Contractual Risk Allocation for Digitized Processes in the Upstream - - PowerPoint PPT Presentation

▶

contractual risk allocation for digitized processes in

Contractual Risk Allocation for Digitized Processes in the Upstream - - PowerPoint PPT Presentation

Jan 21, 2023 369 likes •539 views

Contractual Risk Allocation for Digitized Processes in the Upstream E&P Sector Contracts and Bridging Documents Glenn Legge, Cade White and Courtney Campion HFW USA October 11, 2019 Houston, Texas IADC Cybersecurity for Drilling Assets

slide-1

SLIDE 1

IADC Cybersecurity for Drilling Assets Conference

Contractual Risk Allocation for Digitized Processes in the Upstream E&P Sector

Contracts and Bridging Documents

Glenn Legge, Cade White and Courtney Campion HFW USA October 11, 2019 Houston, Texas

slide-2

SLIDE 2

IADC Cybersecurity for Drilling Assets Conference

Current Operational Environment

Exponential growth in use of

digitized processes and industrial control systems in upstream E&P.

Increase efficiencies, decrease

costs and improve

perations/safety.
Real time monitoring, AI, remote

sensors, real time integrity assessment via digital twins and MPD applications.

slide-3

SLIDE 3

IADC Cybersecurity for Drilling Assets Conference

Current Operational Environment

Digitalization could save upstream market $100 billion, report finds Rystad Energy estimates that as much as $100 billion can be eliminated from E&P upstream budgets through automation and digitalization initiatives in the 2020s.

Offshore Newsletter

October 8, 2019

slide-4

SLIDE 4

IADC Cybersecurity for Drilling Assets Conference

Current Contractual Utilization

Contracts
Address broader issues, obligations, warranties and industry standards.
Often employ a reasonableness standard.
Bridging documents
Incorporates specific regulations, standards and/or frameworks.
Specific standards of care.
Interaction of contracts and bridging documents must not create substantive

inconsistencies/tensions.

Contracts and bridging documents can create liability/exposure beyond the

scope of the immediate contract (JOAs, subcontracts).

slide-5

SLIDE 5

IADC Cybersecurity for Drilling Assets Conference

Contract v. Bridging Document

Drilling Contract: “Contractor shall devote its commercially reasonable efforts

and experience to the performance of the Work and perform the Work with due care and in a good, safe and workmanlike manner and in accordance with good oil and gas industry practices in the area where the Work is being conducted.”

Bridging Document: “Contractor shall ensure that all operations are

performed in accordance with all applicable local government regulations, Operator and Contractor standards, industry standards, standards referred to

r incorporated in the contract, best practices, and all other relevant standards.

slide-6

SLIDE 6

IADC Cybersecurity for Drilling Assets Conference

Avoid Inconsistencies in Contracts

Interaction of contracts and bridging

documents must not create substantive inconsistencies/tensions.

“In the event of a conflict between this

Bridging Document and the Agreement, the terms of the Agreement shall prevail. Contractor’s cybersecurity policies and management system shall govern all performance under this Agreement unless specifically stated otherwise.”

slide-7

SLIDE 7

IADC Cybersecurity for Drilling Assets Conference

Current Threat Environment

Cyberattacks, intentional and inadvertent introduction of malicious viruses,

state and non-state actors, reliance on contractors/service companies, digital process maintenance/updates.

ICS-ALERT-19-225-01 : Mitsubishi Electric Europe B.V. smartRTU and INEA ME-RTU (Update A)
ICS-ALERT-18-011-01 : Meltdown and Spectre Vulnerabilities (Update J)
ICSA-19-283-01 : Siemens Industrial Real-Time (IRT) Devices
ICSA-19-192-02 : Siemens SIMATIC WinCC and PCS7 (Update C)
Impairment of, or loss of control over, critical digital control systems.
Exposures - physical damage, personal injury/death, environmental

impairment, business interruption, lost/delayed production, loss of proprietary data and reputational damage.

slide-8

SLIDE 8

IADC Cybersecurity for Drilling Assets Conference

Current Regulatory and Industry Standards

Evolving with new technology or running to catch up?
Assessment of cyber risk – CISA Alerts/Bulletins.
Standards/processes for managing risks – NIST 800-82, ISO/IEC 27001,

ISA99/IEC 62443, USCG Cybersecurity Framework for Offshore Operations.

Disparate goals of regulators – USCG Framework v. BSEE RTM.
Regulations and industry standards = baselines for:
Contractual performance standards/warranties
Gross negligence, willful misconduct, negligence per se
Loss of limitation of legal, statutory and/or regulatory limits of liability

slide-9

SLIDE 9

IADC Cybersecurity for Drilling Assets Conference

Cyber Risks – 1. Assess 2. Allocate Allocation in Contracts or Bridging Documents?

slide-10

SLIDE 10

IADC Cybersecurity for Drilling Assets Conference

Allocating Cyber Risk - Contracts

Scope/structure of warranties – industry standards/regulations?
Knock for knock structure may not be functional due to scope of exposure – but

may be dependent upon insurance structure of operator.

Indemnity triggered by fault/non-compliance with contractual
bligations/industry standards rather than classification of damage.
Limitation of liability/waiver of consequential damages based upon

compliance with contractual obligations/industry standards?

Choice of law considerations to address non-traditional risk allocation.

slide-11

SLIDE 11

IADC Cybersecurity for Drilling Assets Conference

Allocating Cyber Risk – Contracts/Insurance

Insurance coverage – liability/additional insured/contractual liability coverage.
Significant variable in risk allocation negotiations.
Most liability, excess and reinsurance policies contain exclusions for cyber liability.
London market policies - CL380 exclusion
2019 JRC CL380 Buyback – Buyback A (isolated cyber attack); Buyback B

(non-isolated cyber attack).

Proximity of wells, processes, facilities.
No business interruption coverage.
CL380 Buyback applicable to contractual liability coverage?

slide-12

SLIDE 12

IADC Cybersecurity for Drilling Assets Conference

Allocating Cyber Risk – Contracts/Insurance

Operators – OIL Ltd. Cyber Wrap
Gap coverage USD 100M DIC/DIL.
Property damage/control of well trigger.

slide-13

SLIDE 13

IADC Cybersecurity for Drilling Assets Conference

Allocating Cyber Risks – Bridging Documents

Job/task specific obligations:
Align operator’s SEMS/operational program with required cyber safe work

processes.

Use of WCID format for application and use of digitized processes and ICS on

location.

Penetration testing on specific digitized processes/ICS.
Scope of cyber exposures – shared/common systems/components + Well,

Facility, Field wide exposures.

Job specific notification obligations regarding cyber intrusion.
Address methodologies to address cyber intrusions – MOC if
perations/communications “go dark”.

slide-14

SLIDE 14

IADC Cybersecurity for Drilling Assets Conference

Allocating Cyber Risks – Bridging Documents

Express responsibilities/warranties regarding:
Compliance with appropriate industry standards for cyber risks and

cybersecurity – certifications required?

Due diligence is not sufficient – diligence must adapt to evolving threat/regs.
Procedure for addressing evolving standards/regs – collaborative obligations

to address required actions/additional costs/impact on timeline.

Notice of past and current cyber security breaches – written notice, time

period, corrective actions, lessons learned.

slide-15

SLIDE 15

IADC Cybersecurity for Drilling Assets Conference

Questions?

“The future depends on what you do today.”

Mahatma Gandhi

slide-16

SLIDE 16

IADC Cybersecurity for Drilling Assets Conference

Contractual Risk Allocation for Digitized Processes in the Upstream E&P Sector

Contracts and Bridging Documents

Glenn Legge, Cade White and Courtney Campion HFW USA October 11, 2019 Houston, Texas