The impending cybersecurity revolution in the oil and gas industry

In recent years, the oil and gas industry in the United States has witnessed a growing need for cybersecurity measures due to the ever-increasing cyber risks. This need has become even more pressing with the new information security directives issued by the Transportation Safety Administration (TSA) in 2021 and 2022. These directives, together with the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) and the proposed regulation of the Securities and Exchange Commission (SEC), have introduced new vulnerability assessment and reporting requirements for companies in the sector. The Biden administration's recently released National Cyber Security Strategy also placed emphasis on increasing government regulation and private sector accountability.

The impact of increased government and regulatory oversight

The National Cyber Security Strategy emphasizes the importance of establishing information security requirements for critical infrastructures. The strategy emphasizes the federal government's role in establishing these requirements, while also encouraging states and independent regulators to use their authorities to do so. The expectation is that this will lead to increased government oversight and regulation of cybersecurity in the oil and gas sector. An example of these potential government actions is the recent Government Accountability Office (GAO) report on the cybersecurity of offshore oil and gas facilities. Additionally, recent actions taken in New York state may indicate how other states may seek to lead cybersecurity practices in the industry.

The importance of effective IT security management

Effective cybersecurity management requires strong collaboration between different stakeholders, including technical teams, security teams, legal, communications, and others. The planned revision of the NIST Information Security Framework will introduce a new "Govern" function, highlighting the importance of effective governance. The proposed SEC rule regarding information security disclosures by registrants also highlights the importance of governance. This approach confirms the growing expectations for companies' governance of cyber risk. Oil and gas companies should expect governance to become a key feature of their cybersecurity programs in the future, if it hasn't already.

Prepare for a future of rising cybersecurity expectations

Cybersecurity expectations for US oil and gas companies have increased in recent years and are expected to continue to do so. Companies should engage with policymakers to ensure future policies effectively advance industry cybersecurity. Oil and gas companies should also prepare for three key trends: advance reporting or disclosure of cyber incidents, increased government oversight or regulation of cyber security practices, and rising expectations for cyber security governance. While the details of future cybersecurity expectations for the industry remain to be seen, understanding and responding to these three trends will enable oil and gas companies to manage the legal, financial and reputational risks associated with the many cyber threats they face.