Jones Walker LLP today publicly released the findings of its 2020 Midstream Oil and Gas Cybersecurity Survey, examining cybersecurity preparedness in North America-based independent midstream oil and gas companies. The findings will be presented during a webinar hosted by the Institute for Energy Law at the Center for American and International Law today at 12:30 p.m. CT.

The results reflect the responses of 125 key executives, security and compliance officers, and general counsel, and confirm that cybersecurity remains a top concern for the midstream sector of the oil and gas industry — especially as companies grapple with the worldwide economic downturn, the reduction in commodity prices, and the increased dependence on remote work and autonomous systems due to the global COVID-19 pandemic.

This survey is Jones Walker’s second on the topic of cybersecurity. The first was in 2018 and focused on maritime, another critical infrastructure industry. Jones Walker attorneys Andy Lee, Krystal Scott, and Ewaen Woghiren authored a report outlining the key findings of the firm’s Midstream Oil and Gas Cybersecurity Survey.

Speaking about the survey, Lee, partner and chair of Jones Walker’s privacy & data security team, says, “Similar to the 2018 survey, the Midstream Oil and Gas Cybersecurity Survey found that smaller companies are particularly vulnerable to cyber attacks. These businesses typically do not have appropriate breach response plans, and hackers are looking to take advantage of their weaknesses.”

Key findings of the Jones Walker Midstream Oil and Gas Cybersecurity Survey include:

• Avoid overconfidence. Although the majority of respondents believe that both the midstream sector and their own companies are prepared for a cyber attack, more than one in 10 suffered a successful breach.
• Know your enemies. To address cyber vulnerabilities effectively, companies must understand who and what they face. The survey respondents pointed to organized criminal groups as the top threat actors and to their own employees’ negligence as a source of major concern.
• Plan and practice for success. Survey results indicate that cybersecurity plans are not up to the task because they are either outdated or not practiced. Across all companies in the survey, 40% reported an attempted or successful data breach in the past year, but only 7% updated their written security policy during the same period.
• Match resources to the threat. Existing cybersecurity measures at midstream companies are varied and often do not correlate directly to their identified vulnerabilities. Companies indicated an increased focus on cybersecurity, yet only 38% of respondents will increase their cybersecurity budget this year. Further, despite increased vulnerability to cyber attacks during the COVID-19 pandemic, when more employees work remotely and often utilize a mix of personal and company-issued technology, 74% still do not have cyber insurance or cyber-breach insurance coverage.
• Partnering is sound strategy. Many companies work in isolation and do not take advantage of opportunities and cost efficiencies offered through industry collaboration and public-private partnerships.

“Despite the fact that there have been successful cyber attacks in the past year and that employees are considered a top threat, midstream companies still lack sufficient employee cybersecurity training — only 37% of respondents conduct annual trainings,” adds Scott, partner on the Energy, Environmental & Natural Resources Industry Team and co-leader of the firm’s energy and natural resources litigation team. “While employees pose a heightened risk to cybersecurity today due to increased remote-work conditions in response to COVID-19, a majority of midstream companies are not increasing cybersecurity budgets in the coming year. This may prove detrimental to the sector’s ability to thwart cyber attacks.”

Discussing a key finding, Woghiren, an associate on the energy and natural resources litigation team, says, “Sixty-eight percent of respondents indicated having cybersecurity plans included in their overarching strategic plans, and leadership participation in developing and executing these plans is high. However, a clear majority of companies reported that they do not have dedicated senior staff focused on cybersecurity. This lack of cybersecurity personnel is problematic, as their skills are necessary to avoid and combat increasingly complex cyber attacks.”

The 2020 Midstream Oil and Gas Cybersecurity Survey is available for download on the Jones Walker website.

Comments from Cybersecurity and Cyber Risk Insiders:

Brad Burke, Managing Director, Rice Alliance for Technology and Entrepreneurship, Rice University:

• “At the Rice Alliance for Technology and Entrepreneurship, we regularly collaborate with energy companies as they operate within a rapidly evolving technological environment. Just as we see startups focused on innovating for efficiency during this time, cybersecurity is also a key part of their digital transformation. Jones Walker’s Midstream Oil and Gas Cybersecurity Survey is a valuable tool that identifies key cybersecurity issues to spur thoughtful discussion and continued innovation in the midstream and other segments of the oil and gas industry. With this survey, companies have a resource to navigate tactical conversations about technology, security, and risk.”

Heather Hughes, VP Engagement Management, Stroz Friedberg, LLC, an Aon Company:

• “The Jones Walker team has successfully illustrated the ongoing cyber risks that our midstream clients face on a daily basis. Threat actors continuously work to exploit the midstream business model’s inherent vulnerabilities. The findings highlight our ongoing need for continued collaboration between industry experts, internal information security teams, and cybersecurity counsel. This collaboration benefits all parties and also provides a much-needed united front against cyber criminals.”

Christopher Morrow, Senior Attorney, IT & Cybersecurity, Williams:

• “Companies looking to allocate budget funds for cybersecurity must recognize that there is no ‘one size fits all’ answer. Cybersecurity spend for an organization should be guided by a defined risk appetite and recurring risk assessments based on the ever-changing threat landscape.”

Brian Robb, Underwriting Director & Cyber Industry Leader, CNA Hardy:

• “One of the most challenging aspects of cybersecurity is the sophistication of threat actors and their ability to quickly implement new technologies. These threat actors can leave companies, especially those without a dedicated cyber team, vulnerable and one step behind. The Jones Walker Midstream Oil and Gas Cybersecurity Survey provides a snapshot of threat actors and the tactics they employ. This white paper serves as a guide for energy companies to evaluate existing plans and ramp up for what the future may hold for cybersecurity.”

About Jones Walker
Jones Walker LLP (joneswalker.com) is among the largest 120 law firms in the United States. With offices in Alabama, Arizona, the District of Columbia, Florida, Georgia, Louisiana, Mississippi, New York, and Texas, we serve local, regional, national, and international business interests. The firm is committed to providing a comprehensive range of legal services to major multinational, public and private corporations, Fortune® 500 companies, money center banks, worldwide insurers, and emerging companies doing business in the United States and abroad.

The firm’s Energy, Environmental & Natural Resources Industry Team is experienced in all aspects of the midstream oil and gas industry complex, as it interfaces with upstream and downstream operations. Our understanding of the energy stream of commerce distinguishes us in providing regulatory, transactional, and litigation advice, including divestitures of gathering systems and processing facilities; the financing, construction, development, and permitting of interstate and intrastate pipelines and natural gas storage facilities; tax matters involving publicly traded master limited partnerships; pipeline condemnations; legacy litigation and environmental damage litigation; and title reviews, mineral title opinions, and reviews of title policies.

The firm’s privacy & data security team is committed to helping clients become cyber-ready and to identify, prevent, and respond to the full spectrum of data-breach and privacy risks. The team routinely works with companies to develop and audit cybersecurity plans and provide guidance about appropriate vendors and service providers to help companies become more cyber-ready. The team is also skilled at guiding clients through the aftermath of a breach or an attempted breach.