New BIMCO Cyber Security Clause
With the increasing digitisation and use of information technology in the world today, the chance of becoming a victim of a cyber-attack is greater than ever. The energy industry is particularly susceptible as it seeks to increase the automation of processes in the interests of efficiency, safety and reducing the potential impact of human operational errors.
The potential fallout from a cyber-attack, therefore, could be devastating, resulting in damage to reputations, the environment or property, injury or death of personnel, and financial hardship to the company targeted.
Companies in the offshore oil and gas sector are, therefore, seeking to increase their resilience to such attacks; this is not only a question of strengthening the IT systems that protect the company, but also ensuring that personnel are fully trained to recognise the increasingly sophisticated tactics used by hackers.
Particular areas where operators and contractors may be vulnerable arise from the facility for offshore assets to be remotely controlled through networked systems. Whether that is a dynamically positioned drillship, or a remotely operated pipeline valve, any area where technology is used in operations is susceptible. There are particular concerns regarding the security of equipment within the sphere of the Internet of Things.
In order to regulate some of these risks between contracting parties, BIMCO has released its new Cyber Security Clause 2019. The clause broadly achieves four objectives: it sets out the cyber security arrangements that should be in place, it requires the parties to use reasonable endeavours to ensure that any third party contractors adopt the same arrangements, it contains a notification regime - which can quickly reduce and manage any risk that might arise - and it contains a standard provision to limit liability in the absence of gross negligence or wilful misconduct.
According to BIMCO’s own guidance, the intention behind its clause is threefold: (1) to raise awareness of the risk of cyber security attacks, (2) to ensure the parties have appropriate measures in place to mitigate against the risk, and (3) to manage the effects of an incident when it occurs through co-operation between the parties. It is expressly designed not to cover payment fraud since there is little that a generic clause can do to reduce the risk of this type of incident.
The standard BIMCO clause does not require cyber security insurance since the availability of different types of cyber security insurance policy can vary significantly between providers and across different jurisdictions. It is hoped by BIMCO that, although the clause does not require (or fully address) cyber insurance, it will help parties to secure affordable insurance protection based on the liability cap included in the clause.
Related news & insights
News / Climate change litigation update: Derivative claim dismissed
06-07-2022 / Energy & Infrastructure
McGaughey & Anor v Universities Superannuation Scheme Ltd & Anor  EWHC 1233 (Ch) On 24 May 2022, the High Court refused a claim brought against the directors of the Universities Superannuation Scheme (the “USS”), the largest private pension scheme in the UK, for inaction around climate change commitments.
News / Refund guarantees – avoiding drafting pitfalls
12-05-2022 / Energy & Infrastructure
Refund guarantees are often described as the cornerstones to shipbuilding projects and the buyer’s main security. Although they do not strictly form part of the shipbuilding contract, a shipbuilding project is unlikely to go ahead at all without one. It is therefore important to understand the different types of guarantee instruments, and the impact each has in practice on the guarantor’s obligations to pay and the buyer’s entitlement to recovery. A well-drafted guarantee provides certainty to the parties and strikes a balance between their respective entitlements and obligations.
News / You will be estopped if you cross the line
04-04-2022 / Energy & Infrastructure
Estoppel is a useful tool in litigation, which is usually used to bind one party to a statement or a promise that it has previously expressed causing another to accept or adopt it for the purpose of their legal relations. The Court’s recent ruling in Geoquip Marine Operations AG v (1) Tower Resources Cameroon SA (2) Tower Resources PLC addresses estoppel by convention and recognises the requirement for the common assumption created between the parties to be clear and unequivocal. In this article, we focus on the specifics of the Court decision.
News / Court of Appeal overturns second Unaoil bribery conviction
29-03-2022 / Energy & Infrastructure
On 24 March 2022, the Court of Appeal overturned the conviction of a second man, Paul Bond, prosecuted by the Serious Fraud Office (SFO) in relation to alleged wrongdoing by Unaoil.
News / The Court grapples with impact of Covid-19 on European rugby
08-03-2022 / Energy & Infrastructure
As we approach the second anniversary of Covid-19 being declared a pandemic by the World Health Organisation on 11 March 2020, a number of judgments are coming out of the English Courts which are providing useful guidance on how the English Courts are treating claims concerning Covid-19, especially in a force majeure context.
News / Climate change litigation: Courts decide the law, not political policies
02-03-2022 / Energy & Infrastructure
R (Finch) v Surrey County Council CA (Civ Div)  EWCA Civ 187 “The task of the court in a claim such as this is only to decide the issues of law. Those issues cannot extend into the realm of political judgment – which is the responsibility of the executive, not the courts …”