The research was conducted with participation of 163 global Energy CEOs from Australia, China, India, Italy, Germany, Japan, France, Spain, UK and US.
Within the Energy sector, respondents consider their organizations to be more prepared and confident. There are perhaps reasons for this degree of confidence. Energy companies have been more actively targeted than many other sectors over the last 5–10 years, and their maturity is therefore more advanced than in sectors such as construction, retail or large parts of transport.
However we see an interesting dynamic between the level of understanding of the risk, the maturity of the organization and the continued levels of investment. We find that many of those organizations that have the deepest understanding – often after living through severe incidents in the past – and that as a result have the most mature cyber security capability are often those that continue to invest on an ongoing basis; they understand that getting to a tolerable position is going to take many years and significant investment, and that even when they are at that tolerable position there will still be an ongoing requirement to work to maintain it.
This is because the cyber landscape is constantly changing. Beyond the IT cyber threats that organizational security departments have become familiar with, a new threat is emerging in the Energy landscape: the direct compromise of critical production assets. As the industrial control systems (ICS) used to manage assets’ production processes have evolved, companies have been able to reduce costs and improve efficiency by consolidating engineering and IT services.
The more mature organizations are also looking to improve effectiveness by adopting sophisticated data analytics on their production data. As a consequence, operational and corporate systems are sharing infrastructure, and previously standalone control systems are being integrated into corporate intranets or even connected to the internet.
However, in doing so, Energy companies may be exposing previously hidden vulnerabilities in their production assets, and the exploitation of these vulnerabilities could have an immediate operational, safety or environmental impact beyond the traditional financial and reputational impact seen with an IT system compromise. This new threat does not mean that businesses should halt the process of converging systems, but it does mean they need the skills to identify and manage the risk, adding yet another cost to already stretched cyber security budgets.
Energy companies are already exposed to significant business pressures that compete with cyber security for resources and often increase the cyber risks to the business. Oil & Gas faces the obvious pressure of market prices that remain low compared with 18 months ago.
Power & Utilities, on the other hand, are still under post-recession pressure to prevent a rise in their output prices despite significant rises in input costs over the last 8 years. This often encourages them to choose risk acceptance rather than mitigation, though that is seldom a formalized decision and is rarely, if ever, provisioned for. Nor is that the limit of the problem. Those conditions often drive other cost reduction exercises within the IT environment that can increase risk, such as a deeper and faster push to outsourcing and the fragmentation of services that comes with the move to the cloud.
All in all, the smart operators recognize the heightened importance of ensuring that every security pound or dollar spent hits its mark, and they realize that they will achieve greater success in doing this with help than they would on their own.
Fifty-five percent of CEOs believe their companies are fully prepared for a cyber event.
Fifty-seven percent of CEOs have met with their cyber security team 4–6 times, while 4 percent have never met with them.
Fifty-one percent plan to take steps in the next 3 years to meet with their board on cyber security, while 7 percent plan to take no action.
Sixty percent of CEOs plan to take steps in the next 3 years to convene multiple meetings with their cyber security team.
Thirty-seven percent of CEOs have taken steps to preempt a cyber security breach, while 30 percent report they have no plans to do so.
Fifty-nine percent plan to hire a cyber security consultant in the next 3 years.
Fifty-two percent of ENR CEOs are planning to upgrade their current technologies in the next three years and 40 percent have already taken preemptive steps.
Eighty-four percent have or plan to deploy new technologies in the next 3 years.
The majority of companies have changed their internal processes.
Eighty-three percent have changed, or plan to change, external processes such as data gathering, transaction processing or data sharing.
© 2017 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.