The Optus data breach has focused the attention of executives of energy businesses on cyber security. Cybersecurity threats have increased in intensity and frequency over the past few years, and all utility providers should be re-examining their cyber resilience.
There are both general and industry-specific regulatory obligations that apply to energy businesses. Understanding the applicable regulatory obligations is a critical component of any assessment of cybersecurity risk.
Regulatory & Legal Obligations relating to cybersecurity
Within the Privacy Act, the Australian Privacy Principles set out how businesses must collect, manage, store and disclose personal information. Personal information is defined in the Privacy Act as information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether the information or opinion is recorded in a material form or not. To comply with the Australian Privacy Principle 11, a business must take reasonable steps to prevent misuse, interference and loss, as well as unauthorised access, modification or disclosure of personal information. When no longer required (including under a legal obligation to retain), a business must take reasonable steps to destroy personal information or ensure that it is de-identified.
Recommendation one: Consider the personal information your business holds that is no longer required. Ensure that you either destroy or de-identify that information.
Businesses are also likely to have common law and contractual obligations when it comes to data security. Contracts with service providers often contain specific obligations relating to data shared and used.
Finally, energy businesses have industry-specific obligations to protect certain data, such as the obligation on Victorian Energy Retailers (Clause 7.2(a) of the Electricity Customer Metering Code (1 Mar 2022)) to keep metering data confidential, use reasonable endeavours to protect that information and comply with any relevant guideline.
Recommendation two: map all of the data security obligations that your business has and ensure that responsibility for compliance is understood.
Understand the cybersecurity threats to your energy retail business
Cybersecurity threats to your energy business can come from many different sources, including criminals, hackers and nation-states. Any of these could lead to data breaches, theft of customer information, or technical failures that disrupt operations. To prevent these outcomes, it is important to understand the different types of cybersecurity threats and take appropriate measures to protect your business.
Recommendation three: map the potential cybersecurity threats faced by your business. Understand how the data you hold could be misused and how much of a target your business is. Map mitigations you can employ against individual risks.
Implement cyber security measures to protect your business
In order to protect your energy retail business from cyberattacks, it is essential to implement strong cyber security measures. Here are a few tips to help you get started:
1. Establish strict cybersecurity protocols.
2. Implement robust password and 2FA requirements, anti-virus software and firewall protection.
3. Educate your employees on the importance of cyber security. Ensure that they understand the risks of social engineering and malware.
4. Stay up-to-date on the latest cybersecurity threats.
Cybersecurity is one of the top concerns for energy retailers in today’s digital age. Cybersecurity threats have increased in intensity and frequency over the past few years, and proper cyber security measures can help protect your energy retail business from the potential damage of cyberattacks.