No significant cyber security breach

One of the biggest challenges that cybersecurity faces is evolving technology, which gives cybercriminals an ever-growing list of vulnerabilities to explore and results in an increased likelihood of accidental failure of Galp’s digital infrastructure. This, combined with the constant development of new methods of conducting cyber-attacks, exposes Galp to an increased cyber-threat risk. In addition, the Russia-Ukraine conflict has exacerbated this trend, triggering an increase in cyber-attacks on energy infrastructure in several European countries, with serious consequences.

Considering this context, cybersecurity has become a greater priority for Galp, whose ambition and strategic milestone is to have no significant cyber security breach. This is measured by having no cyber security incidents that lead to interruption of our critical business processes for longer than the RTOs (Recovery Time Objectives) included in the Business Continuity Plan, and by having no personal data breach with a “High” level of impact and probability, in line with Galp’s GDPR risk matrix. To that end, we have strengthened cyber resilience in our operations and incorporated Cyber culture in our DNA.

Strengthen data infrastructures in our operations

Multiple Cyber Assessments were conducted throughout 2022 on internal business units and major suppliers that play a critical role in protecting Galp’s digital landscape and critical business processes.

Furthermore, Galp has a permanent Red Team evaluating the Cyber Resilience of its Digital landscape and business processes. This team has conducted multiple assessments as well as one yearly Cyber Crisis Simulation (including both Operational and Management/ExCom members) to test Galp’s Cyber Crisis readiness. We also invested significantly in enhancing the cyber resilience of our industrial areas (OT – Operational Technology), following the recent threat landscape evolution for the energy sector in Europe.

Galp ensures a 24/7 response capability to cyber incidents through its CSIRT (Cyber Security Response Team), guaranteeing its resilience by coordinating the response to incidents that affect the organisation. We also identify and monitor lessons learned, as a way of continuously improving the organisation’s cyber security, and proactively exchange threat information with authorities and peers.

Incorporate Cyber culture in our DNA

According to Bitsight (a Cyber Ratings company), Galp is currently positioned within the Top 10% of companies in the Global Energy Sector in terms of its Cybersecurity posture. An assessment during 2022, by an external party, also confirmed that Galp’s Cyber Maturity Level stands above the global cyber maturity benchmark.

Several initiatives were launched to raise awareness among employees of the cyber threats that emerged in this context, as well as public alerts to customers and society in general regarding situations in which cyber criminals tried to take advantage of Galp's reputation to carry out cyber fraud attempts. Galp continued to invest in promoting a Cyber Culture program through its “CyberOn” brand. Apart from dozens of awareness contents, campaigns, and trainings – including regular phishing exercises – a new Cyber Gamification platform is being implemented to explore other Cybersecurity gaps and measure the effectiveness of the awareness and training content being developed through this adaptive learning approach. Also aligned with our goal of incorporating cyber culture in our DNA, from 2023 onwards we will have mandatory trainings on cybersecurity topics.

A new Cyber Roadmap has been developed, for the period of 2023-2024, with several initiatives and projects aiming to bring Galp’s Cyber Maturity in line with the Global Top Quartile for all sectors, including the definition of a new value-at-risk approach and value assurance unit, to ensure risk-based focus and prioritization of investments and initiatives.

Guidebook for a Cyber-Resilient Energy transition

Galp contributed to the development of this guidebook, together with our peers at the World Economic Forum, thus promoting a more sustainable and safer world.