Nine out of ten of the world’s leading energy companies, including the top ten US energy companies, experienced a third-party data breach at some point in the last 12 months. According to cybersecurity ratings company SecurityScorecard, while only four percent of leading energy companies worldwide suffered a direct data breach, most were compromised via a supplier, contractor, or other third-party organization.
“Fueling the global economy and daily life, reliance on the energy sector elevates it as a prime target for cyberattacks. Amid economic and political uncertainties, concerns about safeguarding this vital sector intensified. Energy attacks not only result in financial losses and disruptions but ripple through manufacturing, healthcare, and transportation sectors,” says SecurityScorecard.
But the situation appears to be worse in a developed digital economy such as the US, where large organizations and their staff routinely hire legions of third- and even fourth-party suppliers, frequently with purely online contact. An alarming 92% of the energy companies assessed by SecurityScorecard were also exposed to fourth-party breaches. Another factor could be that US energy companies supplying critical services are prime targets for cyber espionage by potentially hostile foreign powers.
New law to make companies liable
Senior Vice President of Threat Research and Intelligence at SecurityScorecard, Ryan Sherstobitoff, says: “More than two years after the major U.S. pipeline ransomware incident, the world still lacks a common framework for measuring cyber risk. Transparency and information sharing about cybersecurity is critical for national security.”
Controversial new SEC rulings due to become law this month will make US organizations responsible for data loss resulting from third- and fourth-party attacks and liable to potential prosecution for negligence. Companies must disclose any “material” cybersecurity incident within four days. The stringency of the new rulings, the damage a data breach can do to customer and shareholder confidence, and the potential for further financial losses together mean that a widespread and urgent overhaul of third- and fourth-party supplier security is called for.
“Hope and prayer may be useful but are clearly not sustainable strategies. Preventing the surge of supply chain attacks requires systematically applying real-time data triggering,” says Jim Routh, Fortune 500 CISO and Senior Advisor and Chairman of the SecurityScorecard Cybersecurity Advisory Board.