalls that you're seeing? Is there one contractual clause that you wish every operator would adopt as standard?
Brittany Bacon:Yeah. So cyber related risks associated with vendors and the supply chain ecosystem are real. Countless matters that my team has handled over the past several years have stemmed from a single point of failure, whereby the compromise of one vendor, one entity, one link in the chain had a tremendous ripple effect on the downstream customers and business partners whose data and sometimes systems were ultimately compromised as a result. And I think this is particularly relevant for the pipeline and the rest of the oil and gas industry, given how its attack surface is really broader than ever. And you've got these geographically dispersed assets and heavy reliance on the complex supply chains with a lot of third party dependencies.
Brittany Bacon:If there was one contractual provision that would help address this kind of risk, that would be amazing. The reality is, unfortunately, there's no silver bullet, and we tend to focus on pushing for a suite, multiple layers of privacy and cybersecurity related terms that, depending on the company's leverage in connection with a particular negotiation, they may or may not be as successful in implementing and pushing onto their vendors. But the kinds of provisions we are focused on are ones that, of course, require the vendor to maintain reasonable safeguards, ideally ones that are aligned to industry frameworks like NIST and ISO. We also impose aggressive breach notification provisions that require very short, quick timing requirements for when the vendor needs to notify the company about an incident, an actual or suspected incident. Unfortunately, vendors will often wait until they have the full picture, the full scope of everything that had happened, full confirmation, which can take months to have before they communicate with their customers.
Brittany Bacon:And this is oftentimes too late. We also certainly want to make sure there are appropriate indemnification provisions that might cover third party claims that might be brought following an incident. Appropriate cyber insurance provisions to make sure the vendor has sufficient coverage and that our company is named as an additional insured to the policy. Appropriate audit rights are really important to give us the ability to engage in ongoing monitoring of our vendor beyond just contractually requiring the vendor to do certain things. We want to make sure we have ongoing visibility and know that the vendor is complying with what is written on the paper.
Brittany Bacon:And last but not least, because this can sometimes be forgotten, I would be sure to push for a reimbursement for notification related costs, which can be very significant following a vendor breach. Things like legal fees and forensics fees and credit monitoring and call center costs and external PR costs, all the kinds of direct costs that can often be borne by a company who didn't experience a breach itself, but unfortunately has a vendor who did that exposed their data.
Elizabeth Corner:That's a long list of things, especially those extras. You mentioned insurance, and I want to touch a little bit on cyber insurance. I'm aware that listeners will have varying levels of coverage depending on the size of their organisation and the importance of the data and the assets that they own. Can you tell me where are claims being challenged by insurers and how operators can avoid coverage gaps or surprises?
Brittany Bacon:Sure. So I am far from a cyber insurance expert, but we have a team at Hunton that really knows this better than anyone else in the industry. And here's what I think they would highlight. First, we want to talk about application misrepresentations. So many insureds innocently misrepresent something on their insurance applications, often because critical stakeholders are not all involved in the application process.
Brittany Bacon:Then when we have an incident, the insurer will look to the application to see what the response was. So here's an easy example: patching cadence, patching of vulnerabilities. Perhaps on the application, the company stated that they always install critical patches within twenty-four hours. But here, they didn't, which led to an exploit via some zero day vulnerability. The insurer may deny coverage because what we said on our application is not in fact what we did in connection with this breach.
Brittany Bacon:We also see this with some newly acquired subsidiaries. So, the insured will fill out the application as if they're answering on behalf of the parent company, but this might not address the differences in controls or systems that the subsidiaries have. And then the subsidiary has an incident and unfortunately the insurer looks at the application and sees that none of those controls warranted were actually in place for the subsidiary. And the insurer there can deny coverage and even may have a right to rescind the policy depending on the jurisdiction. The second quick thing I would mention is business interruption losses.
Brittany Bacon:So, this is another common source of disputes, which is the calculation of business interruption loss. The insurer will have their forensic accountants who never seem to agree with the insured's calculation of lost income, leading sometimes to months-long fights over that difference. Insureds really need to retain a competent forensic accountant that has experience in calculating cyber claims and coverage counsel to help guide them through loss calculation and submissions. And I would say to help avoid these coverage gaps and surprises, I really recommend taking a very close look at your policy and engaging super smart and effective cyber insurance coverage counsel. I have some names if you need any recommendation.
Elizabeth Corner:Great. Good to know. I'm going to jump forward now to a question I wanted to ask you about evidence preservation because you mentioned forensics. I want to ask you about evidence preservation versus rapid remediation. So how do we avoid jeopardizing forensics while we're safely restoring operations, we're busy doing that?
Brittany Bacon:That's a great question. And this can be a tension between the cybersecurity team who is in complete crisis mode, is trying to stop the bleeding, is trying to contain the incident, and is going to be inclined to unplug the system, wipe the system, get rid of the malware, take all of the steps that really are designed to help eradicate the threat actor's presence in the environment. The challenge with that can be if it's not done correctly and if it's not done by taking the appropriate steps beforehand, taking a forensic copy of the relevant systems and forensically preserving the images that will serve as a replica of exactly what happened. This can lead to what we call spoliation issues, where relevant evidence ultimately is destroyed. And if there is subsequent litigation following a data breach, the lack of that evidence, which again might be completely innocently removed or made to be destroyed by the company stakeholders, can be really problematic for the company to have to wrestle with from a legal perspective.
Brittany Bacon:So we recommend that the cybersecurity and IT teams who are working on the technical response are in complete lockstep with the legal team and the outside forensics advisers, particularly in those very early hours of the incident response process, which are so critical.
Elizabeth Corner:Do you have any do's and don'ts for an incident response plan, specifically for OT? The sorts of things I'm thinking about are who calls who first, when do we get legal involved, when do we initiate protocols? Is there a plan for that very early stage action?
Brittany Bacon:Yes. So an incident response plan is the cornerstone of a cybersecurity governance program. And it is absolutely critical that the incident response plan reflects a multi stakeholder holistic response to a cybersecurity event. It used to be the case that these incident response plans were highly technical. They were largely owned by cyber and IT.
Brittany Bacon:There was no mention of legal, no mention of comms, no mention of escalation processes. It was all about how do we fix the system and get it back to restoration. Now, as you mentioned, it's very important and commonplace and regulators expect that an incident response plan contains various multiple stakeholders that are in different groups that know what they are supposed to do. So there's clear delineation of roles and responsibilities. There's an escalation process.
Brittany Bacon:So, it makes clear who gets brought in when and why. How do we initially classify the incident? So, what is the potential severity level of the issue and what are the consequences of the event being classified in that way? Oftentimes in our incident response plans, we include an appendix that has the key steps that need to be taken within the first twenty four to seventy two hours, which are often the most critical moments of the incident response process. And that way we don't leave to guesswork what steps must be done.
Brittany Bacon:One word of caution though, I would just say, is make sure the incident response plan is not so overly prescriptive, like this person will be notified within forty-five minutes, because inevitably in the fog of a breach, there's so many moving parts and no one is going to be able to cross check and make sure that we comply with every single prescriptive requirement that's in there. So make it workable, make it scalable, and make it flexible to be able to be fit for purpose in the event of an incident, regardless of the nature and scope of it.
Elizabeth Corner:Thank you so much for talking to the podcast, Brittany.
Brittany Bacon:My pleasure. Thank you so much for having me.
Elizabeth Corner:Thank you to Brittany Bacon at Hunton Andrews Kurth LLP for decoding cyber risk for pipeline operators and for explaining board accountability, disclosure decisions, OT incident response, vendor contracts and insurance pitfalls. That was some very practical guidance on making reasonable security demonstrable and on what good governance looks like. Thanks for listening to the World Pipelines Podcast. Subscribe for free wherever you get your podcasts. If you have enjoyed this episode, please rate, please review, and forward to a colleague or friend.