Cyber Security Risks for Energy Businesses


The Optus data breach has focused the attention of executives of energy businesses on cyber security. Cybersecurity threats have increased in intensity and frequency over the past few years, and all utility providers should be re-examining their cyber resilience.

There are both general and industry-specific regulatory obligations that apply to energy businesses. Understanding the regulatory obligations that apply to your business is a critical component of any assessment of cybersecurity risk.

Regulatory and legal obligations relating to cybersecurity

Within the Privacy Act, the Australian Privacy Principles set out how businesses must collect, manage, store and disclose personal information. Personal information is defined in the Privacy Act as information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether the information or opinion is recorded in a material form or not. To comply with the Australian Privacy Principle 11, a business must take reasonable steps to prevent misuse, interference and loss, as well as unauthorised access, modification or disclosure of personal information. When no longer required (including under a legal obligation to retain), a business must take reasonable steps to destroy personal information or ensure that it is de-identified.

Recommendation one: Consider the personal information your business holds that is no longer required. Ensure that you either destroy or de-identify that information.

Businesses are also likely to have common law and contractual obligations when it comes to data security. Contracts with service providers often contain specific obligations relating to data shared and used.

Finally, energy businesses have industry-specific obligations to protect certain data, such as the obligation on Victorian energy retailers (clause 7.2(a) of the Electricity Customer Metering Code (1 Mar 2022)) to keep metering data confidential, use reasonable endeavours to protect that information and comply with any relevant guideline.

Recommendation two: map all of the data security obligations that your business has and ensure that responsibility for compliance with each of them is understood.

Understand the cybersecurity threats to your energy retail business

Cybersecurity threats to your energy business can come from many different sources. Common threats include cyberattacks by criminals, hackers and nation-states. Any of these could lead to data breaches, theft of customer information, or technical failures that disrupt operations. To prevent these occurrences, it is important to understand the different types of cybersecurity threat and take appropriate measures to protect your business.

Recommendation three: map the potential cybersecurity threats faced by your business. Understand how the data you hold could be misused and how much of a target your business is. Map mitigations you can employ against individual risks.

Implement cyber security measures to protect your business

In order to protect your energy retail business from cyberattacks, it is essential to implement strong cyber security measures. Here are a few tips to help you get started:

1. Establish strict cybersecurity protocols.

2. Implement robust password and 2FA requirements, anti-virus software and firewall protection.

3. Educate your employees on the importance of cyber security. Ensure that they understand the risks of social engineering and malware.

4. Stay up-to-date on the latest cybersecurity threats.

Cybersecurity is one of the top concerns for energy retailers in today’s digital age. Cybersecurity threats have increased in intensity and frequency over the past few years, and proper cyber security measures can help protect your energy retail business from the potential damage of cyberattacks.
