
Critical Infrastructure Risk Management

Overview

Critical infrastructures are the systems and assets, whether physical or virtual, so vital to the United States that their incapacity or destruction would have a debilitating impact on our nation's security, economy, public health or safety, or any combination of those matters. In the U.S., most critical infrastructure is owned by private companies, and includes pipelines, transmission lines, power plants, hospitals, universities, manufacturers, water treatment facilities, airports, and railroads.

In 2013, recognizing the growing threat of advanced cyber attacks on the business and industrial control systems on which critical infrastructure relies, the Federal Government ordered owners and operators to share information about cyber threats and attacks and to implement common voluntary cybersecurity standards. A year later, the National Institute of Standards and Technology (NIST) issued the Cybersecurity Framework for improving cybersecurity, which industries are adopting at varying stages. And in 2017, President Trump issued an Executive Order that imposes obligations on federal agencies to implement NIST standards and to work with the private sector to strengthen the cybersecurity of federal networks and critical infrastructure.

Beyond the directives of these Executive Orders, the Federal Government, customers, and other third parties expect various sectors, including government contractors, energy, and transportation, to implement technical controls that protect sensitive critical infrastructure information and to respond quickly and efficiently to security incidents and crises. The globalization of the economy also means that the U.S. has an interest in the development of security policies governing foreign investment in our nation's critical infrastructure. Increasingly, these obligations and opportunities require counsel, security personnel, and corporate boards to work together, and with the government, to manage security risks and threats.

Crowell & Moring's interdisciplinary team includes professionals who have served in positions throughout the federal government, including the Department of Homeland Security (DHS), the Department of Defense (DoD), the Department of Justice (DOJ), the Environmental Protection Agency (EPA), the Federal Energy Regulatory Commission (FERC), and other agencies. We offer innovative approaches to the laws, regulations, and policies that confront critical infrastructure. Notably, our practice brings together a wealth of experience in cyber and physical security regulations, business continuity, crisis management, internal investigations, and government relations. Our broad experience and understanding of government expectations allow us to help our clients assimilate new requirements into existing regulatory frameworks and risk management plans effectively and efficiently.

Comprehensive Security Risk Assessments

Facing a myriad of security regulatory requirements and evolving threats, critical infrastructure owners and operators in all sectors, including telecommunications, energy, transportation, financial services, the defense industrial base, critical manufacturing, and water, need a way to manage risk efficiently across their enterprises. Crowell & Moring recognizes comprehensive risk assessments as effective tools for helping companies manage and mitigate these risks.

Our representative experience includes:

  • Security Compliance Reviews: Assisting companies in undertaking comprehensive and coordinated cyber and physical security risk assessments and compliance reviews led by security personnel and legal counsel, an arrangement that can help direct compliance efforts and preserve privilege and confidentiality for business and proprietary information and data.
  • Security Plans: Working with companies to develop cyber and physical security policies, procedures, and operations, as well as incident response and business continuity plans (including restoration, mitigation, and contingency plans) and testing and exercise regimes.
  • Risk Mitigation: Helping companies reduce the risk profile and regulatory burdens associated with critical infrastructure and key assets.

Incident Response

Despite preparation and best efforts, incidents and crises will occur. Our Privacy and Cybersecurity and Government and Internal Investigations groups help clients conduct and manage privileged post-incident internal and external investigations in coordination with forensic investigators and represent clients before agencies and other government entities.

Our representative experience includes:

  • Advising companies in a multitude of sectors on hundreds of data breaches, including advising on government and contractual reporting obligations and potential mitigation responsibilities.
  • Representing Los Alamos National Security, LLC, the operator and manager of Los Alamos National Laboratory for the National Nuclear Security Administration, in connection with a February 2014 radiological release incident at the Waste Isolation Pilot Plant and compliance with applicable laws, regulations, contracts, and policies.
  • Providing representation before the Chemical Products Safety Board, Federal Trade Commission, Securities and Exchange Commission, offices of the U.S. Attorney General, and other relevant authorities.

Opportunities to Mitigate Risk

Given the potentially significant risks that critical infrastructure owners and operators face in the event of a security incident, our Insurance Group advises companies on identifying appropriate coverage.

Oftentimes, insurance isn't enough. Through the DHS Support Anti-Terrorism by Fostering Effective Technologies Act (the SAFETY Act) program, we help a broad array of clients seek and obtain liability protections, including immunity from tort claims for damages arising out of an act of terrorism and limits on potential liability for loss when approved anti-terrorism products and services are in use. Most critical infrastructure and service providers are eligible for SAFETY Act protection.

Cybersecurity Risk Management

Cybersecurity and privacy concerns have played an increasingly critical role in shaping how government and the private sector think about information collection, use, and disclosure. Information sharing, a core Homeland Security mission, poses unprecedented challenges in the information arena, including privacy, cybersecurity, and international data exchanges. Concerns about cybersecurity and privacy have caused delays, restructuring, and even termination of Homeland Security programs, and have created challenges for the private sector. Domestic laws, like the U.S. Patriot Act, may also clash with international privacy requirements.

U.S. and foreign regulators have responded with a patchwork of privacy principles (such as FTC and state Attorney General "recommendations"), new laws (including federal laws and different security breach statutes in 47 states and in Washington, D.C.), and aggressive enforcement. Together, these varying requirements and best practices create a complex and uncertain regulatory environment. We guide clients through these myriad laws, regulations, and best practices to design and implement efficient and effective privacy programs.

Our representative experience includes:

  • Compliance Counseling: We work with companies to adopt or improve efficient and effective privacy programs that are tailored to the particular threats and vulnerabilities as well as industry-specific issues each organization faces.
  • Regulatory: Our team identifies and helps organizations comply with all state, federal, and international laws, regulations, and best practices that apply to the organization.
  • Transactional: We help companies perform due diligence—particularly relating to privacy concerns—in advance of a transaction and develop key deal terms.
  • Litigation: Our team's national reputation for successful litigation, settlement, and thought leadership makes us a clear choice when a client faces significant class action litigation, such as under the Telephone Consumer Protection Act (TCPA), the California Confidentiality of Medical Information Act (CMIA), and other state and federal laws.

Energy Sector Security and Reliability

Managing the evolving risks faced by the energy sector requires both a comprehensive understanding of how this sector works and is regulated, and an equally thorough knowledge of the cyber and physical security environment and its overlapping regulatory framework. Our firm's experienced Energy Group and security professionals work together to help our clients comply with legal requirements and manage the material risks associated with security and reliability concerns.

Representative experience includes:

  • Recently assisted a generator operator client in responding to a potential violation of NERC Critical Infrastructure Protection standards, including analyzing whether any violation occurred.
  • Advised companies on implementation of the TSA Pipeline Security Guidelines, including providing advice on developing compliant corporate security programs, plans and risk analyses, conducting site reviews, and preparing for government inspections.

Industrial Security

We help our clients create, implement, and maintain security policies and procedures to effectively manage compliance with the evolving regulations confronting members of the defense industry. Recognizing that critical infrastructure owners and operators cannot always rely on regulatory compliance to manage risk, we also help our clients assess security vulnerabilities and develop policies and procedures to mitigate risk.

Because of the deep knowledge and experience of our Government Contracts Group, we are able to help clients navigate and address the regulatory and contractual issues that may arise in the event of a cyber or physical attack.

Our representative experience includes:

  • Advising companies on compliance with National Industrial Security Program Operating Manual (NISPOM) obligations, including the development of security training and incident response programs and policies.
  • Advising companies on Defense Federal Acquisition Regulations Supplement (DFARS) rules on safeguarding classified and other controlled or sensitive government information entrusted to them.
  • Advising and counseling energy companies on NERC compliance issues, with a particular focus on Critical Infrastructure Protection (CIP) Standards.
  • Conducting a comprehensive physical security assessment and providing a gap analysis for a major government contractor, in coordination with a technical expert, and assisting in developing a best-practice compliance program.

Chemical Security

Crowell & Moring's professionals have broad experience helping industrial sectors, including pipelines, pulp and paper mills, petroleum facilities, metal production and manufacturing plants, hospitals, universities and colleges, and industrial cleaning facilities, cope with chemical security regulatory programs, including the evolving DHS Chemical Facility Anti-Terrorism Standards (CFATS), the Coast Guard Maritime Safety and Transportation Act (MTSA) regulations, and the EPA Chemical Accident Prevention provisions.

Our representative experience includes:

  • Helping companies develop hundreds of CFATS and MTSA surveys, vulnerability assessments, and site and facility security plans.
  • Assisting companies in preparing for CFATS and MTSA field inspections and technical assistance visits.
  • Advising companies on internal and third-party audits, investigations, and compliance reviews.
  • Counseling companies on avoiding regulatory risks by modifying chemical holdings.

National Security

A Crowell & Moring interdisciplinary team, drawing on a broad base of knowledge in government contracting, energy, transportation, and mining, advises and counsels our clients on unique and complex national security regulatory programs, including export and other controls over sensitive technologies and issues related to the Committee on Foreign Investment in the United States (CFIUS), an inter-agency committee empowered to review all foreign investments in U.S. companies (including the transfer of a U.S. business from one foreign owner to another) that may affect U.S. national security. CFIUS interprets U.S. national security very broadly: it covers not only mergers and acquisitions involving U.S. defense contractors or businesses but also transactions that could result in foreign control of U.S. critical infrastructure, such as communications, energy, transportation, chemical and biopharmaceutical manufacturing, and mining assets.

The Government Contracts and International Trade groups at Crowell & Moring include lawyers who know the CFIUS process inside and out, having guided both foreign acquirers and domestic businesses through it and having participated in CFIUS reviews during prior government service, and who understand what companies need to do to gain approval for their transactions. We are also deeply familiar with the myriad of export control regulations (ITAR, EAR, NRC and DOE) that control the export and import of defense-related articles and services, nuclear power and other sensitive technologies, including access by foreign owners of U.S. businesses.

Our representative experience includes:

  • Counseling companies on identifying U.S. national security implications early in the consideration of potential transactions, on determining whether to submit a voluntary notice to CFIUS, on undertaking the filing process, and, ultimately, on managing the many formal and informal considerations involved in obtaining CFIUS clearance.
  • Counseling clients concerning U.S. laws and regulations applicable to foreign investment and ownership in the United States, such as ITAR, EAR, NRC and DOE.

Insights

Publication | 05.14.24

Critical Infrastructure: Updating the 2013 NIPP and other Risk Mitigation Actions

Protecting critical infrastructure is paramount to today’s digital age. Critical infrastructure includes physical and virtual systems essential for the functioning of our society, economy, and national security. Such a definition may include power grids, communication networks, and financial institutions, among other networks that heavily rely on interconnected computer systems. These systems are also considered critical infrastructure, as they are used to protect critical cybersecurity infrastructure. ...