Cyber security and BP suppliers

Working together to make BP a cyber resilient organisation

Why cyber security is important

Cybersecurity is one of BP’s highest priority risks, with breaches presenting a risk to the security of our information, IT systems and operations. We take cyber security very seriously as the threat our digital infrastructure, industrial control systems and our business evolves.

There is a strong likelihood that cyber attackers will target our suppliers in order to gain access to information or systems. We work together with our suppliers to share the role of protecting our information and systems.

How to report a cyber breach or threat to BP

If you suspect it, report it. 

If you as a BP supplier suffers a security breach that impacts BP or you identify a potential risk or threat to BP’s information or IT systems please report it without delay.

Contracts with suppliers

Information security requirements are included in supplier contracts. The security requirements in supplier contracts are aligned to the National Institute of Standards & Technology (NIST) cyber security framework. 

The level of cyber security risk determines the complexity of contractual requirements and the security contract compliance required. Contract compliance can involve an on-site compliance visit, an online assessment or review of security certifications such as ISO 27001/2, SOC 1/2 or Cyber Essentials. If any security improvement actions are determined we work with our suppliers to have these remediated as soon as possible.

cyber-security-and-bp-suppliers

Requests for proposal and requests for information

When a supplier responds to a request for proposal or information, questions may be asked regarding cyber security controls. These questions will vary according to business area. Please provide as much details as possible as it will speed up the time to assess supplier responses.

Further information

There are several government and industry organisations that provide information and guidance on cybersecurity threats, controls, and risk management techniques. While BP does not endorse any specific organisation or set of controls, here are a few that may help.