The U.S. government is increasingly focused on protecting the nation's critical energy infrastructure from destructive cyber and physical attacks and ensuring security within its supply chain. Managing the evolving risks faced by the energy sector requires both a comprehensive understanding of how this sector works and is regulated, and in-depth knowledge of the cyber and physical security environment and its overlapping regulatory framework. Our firm's Energy Security Team includes experienced Energy and Privacy & Cybersecurity lawyers, working together to help clients comply with legal requirements and manage the material risks associated with security and reliability concerns.  

The owners and operators of the nation’s energy infrastructure today face an increasingly complex and risky environment in ensuring the safety, reliability, resilience and physical and cyber security of the system. We provide a robust suite of services to develop our clients’ protective systems, to ensure and verify compliance with applicable rules, to bolster physical, insurance-related and regulatory protections, and to support companies’ incident response in the increasingly likely event of a cyber breach.  These comprehensive services allow our clients to prepare for system-threatening events, to demonstrate compliance to the various federal, state and international regulators who are active in this space, and to support real-time, effective responses to events that threaten the system.

NERC Compliance

Our Energy Security Team advises on all aspects of our clients’ compliance with the mandatory reliability standards enforced by the North American Electric Reliability Corporation (NERC).  NERC violations can result in civil penalty assessments of up to $1,269,500 per violation per day.  Our lawyers regularly advise clients on risk allocation with respect to compliance with and enforcement of the NERC reliability standards in a variety of commercial transactions, including energy asset management and O&M agreements, and the negotiation and administration of agreements with third parties either providing NERC-related services or delegating NERC responsibilities to such third parties.  When necessary, we also assist clients in responding to NERC determinations of alleged violations of NERC electric reliability standards.

Additionally, we regularly help our clients prepare for NERC audits and other NERC compliance monitoring processes (such as self-certification), including reviewing the legal sufficiency of evidence provided by our clients to demonstrate compliance. This can include creating, reviewing, benchmarking and revising clients’ internal compliance programs to ensure that they meet NERC’s electric reliability standards; responding to NERC regional entity inquiries regarding internal compliance programs; and training senior management on NERC compliance, including risk exposure and measures to ensure compliance and mitigate violations.

Mitigating Cyber Risk

Our Energy Security Team has broad experience in helping energy businesses assess their physical and cyber risks and threats and develop legally compliant mitigation policies and procedures. As part of our efficient approach to counseling clients, we work with the company's resources, leveraging existing compliance reviews and assessments, in order to identify compliance requirements and best practices that efficiently and effectively protect data, networks, and systems. We also work with technical consultants through a relationship that helps maintain confidentiality and privilege.

A focus of our approach in mitigating cyber risk is to assist our clients in conducting comprehensive and privileged risk assessments and compliance reviews.  These reviews are tailored to each unique client, and typically include assessing and classifying client data; identifying required and recommended data and network safeguards; evaluating organizational governance of information, people, and policies; reviewing training requirements and content for compliance with existing standards; assessing accountability, including the auditing process, risk reporting, and enforcement activities; and reviewing contractual and other components of vendor management and supply chain risk.

We typically conduct our reviews by identifying and assessing our clients’ compliance with a broad range of government regulatory programs that impose obligations to protect sensitive company and personal information, including the Defense Federal Acquisition Regulation Supplement (DFARS); the Chemical Facility Anti-Terrorism Standards (CFATS); the Maritime Transportation Security Act (MTSA); and evolving federal and state government privacy data breach laws, which may impose control standards and incident reporting obligations upon companies, including those in the energy sector.

Incident Response Plans and Training

We also assist clients in developing or enhancing their privacy and cybersecurity policies and procedures, including governance frameworks for escalating events internally and communicating with government partners, incident response plans, vendor management agreements, and insider threat policies.

In order to help ensure that key and responsible individuals understand their obligations under the incident response plans, our Energy Security Team has developed, facilitated, and participated in hundreds of cybersecurity and privacy tabletop exercises – detailed and rigorous simulations of a cyber or privacy incursion that provide invaluable insight into the resiliency of the company’s response protocols. The goals of our tabletop exercises are to identify appropriate actions for each phase of an incident response and to assess the effectiveness of current policies and procedures. As a result of the exercise, we are able to develop a list of targeted suggestions to help mitigate cybersecurity risks and threats.

Crisis Management

We understand the threat landscape and the impact that a cyber incident can have on companies in the energy sector. We represent both clients who are experiencing a security breach, and clients that are alleged to have security or privacy vulnerabilities in their products or services. In these crisis situations, we pack our bags, hit the ground, and remain on site with our clients until the issues are resolved, from the initial internal investigation stage through the communication, government enforcement, and follow-on litigation stages.

SAFETY Act Certifications and Protections

The Support Anti-Terrorism by Fostering Effective Technologies Act (the SAFETY Act), enacted shortly after the 9/11 tragedy, gives the Department of Homeland Security (DHS) authority to encourage the development and use of anti-terrorism technologies and services by providing liability protections to companies that meet DHS criteria.  Since the Act’s passage, DHS has provided SAFETY Act approval to a widening range of cybersecurity products and services, including technology that detects, blocks, tracks, and contains malware threats across multiple threat vectors within an enterprise network.  Once approved, the Act caps third-party tort liability at an approved level of insurance, providing either limited or absolute immunity under some circumstances for losses suffered as a result of terrorist acts.  The Act includes a myriad of other risk management benefits for companies using approved technologies and services, such as exclusive jurisdiction in federal court for suits against sellers of a technology arising from acts of terrorism; a bar against punitive damages and prejudgment interest; a limitation on non-economic damages; and liability only in proportion to the responsibility of the seller.

Our Energy Security Team has helped numerous clients seek and obtain liability protections under the SAFETY Act. We help companies examine whether their security systems, business continuity, physical and cyber-related incident response plans, or other products and services qualify for coverage under the SAFETY Act. We also help our clients, with the assistance of technical consultants as appropriate, to develop the applications and information to secure the coverage.

Crowell & Moring To Launch In Denver With Seven-Lawyer Team The Global Legal Post (October 15, 2021)
Media Mentions
Crowell & Moring Launches In Denver With Seven-Lawyer Team Reuters (October 14, 2021)
Media Mentions
Crowell & Moring Hires Four Women To Open Denver Office Bloomberg Law (October 14, 2021)
Media Mentions
Crowell Launches Denver Office, Tapping Deep Into Local Talent Pool The National Law Journal (October 14, 2021)
Media Mentions
"Cyber Insights – Lessons Learned from Recent Ransomware Attacks," Webinar in collaboration with IBJ/IJE (September 21, 2021). Moderator: Maarten Stassen. Speakers: Evan D. Wolff and Matthew B. Welling.
"English High Court Judgment Narrows The Scope of Data Breach Claims," International Dispute Resolution Alert (September 15, 2021). Contacts: David Russell, CFA, Robert Weekes, Laurence Winston, Maarten Stassen
Client Alert/Newsletter
A New Flightpath For Cybersecurity (September 8, 2021). Authors: Evan D. Wolff, Kate M. Growley, Maida Oringher Lerner, and Michael G. Gruden.
"Employee Personal Information Protection in China – Are You Up to Speed?," Labor & Employment Law Alert - US (August 25, 2021). Contacts: Nicole Janigian Simonian, Robert Holleyman, Jackson C. Pai, Zhongdong Zhang, Yi Huang, Aurora Zhang
Client Alert/Newsletter
Even After Pandemic Disruptions, Law Firms' Tech Procurement Processes Remain Steady Legaltech News (August 23, 2021)
Media Mentions
Crowell Adds Boutique, In-House Alum Who Built Cyber Intel Platform Reuters Legal (August 12, 2021)
Media Mentions

Crowell & Moring LLP is an international law firm with offices in the United States, Europe, MENA, and Asia that represents clients in litigation and arbitration, regulatory and policy, and transactional and corporate matters. The firm is internationally recognized for its representation of Fortune 500 companies in high-stakes litigation and government-facing matters, as well as its ongoing commitment to pro bono service and diversity, equity, and inclusion.

© Crowell & Moring LLP 2021
Attorney advertising - prior results do not guarantee a similar outcome.