Cyber risks facing the oil and gas industry continue to grow. Legal requirements, likewise, are continuing to expand. The cybersecurity directives issued by the Transportation Safety Administration (TSA) in 2021 and 2022, for example, imposed new requirements upon certain oil and gas pipelines, including new incident reporting obligations and required vulnerability assessments.
The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) and the Securities and Exchange Commission's (SEC) proposed rule to require public companies to disclose material incidents within 4 business days promise further change. Moreover, the National Cybersecurity Strategy recently released by the Biden administration makes strengthening the cybersecurity of US critical infrastructure a top priority. Emphasizing an increase in government regulation and private-sector accountability to "rebalance" legal expectations for companies, the Biden administration's strategy could have potentially significant consequences for the oil and gas sector, particularly if Congress passes legislation expanding regulatory authorities.
In short, further change is on the horizon. But what does this mean for companies in the oil and gas industry? While it is impossible to predict precisely how policymakers will shape cybersecurity requirements in the future, leaders in the oil and gas sector will benefit from understanding three key trends: first, a shift toward earlier reporting and public disclosure of cyber incidents; second, an increase in government oversight and regulation of cybersecurity within the industry; and third, a heightened focus on cyber governance, including by companies' boards of directors.
This article summarizes how these trends may affect oil and gas companies in the coming years and describes steps companies can take to stay ahead of the curve.
Earlier Reporting and Public Disclosure of Cyber Incidents
The TSA substantially expanded cyber incident reporting requirements in the oil and gas industry when it required critical pipeline owners and operators to report any cybersecurity incident on a pipeline's network infrastructure to the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) within 12 hours of identification. Policymakers are not stopping there.
The two forthcoming requirements discussed next will further advance this trend toward earlier reporting of incidents to government agencies and, in some cases, public disclosure of cyber incidents. As a result of these and other impending changes, a broad range of US oil and gas companies should expect to be required to report, and possibly disclose, certain cyber incidents in the next few years.
In 2022, Congress dramatically expanded cyber incident reporting to the federal government with CIRCIA. That statute requires covered entities to report certain substantial cyber incidents to CISA within 72 hours. Covered entities will also need to disclose within 24 hours any ransom payments made.
The exact scope and mechanics of these requirements will be identified in a rulemaking effort led by the Director of CISA — a process that saw extensive industry comments in response to a request for information in September 2022. Some of these industry comments recommended that CISA cover only the most critical infrastructure and the most severe incidents in the forthcoming rule.
The tone of the National Cybersecurity Strategy appears to suggest, however, that the Biden administration may interpret CIRCIA broadly so that it covers a wide group of incidents experienced by a broad set of companies. While the implementation timeline provided in CIRCIA means that any final rule is unlikely to go into effect for at least a couple of years, oil and gas companies should not be caught flat-footed when the time comes.
Increasing public disclosure of cyber risks and cyber incidents to investors has been a focus of the SEC for over a decade. Having previously issued guidance, the SEC took the further step in March 2022 of proposing a rule that would require publicly traded companies to publicly disclose cybersecurity incidents on a Form 8-K within 4 business days of determining that the incident is "material."
This proposed rule raised numerous concerns for industry stakeholders about its workability and unintended consequences. For example, numerous stakeholders across industries urged the SEC to permit delay of public disclosure of incidents when disclosure would impair law enforcement investigations, compromise national security, or otherwise have serious negative consequences for the victim company or third parties. It remains to be seen how the SEC will resolve the comments it received. Assuming the SEC moves forward with a final rule that roughly aligns to the proposal, publicly traded oil and gas companies should be prepared for early public disclosure of cyber incidents.
Practically speaking, this trend toward early reporting — and possibly public disclosure — will require relevant businesses to maintain procedures that allow them to quickly and appropriately assess the cyber incidents they face and then provide accurate information to key internal decisionmakers so that they can determine whether notification or disclosure is required. Companies that do not maintain well-defined internal procedures for responding to cyber incidents that involve their legal counsel and escalate key decisions to executive stakeholders likely will struggle to meet forthcoming requirements and to manage the consequences of incident reporting or disclosure.
As a result, oil and gas companies likely will benefit from assessing and exercising their incident response policies, particularly after more clarity is available around the scope and substance of future regulatory requirements.