Given its significance to the economy, the energy sector is a prime target for hackers. A recent government survey of the FTSE 350 revealed that 68 per cent of board members have not been trained to deal with cyber security incidents, leaving them ill-equipped to manage the fallout from a successful attack.
Aside from the devastating direct impact a successful attack could have, it could also have profoundly damaging indirect consequences for an energy business, arising from:
(1) business interruption caused by the suspension of networks and systems;
(2) reputational damage;
(3) resulting third party claims (whether from customers or others who have suffered loss);
(4) regulatory investigations (for instance by the Information Commissioner or Ofgem);
(5) costs of repair;
(6) damage to share price.
The incoming (May 2018) General Data Protection Regulation (GDPR), and the Network and Information Systems Directive (NISD) will dramatically increase fines levied on businesses, including those operating within the energy sector. Under the current regime, the maximum fine for a data breach is £500,000; this is set to rise under the GDPR and NISD to 4 per cent of a business’s global turnover.
The NISD is specifically aimed at providers of “essential services”, which may include energy companies. Under the new regime, an essential service provider’s systems need to be secure by design and default, with an automatic duty to notify the competent authority (such as Ofgem) of a breach.
So what can energy companies do to mitigate the risk of a successful cyber attack and to ensure that they are best placed to deal with its consequences?
The most obvious step any company can take is to be prepared and to do what it can to stop an attack in the first place.
1. Risk assessment. Undertake a risk assessment of your existing networks and systems to identify weaknesses.
2. Create a culture of compliance. Encourage a culture of compliance and disclosure from the board to the floor so that staff are trained to be aware of the tell-tale signs and approaches of hackers and can report them when they see them.
3. Produce an incident response plan. Decide who within your organisation will be responsible for dealing with a breach; ensure they are senior enough to make decisions quickly, and give them a clear channel of communication that can be used even if your systems are down.
4. Insurance. Cyber insurance policies vary greatly. Speak to a specialist broker to help you decide what policy will best suit your needs.
5. Review your contracts. Supply chain vulnerability is another key factor in your security. If your suppliers are not as secure as you, your system may be compromised. Make sure that your contracts obligate your suppliers to meet your security standards.
If a breach occurs
With the best will in the world, no system can be guaranteed impregnable, so plans must be put in place telling people what to do if there is a breach.
1. Act quickly but carefully. If you do not have the internal expertise, engage a forensics company early to identify the cause of the breach and to advise on how to resolve the issue. Don’t forget to notify your insurer.
2. Instruct a specialist lawyer. Communications between a lawyer and their client are privileged from disclosure. Careful use of a cyber security lawyer can help you decide quickly how best to respond to a breach, bearing in mind the regulatory investigation and litigation that might follow. Communications with other professionals (such as accountants) do not attract privilege in the same way.
3. Notification. The lawyer will also advise if, when and how you may be obliged to notify regulators and others: the Information Commissioner, the police, Action Fraud, banks (if payment data has been stolen), suppliers (depending on the terms of your contracts), other regulators and, if necessary, the public.
4. Engaging with insurers and other external experts. Depending on the breach, you may need to engage the services of a public relations consultancy to shape your public message and communicate with your customers.
After the breach
1. Lessons learnt. Consider how you can improve your networks, systems, policies and procedures so that you respond better the next time around.
2. Recourse. Investigate who was responsible for the breach and whether you have a claim against them. It may be possible to identify the hacker with the help of a lawyer and a specialist IT forensics team.
3. Litigation/regulatory investigations. The risk of litigation is an unfortunate side effect of a cyber security breach. Suppliers may seek to terminate their contracts with you; customers may seek damages for any loss they have suffered; and regulators may consider the breach worthy of further investigation. In all cases, specialist legal advice should be sought.