As a result of digitalization and the large-scale introduction of information technology into the Company's activities and everyday life, the Group has become even more dependent on the proper operation of its automated process control systems and IT systems, on the security of the information it processes, and on the effective functioning of its information security system.
Inter RAO views an increase in the number and scale of information security breaches, and of their consequences, as a major strategic risk. The criterion adopted for assessing the effectiveness of information security risk management is the absence of substantial material or monetary damage resulting from a targeted cyber-attack on the automated process control systems and IT systems of the Group's companies.
Results of 2019 and events after reporting date
- A project was implemented to assess the security of the external perimeter of the IT infrastructure at the Group's enterprises, together with a number of external penetration tests against the Group's key information systems.
- A separate list of the Group’s most significant information security risks was compiled, and each of the risks was evaluated and analyzed in terms of the sufficiency of current measures that have been taken and the need for additional measures.
- A new unit, the Information Security Department, was established and staffed at PJSC Inter RAO. It reports directly to the CEO and has the level of authority required to reduce the risks it identifies.
- An unscheduled inventory of information technology and information security tools was initiated and completed.
- The Group modernized its information protection tools in the following classes: firewalls, protection of workstations and servers (including the anti-virus component), security analysis (vulnerability scanners), and protection against zero-day attacks (sandboxes).
- The Group began integrating information security processes into its key business processes: a functional information security expert was included in the project team that creates new Group-wide information systems.
- The Group completed the collection of data on the category of critical information infrastructure in compliance with the requirements of Federal Law No. 187-FZ dated July 26, 2017 “On the Security of Critical Information Infrastructure of the Russian Federation.”
- The Inter RAO Group’s Information Security Development Program was adopted. The Inter RAO Group’s Information Security Development Program for the period 2021-2025 is expected to be adopted in 2020.
The information security measures employed by Inter RAO ensure the proper level of security of its information and automated systems, as evidenced by the absence in 2019 of any recorded cases of leakage, theft, or loss of personal data, and of any significant complaints about breaches of end consumers' personal data at the supply companies.
Commissions in charge of categorizing critical information infrastructure have been set up at PJSC Inter RAO and its subsidiaries, both to protect the Group's information resources against unauthorized access (computer attacks) and to implement the requirements of Federal Law No. 187-FZ dated July 26, 2017 "On the Security of Critical Information Infrastructure of the Russian Federation."
The digital transformation of the Group carries an increased level of risk because of the novelty of the technologies used, their strong sensitivity to cybersecurity issues, the lack of business hypotheses that have been tested on the market, and the demanding response times required when implementing innovative projects and taking timely corrective actions.
In order to reduce cybersecurity risks, the Inter RAO Innovative Development Program is premised on a product-based approach to project implementation. A prototype is made first, followed by a minimum viable product (MVP); only after the MVP's effectiveness is confirmed is a fully functional product implemented, and it is this product that includes, in particular, information security protection, usability, and documentation.
The Inter RAO insurance coverage program includes insurance for the risks of data operators and other information risks (cyber risks). The annual insured amount is RUB 350 mln. Insurance coverage includes:
- Expenses on eliminating a threat to the security of a computer system
- Investigation expenses
- Expenses on consultations and other services provided by external software and technical experts
- Expenses for the restoration of electronic data
- Losses from cyber extortion
- Expenses on reputation-related consultations