Privacy and security
Protecting the personal data of our customers, employees and other stakeholders has Alliander’s continuous attention. We aim for an increasing level of maturity when it comes to privacy, for example by setting up a new central, automated Privacy Control Framework for optimising privacy control measures. We also devoted effort to Privacy by Design, which involves ensuring that privacy is part of a product or service under development from the start of the process. We perform targeted validation checks on all IT applications as part of that effort. We worked additionally on an identity and access control policy for uniformly setting up, verifying and revoking authorisations.
In 2022, we were informed that a company that personalises access cards for us had suffered a ransomware attack. The compromised personal data unfortunately included the access card details of a small group of Alliander employees. All the affected colleagues and former colleagues were personally informed by email and the leak was reported to the Dutch Data Protection Authority.
In 2022, we investigated a total of 21 data breaches. As eight of these incidents involved centralised processing, the network operators bear joint responsibility for them. Of the 21 identified data breaches, nine incidents involved a breach for which a duty to report applied in line with the GDPR (five Alliander reports and four sector reports).
If critical infrastructure were to fail, this could result in serious, widespread disruption in society. Alliander’s activities fall within the scope of the Dutch Network and Information Security Act and, in conjunction with our partners, we do everything possible to prevent failures in critical infrastructure. Last year, increased threat levels in several areas further highlighted the importance of security for our organisation. There is a need for better data protection in view of geopolitical developments such as the war in Ukraine. In addition, there was a sharp increase in cyber attacks. However, cybersecurity expertise is not readily available, so attracting and retaining qualified employees has become a challenge.
Cybersecurity includes all measures (technology, people and the organisation) to detect, prevent and limit losses and damage caused by cybercrime. To do so, we use professional, modern security systems where possible. We continually monitor and analyse cyber risks to work out what they mean to Alliander, how they might affect us and what action we need to take. In addition, our office automation and process automation are kept separate to prevent malicious operations from accessing the management of our energy networks.
Since 2022, Alliander has pursued four fundamental security strategies:
In the digitalisation portfolio, we apply ‘Security by Design’ to firmly anchor security. This means that we include security in the plans and ideas from the beginning in our initiatives, whether they be in-house developments or products and services that we purchase from others.
We implement an Alliander-wide information security management system to manage security consistently and keep it up to date.
We apply business continuity management to minimise the impact of an emergency on business processes: i.e. we prepare for an emergency and know what to do if one occurs.
We are working to achieve security maturity level four according to the Norea standard by explicitly defining security processes and making them quantifiable. In early 2023, we will measure our current level.
Alliander is not alone in recognising the importance of cybersecurity; politicians are also increasingly interested in this topic. The need for adequate cybersecurity for vital industries is considered self-evident, both in Dutch political circles and from a European perspective. In the coming years, the regulatory and supervisory pressure on Alliander pursuant to laws and regulations is expected to increase further with the introduction of the NIS2 Directive, the NCCS and the CER Directive. Risk assessments and supply chain security are important aspects in this context. Therefore, the past year was devoted to identifying and aligning with developments in laws and regulations, IT fundamentals and cybersecurity.
In 2022, Liander, Alliander Telecom, Utility Connect and Kenter renewed their ISO27001 certification. Qirion achieved ISO27001 certification as of January 2023.