July 2020
Features

Cybersecurity, data security and privacy: Seven questions E&P company boards need to ask

The wealth of data that E&P companies hold makes them vulnerable to a range of risks requiring ongoing board oversight.
Sheryl Falk / Winston & Strawn LLP

One of the enduring legacies of the COVID-19 pandemic will be the shift to remote working, in an effort to reduce operating costs and employee health and safety risks. E&P companies will not be exempt from this development, both in terms of how they might change their own operations and in how they interact with business partners—such as oilfield service companies—that have already begun to move aggressively to remote working arrangements.

Fig. 1. Remote working further heightens cybersecurity, data security and privacy risks.

More remote working, however, means greater amounts of sensitive data moving digitally between many more devices, in many more locations, with less direct control by the company over how data are handled at the end points, Fig. 1. This state of affairs not only tests an organization’s cybersecurity capabilities, but also the extent to which it has an integrated approach covering cybersecurity, data security and privacy.

While cybersecurity has been part of the board agenda at E&P companies for some time, directors now need to make their digital oversight broader and more holistic. Companies that suffer a major cyberattack that results in loss of operations, data theft, or public disclosure of proprietary information can expose themselves to significant legal, regulatory and reputational risk. And while it has yet to happen, boards should anticipate the possibility of a suit relying on Caremark that would attempt to hold directors legally liable for failing to establish adequate oversight of cybersecurity, data security and privacy measures.

In considering a company’s cybersecurity, data security and privacy, it is important to note that while all three concepts are closely related, they are distinct, Fig. 2. Cybersecurity involves the protection of an organization’s electronic information systems from attack and unauthorized access. Data security covers the confidentiality, integrity and access of all data, including operational data, intellectual property, and employee records, whether those data are held in electronic or physical form. Privacy concerns itself specifically with the protection and use of personally identifiable data and the rights of individuals to those data. Because these areas are distinct, an E&P company with extensive cybersecurity capabilities may still have privacy vulnerabilities, for example.

Fig. 2. The intersecting domains of cybersecurity, data security and privacy risks.

Board oversight of this complex datasphere needs to be based on a clear understanding of the company’s vulnerabilities, the applicable regulations and legal liabilities, and a framework for asking management the right questions.

GREATER VULNERABILITY

Even before the move toward remote working brought by the pandemic, the cybersecurity, data security and privacy risks of E&P companies had been increasing. The typical E&P organization is laden with data. Trade secrets and proprietary geological and operational data, already extensive, will only grow with the evolution of artificial intelligence and the internet of things (IoT). Employee data include biometric data and health data, both of which are covered by longstanding regulations—such as HIPAA—as well as by a new generation of regulations protecting data privacy. These vulnerabilities extend to data from contractors or business partners that may sit on the E&P organization’s servers, or vice versa.

The amount and type of data stored by companies across the energy sector has made their networks high-value targets for malicious actors. Cyberattacks on energy infrastructure already have occurred and are likely to be an increasingly important weapon in terrorist attacks and conflicts between nation-states. Hackers are launching ransomware attacks on entire municipalities. As E&P companies sit at the origin point of the energy supply chain, their boards must ensure that their companies’ cybersecurity and data protection capabilities keep pace with this evolving risk landscape.

Beyond these external challenges, employees, contractors and business partners pose an ongoing internal threat. Sometimes that threat can be due to deliberate malfeasance—such as the recent case in which an oilfield services contractor live-streamed well data to a friend, who was setting up his own OFS business. But even employees and contractors who would not think of so brazen a theft may still have a less-than-rigorous perspective regarding intellectual property. A survey by cybersecurity firm Symantec revealed that half of employees retained confidential company information after they left their jobs, and 40% planned on using that information in their new job. Employees and contractors also lose company devices, fall victim to phishing attacks, and circumvent security measures they perceive as inconvenient.

The rise in remote working has magnified both internal and external data security risks significantly. Sensitive company data are now distributed across a wider network, creating more entry points for intruders. Employees working from home may have company information on personal devices or be accessing company networks through insecure channels. The need for information during the pandemic has created fertile conditions for COVID-19-related phishing exploits. All these factors have elevated data security to a board-level concern.

A WEB OF REGULATIONS AND LIABILITIES

In addition to greater vulnerability regarding data security, E&P company boards today also must ensure compliance with an array of state, national and supra-national regulations that continue to evolve. The cyber component of protecting infrastructure has been a part of industry risk management for some time, through established best practices and regulations, such as the Critical Infrastructure Protection Act in the United States, the European Programme for Critical Infrastructure Protection, and regulations from agencies, such as the Federal Energy Regulatory Commission and the North American Energy Regulatory Commission.

E&P companies also must comply with cybersecurity requirements that are woven into other regulations. For example, an E&P company that mis-states the protections that it provides to personal information may be in violation of the Federal Trade Commission Act’s prohibition against unfair and deceptive trade practices. Publicly listed companies must comply with the Securities and Exchange Commission’s regulations regarding disclosure of cybersecurity incidents.

In addition, E&P companies now face entirely new regulations, such as the EU’s General Data Protection Regulation (GDPR), the California Consumer Protection Act (CCPA), Illinois’ Biometric Information Privacy Act and the growing number of similar laws across various jurisdictions. These regulations place stringent requirements on the use of personal data and establish considerable individual rights regarding that data. They also can have extra-territorial reach and can empower individuals to bring civil action against companies for privacy breaches.

WHAT BOARDS NEED TO ASK

To stay ahead of rapidly evolving cybersecurity, data and privacy risks, regulations and liabilities, board directors need to know the essential questions to ask of management. The following list provides a framework for oversight.

  1. Is the company devoting adequate resources to the task? Even in the best of times, the functional leaders overseeing security and privacy often must fight for the staffing and resources necessary to keep pace with evolving threats. The COVID-19 pandemic has placed all corporate spending under scrutiny, exacerbating this situation. But as the flurry of cyberattacks during the pandemic has shown, the threat of cyber breaches actually increases during economic downturns, as bad actors seek to take advantage of organizations stretched thin and under pressure. E&P boards need to watch that corners aren’t being cut, and that the company retains the optimal balance of internal and outsourced capabilities to address these risks.
  2. Does the company have the right management structure? Cybersecurity, data security and privacy are not merely IT issues—they involve legal and regulatory requirements, as well as physical security, human resources and employee training. The convergence of these functions in an organization’s data security profile has caused many companies to re-examine the reporting lines of key leadership roles. While there is no one-size-fits-all answer, boards should satisfy themselves that the issue is being properly addressed from a legal, technological and business perspective. No matter how the security and privacy functions are structured, they should be agile and responsive to change, with direct and regular communication between the board and leadership.
  3. Does the board have the right composition? The shift to remote working will bring more than just changes in procedure; it will accelerate the use of automation, machine learning and other data-driven technologies. The nominating committees of forward-thinking E&P company boards will look to recruit CEOs and other senior executives that have technology and data security expertise, and who have helped implement these changes elsewhere.
  4. Do we know what data we have and how it flows into, out of, and through the organization? Even sophisticated organizations can lose sight easily of the amount of data that they collect and store. Identifying data is just the start; it is also necessary to track how data moves throughout the enterprise and beyond. For example, does the company share data with business partners, store data with third-party service providers or sell data to data brokers? Different types of data will present different risks and liabilities, and require different protection strategies. A thorough data inventory allows companies to develop comprehensive strategies rather than ad hoc responses that can lead to gaps and vulnerabilities.
  5. Do we know our data and privacy strengths and weaknesses? The greater risks that come with increased remote working heighten the need for E&P companies to have a close read on their cybersecurity, data security and privacy capabilities, so that priorities can be set in the most cost-effective way. Thorough data and privacy audits and testing, as well as reviewing certifications and conformity—with benchmarks such as the National Institute of Science and Technology’s Cybersecurity Framework—provide a useful baseline for these efforts.
  6. Are employees the first line of data security? Companies can significantly reduce both the costs and risks regarding data security and privacy by developing sustainable and effective data handling policies and procedures, and updating them to reflect developments like remote working. Changes made to policies and procedures need to be passed through to employee training and compliance. Remote working increases the importance of data hygiene at the individual level; employees should be properly equipped to comply with the company’s heightened data security expectations.
  7. Are data security and privacy integrated throughout the organization? The key to effective data security and privacy is ensuring that the necessary procedures and behaviors flow through the enterprise and are monitored for consistency. Coordination between legal, business and marketing functions is necessary, so that accurate representations are made to those inside and outside regarding privacy protection and data handling. HR should provide appropriate employee privacy and information security training. Vendor due diligence needs to include assessment of data handling and privacy practices. Contracts must be revised to reflect protections required by regulations, such as the CCPA and GDPR. Legal departments must ensure timely investigation and response to notification obligations arising out of data breaches.

These questions will undoubtedly lead to others, depending on a company’s exposure to cybersecurity, data security and privacy liability, and the maturity of its relevant functions. However, the insight these questions generate should help boards exert the appropriate oversight of this complex and dynamic area.

About the Authors
Sheryl Falk
Winston & Strawn LLP
Sheryl Falk is recognized as a leading lawyer in privacy, data security and trade secrets. As co-leader of the firm’s Global Privacy and Data Security Task Force, she brings significant litigation, privacy, and data protection expertise to help her clients protect their critical data and comply with fast-changing privacy and data security obligations. Ms. Falk is a Certified Information Privacy Professional and has been recognized in Legal 500.