The scale and spread of our operations means we must prepare for a range of possible business disruptions and emergency events
Potential threats to our business are not always predictable and come in many forms, such as earthquakes, extreme weather, hostile physical or cyber attacks, political conflicts, health alerts and major accidents. We have processes in place to try to anticipate them and to be ready if a crisis or incident occurs.
BP monitors for, and aims to guard against, hostile actions that could cause harm to our people or disrupt our operations, including physical and digital threats and vulnerabilities. We assess risk on an ongoing basis in those operating areas that are affected by political and social unrest, terrorism, armed conflict or criminal activity. Our central security team provides guidance and support to our businesses through a network of regional security advisers. We continue to monitor threats globally and, in particular, the situation in the Middle East and North Africa. Following the armed terrorist attack on the In Amenas gas plant in Algeria in 2013, BP and Statoil continue to work with Sonatrach, the Algerian state oil and gas company, and the Algerian authorities on a programme of further enhancements to the joint venture’s security systems and assurance of their ongoing effectiveness. BP is a signatory to the Voluntary Principles on Security and Human Rights, which are designed to help companies maintain security while promoting respect for human rights.
Cyber attacks present a risk to the security of our information, IT systems and operations. We collaborate closely with governments, law enforcement agencies and industry peers to understand and respond to new and emerging cyber threats. We also monitor our IT systems for suspicious activity and have a 24-hour monitoring centre in the US tasked with this. We promote good cyber security behaviours in our workforce through easy-to-understand policies and instructional videos. Campaigns and presentations on topics such as email phishing and protecting our information and equipment have helped to raise employee awareness of these issues.
Q: How big a risk is cybersecurity for BP?
A: News headlines frequently contain reports of cyber attacks stealing huge volumes of information or, increasingly, causing damage and disrupting business operations. These events have demonstrated how quickly systems once believed to be secure can become vulnerable. This complex, fast-changing landscape, and BP’s reliance on technology, mean that cybersecurity is a risk BP takes very seriously. Cybersecurity is one of the company’s highest level risks and is monitored by the board. We take an intelligence-led approach to evolve our cyber defences and response, in line with the fast-changing threats.
Daniel Barriuso, chief information security officer, BP
Crisis and continuity management planning helps us keep our people safe, respond effectively to emergencies and avoid potentially severe disruptions in our operations. In addition to carrying out routine monitoring and an annual risk assessment process, our businesses are expected to carry out exercises at both a local and regional level to test their preparedness to respond. For example, in 2015 we carried out a two-day oil spill response exercise involving a drilling rig in the UK North Sea. The exercise involved more than 150 people from across our North Sea business as well as relevant government agencies. It gave those responsible for oil spill response from different teams within the region the opportunity to test joint oil spill preparedness plans, supported by coaching from BP’s central response team.