Cyber security is one of bp’s highest priority risks, with breaches presenting a risk to the security of our information, IT systems and operations. We take cyber security very seriously as the threat our digital infrastructure, industrial control systems and our business evolves.
There is a strong likelihood that cyber attackers will target our suppliers in order to gain access to information or systems. We work together with our suppliers to share the role of protecting our information and systems.
If you suspect it, report it.
If you, as a bp supplier, suffer a security breach that impacts bp or you identify a potential risk or threat to bp’s information or IT systems you must report it without delay to our Security Operations Centre as well as your usual point of contact within bp. If you are not a contracted bp supplier, and you need to contact us for anything else relating to supply chain cyber security, please contact us here.
Information security requirements are included in supplier contracts. The security requirements in supplier contracts are aligned to the National Institute of Standards & Technology (NIST) cyber security framework.
The level of cyber security risk determines the complexity of contractual requirements and the security contract compliance required. Contract compliance can involve an on-site compliance visit, an online assessment or review of security certifications such as ISO 27001/2, SOC 1/2 or Cyber Essentials. If any security improvement actions are determined we work with our suppliers to have these remediated as soon as possible.
Cyber security and BP suppliers
When a supplier responds to a request for proposal or information, questions may be asked regarding cyber security controls. These questions will vary according to business area. Please provide as much details as possible as it will speed up the time to assess supplier responses.
There are several government and industry organisations that provide information and guidance on cybersecurity threats, controls, and risk management techniques. While bp does not endorse any specific organisation or set of controls, here are a few that may help.