Low oil prices and looming debt loads are not the only challenges facing upstream offshore oil and gas companies and their vendors. As if those were not enough, owners and operators must also contend with the insidious threat of cyber attacks, which are very real and have been under way for some time. Jeannie Stell reports.
Offshore operations are exposed across the board, from theft of seismic software and interception of communications to malware aimed at pipeline control systems, and everything in between. Yet many owners and operators say they are not confident in their ability to respond to a cyber attack.
For example, according to a recent report by global consulting firm EY, an estimated 61% of oil and gas companies believe it is unlikely or highly unlikely that they would be able to detect a sophisticated attack. Another 29% report that they have no real-time insight into cyber threats. Only 13% of the oil and gas companies surveyed believe that their information security function is fully meeting the organization's needs.
One way to stay ahead of cyber attacks is to look at where the threat is heading rather than only at where it has been.
“Security departments tend to report ‘lag’ indicators when they are asked to provide the business with the likely cyber threats in the future that they should prioritize,” reports EY’s global information security leader, Ken Allan. “These types of indicators do have some value, but they provide only a retrospective commentary on events, acting as historical indicators of performance on compliance, rather than meaningful insight into future threats, risks of business initiatives or an evolving threat landscape.”
Vendor cyber attacks
Meanwhile, many owners and operating companies are not aware of, or prepared for, cyber attacks that reach them through their third-party vendors. The results of a new study suggest that many companies are underperforming in this area.
“The same due diligence that organizations apply to their own incident response plans must be applied in this critical area of managing sensitive data outsourced to third parties, including demonstrating how they are protecting the data, maintaining a mature incident response plan, testing the plan and providing strong contractual service-level agreements to report compromises back to the organizations,” warns Rocco Grillo, the managing director of Protiviti.
According to the “2015 Vendor Risk Management Benchmark Study,” published by the Shared Assessments Program and global consulting firm Protiviti, organizations must improve their third-party and vendor risk-management programs to keep pace with the latest risks and challenges, or risk expensive, time-consuming and possibly hazardous consequences.
The benchmark study gathered and analyzed responses from more than 450 senior executives, risk management personnel and audit professionals, who rated their organizations against the Vendor Risk Management Maturity Model (VRMMM), a benchmarking tool from the Shared Assessments Program that measures the quality and maturity of existing vendor risk management programs. Comparing the 2015 results with 2014 data suggests, on first reading, that vendor risk management capabilities are stagnating: scores in half of the categories did not change from one year to the next. Flat scores do not necessarily mean no progress has been made, however.
During the year between the two surveys, a period that saw a wave of cybersecurity breaches, boards of directors and regulators stepped up their oversight of IT security risk programs, according to Protiviti. That increased regulatory focus on third-party risk means organizations, particularly at executive and board level, are now more aware of their own programs' strengths and weaknesses.
“With greater clarity about what is required to minimize and mitigate cybersecurity risks, many respondents likely rated their capabilities lower even in the face of process improvements in their firms, and may also be setting a higher bar for what they deem to be mature levels of vendor risk management,” Protiviti said.
Grillo, who is also the firm’s global leader for incident response and forensic investigations, says: “The increasing frequency and magnitude of cybersecurity breaches, along with recent and forthcoming regulatory actions, make it imperative that vendor risk management programs make a significant leap forward. This change requires fundamental alterations to strategies, processes and organizational culture. The good news is that there is greater demand for building more robust vendor risk management programs. This issue is more frequently a part of the agenda for boards of directors, who are regularly seeking assurance from management that the appropriate steps are being taken to combat vendor risk.”
The survey yields two key findings. First, vendor risk management programs require more substantive advances. Second, policies, standards, procedures and contract management and criteria are currently the most mature components of vendor risk management programs.
"The study clearly indicates, across industries and leadership roles, that much work needs to be done," says Gary S. Roboff, a senior advisor with Shared Assessments. "Organizations are asking for more resources and effective, efficient strategies to manage third-party risks, and this research tells us that executives are aware of the need for continued vendor risk management improvement."