Report Winning the Cyber Risk Challenge

Published on 23rd March 2020

The Energy/Power (E/P) sector’s speed of digitalisation is outpacing its building of cyber defense capabilities and adaptation of overall risk management strategies. In this report, Marsh & McLennan Advantage Insights analyses the Marsh Microsoft 2019 Global Cyber Risk Perception Survey to explore the latest cyber trends in the transitioning E/P landscape and propose strategies to proactively measure and manage cyber risks.

A shifting playing field
Many organisations in the E/P sector are now facing two overarching challenges that are shifting the threat landscape.

Internal Challenge: Digitalisation in the sector is outpacing its cyber defense capabilities

While digital transformation is positively reshaping the sector by reducing operational costs, improving profitability, and enabling faster and more effective decision-making; it also introduces a new set of risks to be managed, such as weaker security baselines and the use of potentially insecure data storage systems and data communication.

While cloud computing is perceived to have the greatest business benefit by respondents (65%) in the sector, the perceived level of cyber risk associated with it among respondents is higher than for most other technologies (26%), due to potential weaknesses in program interfaces and outside access to data.

While the sector is aware of the risks, there are concerns that it is not adequately equipped to deal with cyber threats – or perhaps overconfident in its ability to do so. When compared to the cross-industry average, respondents from the E/P sector are more confident in understanding and mitigating cyber risks but are just as insecure when it comes to recovering from cyber incidents.

External Challenge: E/P organisations are increasingly targeted by sophisticated cyber attackers

Both publicly and privately-owned E/P organisations have become prime targets for criminals and hostile governments. In many cases, the ability to disrupt enemies by bringing down the systems on which they depend has become a more central part of their strategy than conventional warfare. As such:

• 60% of respondents are highly concerned about the potential harm that a nation-state cyberattack could have on their business
• 53% agree that governments need to do more to help protect E/P organisations against nation-state cyber-attacks

Better organised “opponents”

Taking a closer look at the external challenge, the E/P sector faces increasing exposure to sophisticated cyber adversaries that can disrupt the sector more easily than events such as earthquakes, physical attacks, and operational errors.

Within their respective ecosystems, organisations need to focus on several internal and external cyber threat vectors to understand their overall cyber exposure.

Internal cyber threat vectors remain the most urgent yet understated sources of cyber risk for any organisation and industry. Yet, the sector has some way to go in ensuring that cyber risk management is truly “risk-driven”, integrated as a top-down organisation-wide shared responsibility. Ninety percent of E/P survey respondents indicated that cyber risk responsibility sits mainly within IT, and only 48 percent indicated that the responsibility sits mainly with their risk management team.

With regards to process, the sector has taken a more proactive approach on cyber risk compared to other industries, though these actions are still largely centered on basic preparation and prevention. Out of the E/P organisations surveyed:

• 91 percent of have made improvements in hardware security
• 84 percent in data protection capabilities
• 77 percent implemented awareness training
• 71 percent strengthened their cybersecurity policies and procedures

From a technology standpoint, the evaluation of cyber risks should be an end-to-end process with the understanding that cyber risk is a systemic business risk. Currently, a majority of the organisations assess their cyber risks during the initial phase of the project. Almost two-thirds of companies across all industries do so during the testing phase, and almost half of the E/P respondents (47 percent) note that their organisations also do so during the onboarding/implementation stage.

External cyber threat vectors stem from the growing supply chain, including trusted partners, and the evolving regulatory landscape that is seeking more accountability.

Supply chain risk is growing exponentially. As infrastructure rapidly modernizes, and pressure mounts to move operations to the cloud, players become more reliant on and integrated into third-party operations. More and more systems are increasingly interconnected, with interdependencies across the supply chain, and this interconnectivity will only continue to increase.

This raises the stakes for all organisations in the supply chain to maintain cyber resilience, as they now operate in ecosystems that are exposed to weaknesses in other companies, which may not have the same focus on cyber risk management.

According to 38 percent of E/P sector respondents, partners in the interconnected supply chains of the E/P sector faced a bigger threat from cyber risks than perceived by their own organisations.

From a policy and legislative perspective there has been a significant increase in the regulation of data privacy and cybersecurity globally and across all industries, with a primary focus on data protection and supply chain security.

Regulation and cyber threats were highlighted as the topmost concerns in the E/P sector. In terms of what type of standards works (or not) for the E/P sector, there are mixed perceptions on the effectiveness of “hard” government regulations and laws in helping organisations improve their cybersecurity posture across all industries.

How to win

With the embrace of transformative technologies and a long-term move towards cleaner energy sources, most players in the E/P sector have already shifted from mechanical and centralized assets to new operational-plus-digitalized systems that will increasingly expose each player in the ecosystem to cyber risks.

In order to win this digital-cyber challenge, organizations need to advance their cyber resilience by pursuing a range of cyber strategies and building up a portfolio of cyber capabilities. The focus should be equally placed on both cyber risk management as well as innovating with technologies. It will be prudent for organizations to consider embedding cyber throughout their digitalization journey, or risk favoring one at the expense of the other.