The Colonial Pipeline, the largest refined oil pipeline system in the U.S., had to shut down completely after a crippling malware cyberattack in May 2021.1 The attack prompted a state of emergency, created fuel shortages and forced the infrastructure business to pay a $4.4 million ransom to regain access to its IT systems. This is the stuff of nightmares for any treasury and payments professional, and it only continues to increase.

High-profile cyberattacks make clear that the physical security of core infrastructure assets—electric power lines, pipes, gasworks and water supplies—is only as good as a utility’s digital security. The need to protect client and company data is crucial, and the stakes will continue to increase as the world becomes more digital. Considering that data breaches costed U.S. businesses more than $9 million on average in 2020-2021,5 doing nothing is not an option. As such, cybersecurity has become a key, board-level focus and utilities must create a proactive and practical strategy to protect themselves, customers and other stakeholders.

Here are four key actions your business can take now too secure its operations from a cyberattack. 

1. Create a playbook

To prepare your business for a cyberattack, or an attempted one, start by creating a business contingency plan and cybersecurity policy that is clear and comprehensive. This could mean the difference between a thwarted cyberattack and one that hobbles your business.

To create your company playbook, identify mitigation strategies across a range of scenarios, and then test those strategies. Consider the different access points and ways your business could be compromised. One vector is that your servers could be hacked. Another is customer identity theft, which could be leaked, sold or held to ransom.

Strong cybersecurity policies are built through strong communication and cross-functional partnerships across operations—leveraging the contacts, skills and experience of legal departments, business operations and HR, for example. Each business function will know what their most valuable assets are—and from there, a conversation can begin about how to protect them and what role the treasury team can play.

You can have the strongest controls in the world, the best cybersecurity program—but one thing that organizations continuously need to work on is improving their crisis management processes.6

One element of your playbook could be to create backup systems in case your primary systems are hijacked by a ransomware attack. From a treasury perspective, that could mean that if you typically initiate critical wire payments through a company workstation, you enable the capability to do them through your bank portal or mobile app as a backup. Specifically, this may mean you empower staff with a secure method to use personal devices to make critical payments during an emergency.

2. Do table-top exercises

Anticipating and working through what would happen in the event of a breach of your digital systems is a great way to identify and fix weaknesses before a malicious event occurs. This is where the implementing table-top exercise comes in.

One hypothetical attack could be a power transmission and distribution system being hacked and held to ransom for millions of dollars. A utility treasury team should be prepared in advance to know which steps are critical to keep the business running. Your action plan may include:

  • Call law enforcement and the third-party negotiator.
  • Identify your critical payments.
  • Deploy pre-assigned, pre-approved individuals to use their personal devices to make the critical payments.
  • Call your bank and tell them to reprocess all payroll files from the previous week.

A clear communication plan for both employees and the Press and media is also key. This might mean preparing internal and external briefs to reassure and inform your staff, and get ahead of the media in the event of an attack. This is a fundamental part of crisis management that should be established ahead of time.

By working through the various scenarios that could happen, your treasury can keep payments and reliable communication flowing, even if the rest of the business is frozen or under attack.

It’s important to test resiliency plans at least twice a year with simulated drills and implement any necessary changes to ensure all employees are comfortable with processes and procedures.7

3. Identify your critical payments

We’ve looked at how to secure your critical payments in emergency situations. But do you know exactly what your critical payments are? This is a key area where treasury can help. Pre-identifying which payments have to go out immediately, and which can wait a few days or until systems are back up and running, saves valuable time and team effort when a cyberattack takes place.

For example, a hack may occur on Thursday and payroll may be on Friday. To prevent further distress and uncertainty for staff during a cyberattack, payroll is a critical payment that would need to go out. Therefore, your company’s cybersecurity playbook should include a contingency plan for making that payment, for instance, via a third-party payroll provider or via your bank’s previous payroll files. Debt payments are another non-negotiable payment to prevent your company defaulting on its commitments; and critical supplier payments are another aspect to consider in order to retain access to essential supplies and services.

4. Engage your business and banking partners

As with all comprehensive business strategies, a holistic approach is best. Educating every part of your business in your cybersecurity strategy may help reduce vulnerabilities throughout your operations. Biannual anti-fraud training for staff, for instance, could be one of the best investments in cybersecurity your business makes. This is because the vast majority of vector attacks happen through your employees, whether via opening a malicious email or a company laptop left in an unsecure location. It is critical that utilities treasury staff are trained to identify and respond to cybersecurity threats.  

It also means engaging your critical external partners to prevent fraud—including external counsel, vendors, banking providers, insurers and so on. Ensure your partners are just as engaged in preventing fraud as you are. From a treasury perspective, you may engage your banking partners to help protect your business. Fraud prevention services such as AVS, Check Positive Pay and ACH Debit Blocks can help keep your systems and processes flowing during a security breach or data leak.

Take the next steps to protect your business

The Colonial Pipeline suffered a catastrophic security breach, sending a clear message that the ongoing cybersecurity threat to the infrastructure industry is very real. Now is the time for the utilities industry to adapt and evolve to meet the challenges of digitization and mitigate the next cyberattack.

Three tactics utilities businesses are implementing to mitigate digital risk:

  1. Communicate to employees about cybersecurity threats and best practices through regular newsletters, trainings and townhalls.
  2. Develop one-click reporting and tracking tools for visibility into what’s happening across your operations.
  3. Build a business recovery plan to outline how your business will resume operations following a cyberattack and other unforeseen disruption.

Cybersecurity has a massive impact on a utility’s survival and the society at large. Preventing an attack is the best solution. Now is the time to ensure your business is equipped and ready to handle these threats.

Connect with your J.P. Morgan representative to learn more about our cybersecurity solutions.

References

1.

“Hackers breached Colonial Pipeline using compromised password,” Bloomberg, June 2021. https://www.bloomberg.com/news/articles/2021-06-04/hackers-breached-colonial-pipeline-using-compromised-password
 

2.

2021 state of reliability report, NERC, August 2021. https://www.nerc.com/pa/RAPA/PA/Performance%20Analysis%20DL/NERC_SOR_2021.pdf
 

3.

“Worldwide denial-of-service cyberattacks on utilities up seven-fold this summer, data shows,” Morning Consult, August 2020. https://morningconsult.com/2020/08/27/cyber-attacks-gas-electric-utilities-data/
 

4.2021 payments fraud and control survey report, AFP.
 
5.

“How much does a data breach cost?” IBM, 2021. https://www.ibm.com/security/data-breach
 

6.

“Payments industry partnerships offers solution to growing cybercrime concerns,” The Fintech Times, September 2021. https://thefintechtimes.com/payments-industry-partnership-offers-solution-to-growing-cybercrime-concerns/
 

7.

“Combating the increasing threat of ransomware attacks,” J.P. Morgan, July 2021. https://www.jpmorgan.com/commercial-banking/insights/combating-increasing-threat-of-ransomware-attacks
 

We prepared these materials for discussion purposes only and for your sole and exclusive benefit. information provided is intended to help clients protect themselves from cyber fraud. It does not provide a comprehensive list of all types of cyber fraud activities and it does not identify all types of cybersecurity best practices.

You, your company or organization are responsible for determining how to best protect against cyber fraud activities and for selecting the cybersecurity best practices that are most appropriate to your needs.

The views and opinions expressed herein are those of the author and do not necessarily reflect the views of J.P. Morgan, its affiliates, or its employees. The information set forth herein has been obtained or derived from sources believed to be reliable. Neither the author nor J.P. Morgan makes any representations or warranties as to the information’s accuracy or completeness.  The information contained herein has been provided solely for informational purposes and does not constitute an offer, solicitation, advice or recommendation, to make any investment decisions or purchase any financial instruments, and may not be construed as such.

JPMorgan Chase Bank, N.A. Member FDIC.

JPMorgan Chase Bank, N.A., organized under the laws of U.S.A. with limited liability.