Jones Walker LLP publicly released the findings of its 2020 Midstream Oil and Gas Cybersecurity Survey, examining cybersecurity preparedness in North America-based independent midstream oil and gas companies. The findings were presented during a webinar hosted by the Institute for Energy Law at the Center for American and International Law.
The results reflect the responses of 125 key executives, security and compliance officers, and general counsel, and confirm that cybersecurity remains a top concern for the midstream sector of the oil and gas industry — especially as companies grapple with the worldwide economic downturn, the reduction in commodity prices, and the increased dependence on remote work and autonomous systems due to the global COVID-19 pandemic.
This survey is Jones Walker’s second on the topic of cybersecurity. The first was in 2018 and focused on maritime, another critical infrastructure industry. Jones Walker attorneys Andy Lee, Krystal Scott, and Ewaen Woghiren authored a report outlining the key findings of the firm’s Midstream Oil and Gas Cybersecurity Survey.
Speaking about the survey, Lee, partner and chair of Jones Walker’s privacy & data security team, says, “Similar to the 2018 survey, the Midstream Oil and Gas Cybersecurity Survey found that smaller companies are particularly vulnerable to cyber attacks. These businesses typically do not have appropriate breach response plans, and hackers are looking to take advantage of their weaknesses.”
Key findings of the Jones Walker Midstream Oil and Gas Cybersecurity Survey include:
- Avoid overconfidence. Although the majority of respondents believe that both the midstream sector and their own companies are prepared for a cyber attack, more than one in 10 suffered a successful breach.
- Know your enemies. To address cyber vulnerabilities effectively, companies must understand who and what they face. The survey respondents pointed to organized criminal groups as the top threat actors and to their own employees’ negligence as a source of major concern.
- Plan and practice for success. Survey results indicate that cybersecurity plans are not up to the task because they are either outdated or not practiced. Across all companies in the survey, 40% reported an attempted or successful data breach in the past year, but only 7% updated their written security policy during the same period.
- Match resources to the threat. Existing cybersecurity measures at midstream companies are varied and often do not correlate directly to their identified vulnerabilities. Companies indicated an increased focus on cybersecurity, yet only 38% of respondents will increase their cybersecurity budget this year. Further, despite increased vulnerability to cyber attacks during the COVID-19 pandemic, when more employees work remotely and often utilize a mix of personal and company-issued technology, 74% still do not have cyber insurance or cyber-breach insurance coverage.
- Partnering is sound strategy. Many companies work in isolation and do not take advantage of opportunities and cost efficiencies offered through industry collaboration and public-private partnerships.
“Despite the fact that there have been successful cyber attacks in the past year and that employees are considered a top threat, midstream companies still lack sufficient employee cybersecurity training — only 37% of respondents conduct annual trainings,” adds Scott, partner on the Energy, Environmental & Natural Resources Industry Team and co-leader of the firm’s energy and natural resources litigation team. “While employees pose a heightened risk to cybersecurity today due to increased remote-work conditions in response to COVID-19, a majority of midstream companies are not increasing cybersecurity budgets in the coming year. This may prove detrimental to the sector’s ability to thwart cyber attacks.”
Discussing a key finding, Woghiren, an associate on the energy and natural resources litigation team, says, “Sixty-eight percent of respondents indicated having cybersecurity plans included in their overarching strategic plans, and leadership participation in developing and executing these plans is high. However, a clear majority of companies reported that they do not have dedicated senior staff focused on cybersecurity. This lack of cybersecurity personnel is problematic, as their skills are necessary to avoid and combat increasingly complex cyber attacks.”
The 2020 Midstream Oil and Gas Cybersecurity Survey is available for download on the Jones Walker website.