When was the last time you thought about your utility’s cybersecurity policy statement? Was it during onboarding? The two words “policy statement” likely elicit more groans than an invitation to a meeting that should have been an e-mail. But the truth is, your policy statement is critical to the everyday mission of your utility and likely needs a refresher.
This cybersecurity policy statement will lay out to your customers and teammates, at a high level, what you’re doing to protect customer data. This includes how you plan to protect the entire infrastructure of your utility. It’s meant to be the outward-facing message of comfort to anyone with a stake in your utility, stating that:
- You care about uninterrupted service, and, if there’s an interruption, you have a plan to fix it
- You’re committed to protecting customer data your utility may have with proper safeguards
This statement sets the tone for all of the compliance documents you write and all the disaster response checklists you update, and it serves as a reminder of what your purpose as a utility is to the community.
So, how do you write one for your utility?
- Keep it simple: this is not a statement for going into the “hows” but for the “why” – don’t get technical and definitely don’t use jargon that you and your coworkers use. Think about how you’d sum up why you have cybersecurity policies in place for someone who doesn’t work with you.
- State the Commitment to the Community: You’ve got to make it clear that you have policies in place specifically to safeguard data and to keep the resource you’re providing flowing.
- Use Action Words: Words that describe being proactive are crucial. Cybersecurity is not a passive thing; you always need to be on top of things. Use words like “protect,” “mitigate,” and “respond.”
- Mention Relevant Regulations: Your customers (and coworkers) want to know you’re also not making up the response playbook on your own. There is comfort in mentioning that a higher authority, focused on several utilities, is giving you mandates on the levels of security you need to be providing.
Below are three examples of clear cybersecurity policy statements you can use for guidance as you rework your own:
Example 1:
“Our power utility is dedicated to safeguarding our customers’ personal information and the availability and integrity of our company’s assets. We have implemented strict security measures to protect against cyber-attacks, including regular software updates and monitoring systems. Our employees and contractors receive regular training on our cybersecurity policies, and we are committed to compliance with all applicable regulations. In the event of a security incident, we have an incident response plan to address and resolve the issue quickly.”
Example 2:
“At our power utility, the protection of our customers’ data is of the utmost importance. We have implemented various technical and administrative controls to secure our systems and data and are committed to complying with all applicable regulations. Our employees and contractors receive regular cybersecurity training and are held accountable for adhering to our policies. In the event of a security incident, we have a rapid response plan in place to quickly address and resolve the issue.”
Example 3:
“Our power utility is committed to providing safe and secure service to our customers. We understand the importance of protecting our customers’ sensitive information and company assets from cyber-attacks. We have implemented advanced security measures and continuously assess and update them to align with industry standards and best practices. Our incident response plan ensures that security incidents are handled promptly and effectively. Our employees and contractors are trained and held accountable for adhering to our cybersecurity policies and complying with the industry standards and regulations.”
Your cybersecurity policy needs to stay relevant and is worth looking at often. Your utility exists to serve the community; being reminded of that commitment can help focus you. Next time you’re reaching for a 3rd cup of coffee while sorting through all the planning and paperwork that comes with adequately securing your part of the grid – keep this big picture in mind. The policy will be your guide in keeping your entire cybersecurity posture in great health.