Cybersecurity is one of BP’s highest priority risks, with breaches presenting a risk to the security of our information, IT systems and operations. We take cyber security very seriously as the threat our digital infrastructure, industrial control systems and our business evolves.
There is a strong likelihood that cyber attackers will target our suppliers in order to gain access to information or systems. We work together with our suppliers to share the role of protecting our information and systems.
If you suspect it, report it.
If you, as a BP supplier suffer a security breach that impacts BP or you identify a potential risk or threat to BP’s information or IT systems please report it without delay to your point of contact within BP. If you do not know who your point of contact within BP is, please contact us here.
Information security requirements are included in supplier contracts. The security requirements in supplier contracts are aligned to the National Institute of Standards & Technology (NIST) cyber security framework.
The level of cyber security risk determines the complexity of contractual requirements and the security contract compliance required. Contract compliance can involve an on-site compliance visit, an online assessment or review of security certifications such as ISO 27001/2, SOC 1/2 or Cyber Essentials. If any security improvement actions are determined we work with our suppliers to have these remediated as soon as possible.
Cyber security and BP suppliers
When a supplier responds to a request for proposal or information, questions may be asked regarding cyber security controls. These questions will vary according to business area. Please provide as much details as possible as it will speed up the time to assess supplier responses.
There are several government and industry organisations that provide information and guidance on cybersecurity threats, controls, and risk management techniques. While BP does not endorse any specific organisation or set of controls, here are a few that may help.