PracticalESG.com

Keeping you in-the-know on environmental, social and governance developments

I am not Nostradamus (although my kids think I am old enough that old Nosie and I used to hang together), but I have written extensively over the years about emerging environmental and sustainability risks. For the most part, these were business management risks rather than things that could imminently and substantially endanger human health. Even so, back in 2010 and again in 2014, I sounded the alarm about a very real risk that the next environmental catastrophe could be caused by hackers.

Almost all industrial manufacturing (such as chemicals, oil refining, metals smelting, pulp & paper, pharmaceutical and food processing) and utilities (power, water and wastewater) in the US are controlled by computer systems. These facilities manage a variety of potentially dangerous processes, including:

  • chemical management systems critical to preventing spills, releases and mixing of incompatible chemicals
  • combustion equipment (e.g., boilers and kilns) fuel feed controls and safety systems
  • waste storage, disposal and monitoring systems
  • dams, impoundments and flood prevention systems
  • water purification and wastewater treatment systems
  • fire control systems
  • fenceline air quality monitoring
  • numerous automated alarms

A front page article in USA Today now brings this risk to the public in the aftermath of the Colonial Pipeline and JBS hacks. Even so, the article misses many risks and arguably downplays the potential catastrophes from those it does cover. It’s not a stretch to imagine a terrorist group intentionally disabling process controls at a large chemical processing site, resulting in a Bhopal-like scenario. Or hackers “just” seeking to temporarily disable a power utility for a ransom, accidentally disabling all operational safety controls and causing fuel explosions and possibly a nuclear incident.

These are truly nightmarish scenarios – and perhaps closer to reality than you think.

What You Can Do

Environmental catastrophes are not the first thing that pops into people’s heads when the topic of cybersecurity arises, but the potential for these events should be included in corporate risk assessments, cybersecurity assessments and ESG materiality determinations. At least four facets of this risk should be evaluated:

  • Human health risk. Depending on the type of manufacturing operation and equipment, the risk to employees on-site and the community at large can be significant in the event of process failure. Chemical emissions, fires and explosions are deadly and they can have a wide area of impact. Facilities subject to OSHA’s Process Safety Management or EPA’s Risk Management Plan regulations are required to perform off-site consequence analyses that are helpful in assessing the risk, but they are limited to only specifically covered chemicals/processes. Gas-fired boilers and dams/dikes are not covered. When evaluating human health risks associated with your operations, it would be prudent to take a wide view of what may impact employees and the community.
  • Environmental impact. Similar to human health risk, operational failures or breaches can cause environmental contamination and loss of wildlife, ecosystems/habitat, and endangered species.
  • Consequential impacts. Catastrophic events at a single location can also start a domino effect of “downstream” consequential impacts. Examples include chemical contamination of food crops, energy outages at hospitals and critical infrastructure, flooding of other manufacturing facilities or utilities, compromised drinking water safety and loss of public use areas. There is even a possibility of disturbing previously closed environmental disposal sites – Hurricane Katrina flooded a closed municipal landfill, causing not only environmental damage, but also structural instability of the reclaimed land.
  • Financial exposure. Insurance usually provides a useful financial backstop for unplanned, sudden and accidental losses. However, your coverage likely has significant – or even absolute – exclusions or limitations for terrorist acts, cyber risk, pollution and consequential liabilities. It is advisable to review your insurance policy language in detail to identify and assess any relevant exclusions/limitations and make an informed decision about what to do from there.

The Editor

Lawrence Heim has been practicing in the field of ESG management for almost 40 years. He began his career as a legal assistant in the Environmental Practice of Vinson & Elkins working for a partner who is nationally recognized and an adjunct professor of environmental law at the University of Texas Law School. He moved into technical environmental consulting with ENSR Consulting & Engineering at the height of environmental regulatory development, working across a range of disciplines. He was one…