Utility Week

Utility Week 22nd September 2017

Utility Week - authoritative, impartial and essential reading for senior people within utilities, regulators and government

Issue link: https://fhpublishing.uberflip.com/i/876437


Operations & Assets | Market view

Cyber security essentials

Energy companies could find themselves particularly hard hit by a cyber attack, say Dominic Holden and Michael Hekimian, so it is essential they put the right measures in place now.

Given its significance to the economy, the energy sector is a prime target for hackers. A recent government survey of the FTSE 350 revealed that 68 per cent of board members have not been trained to deal with cyber security incidents, leaving them ill-equipped to manage the fallout from a successful attack.

Aside from the devastating direct impact a successful attack could have, it could also have profoundly damaging indirect consequences for an energy business because of:

(1) business interruption caused by the suspension of networks and systems;
(2) reputational damage;
(3) resulting third party claims (whether from customers or others who have suffered loss);
(4) regulatory investigations (for instance by the Information Commissioner or Ofgem);
(5) costs of repair;
(6) damage to share price.

The incoming (May 2018) General Data Protection Regulation (GDPR), and the Network and Information Systems Directive (NISD) will dramatically increase fines levied on businesses, including those operating within the energy sector. Under the current regime, the maximum fine for a data breach is £500,000; this is set to rise under the GDPR and NISD to 4 per cent of a business's global turnover.

The NISD is specifically aimed at providers of "essential services", which may include energy companies. Under the new regime, an essential service provider's systems need to be secure by design and default, with an automatic duty to notify the competent authority (such as Ofgem) of a breach.

So what can energy companies do to mitigate against the risk of a successful cyber attack and to ensure that they are best placed to deal with its consequences?

Be prepared

The most obvious step any company can take is to be prepared and do what you can to stop an attack in the first place.

1. Risk assessment. Undertake a risk assessment of your existing network and system to identify weaknesses.
2. Create a culture of compliance. Encourage a culture of compliance and disclosure from the board to the floor so that staff are trained to be aware of the tell-tale signs and approaches of hackers and can report them when they see them.
3. Produce an incident response plan. Decide who will be responsible within your organisation for dealing with a breach and ensure they are sufficiently senior to be able to make decisions quickly, with a clear channel of communication available to them which can be used even if your systems are down.
4. Insurance. Cyber insurance policies vary greatly. Speak to a specialist broker to help you decide what policy will best suit your needs.
5. Review your contracts. Supply chain vulnerability is another key factor in your security. If your suppliers are not as secure as you, your system may be compromised. Make sure that your contracts obligate your suppliers to meet your security standards.

If a breach occurs

With the best will in the world, no system can be guaranteed impregnable, so plans must be put in place telling people what to do if there is a breach.

1. Act quickly but carefully. If you do not have the internal expertise, engage with a forensics company early to identify the cause of the breach and advise on how to resolve the issue. Don't forget to notify your insurer.
2. Instruct a specialist lawyer. Communications between a lawyer and their client are privileged from disclosure. Careful use of a cyber security lawyer can help you decide quickly how best to respond to a breach, bearing in mind the regulatory investigation and litigation that might follow. Communications with other professionals (such as accountants) do not attract privilege in the same way.
3. Notification. The lawyer will also advise if, when and how you may be obliged to notify regulators: the Information Commissioner, the police, Action Fraud, banks (if payment data has been stolen), suppliers (depending on the terms of your contracts), regulators and, if necessary, the public.
4. Engaging with insurers and other external experts. Depending on the breach, you may need to engage the services of a public relations consultancy to shape your public message and communicate with your customers.

Post breach

1. Lessons learnt. Consider how you can improve your network, systems, policies and procedures to improve your response the next time around.
2. Recourse. Investigate who was responsible for the breach and whether you have a claim against them. It may be possible to locate the hacker through the use of a lawyer and specialist IT forensics team.
3. Litigation/regulatory investigations. The risk of litigation is an unfortunate side effect of a cyber security breach. Suppliers may seek to terminate their contracts with you; customers may seek damages for any loss they have suffered; and regulators may consider the breach worthy of further investigation. In all cases, specialist legal advice should be sought.

Dominic Holden, senior associate, dispute resolution; Michael Hekimian, legal director, commercial, Ashfords LLP
