Privacy and security
If critical infrastructure were to fail, this could result in serious, widespread disruption in society. Alliander’s activities fall within the scope of the Dutch Network and Information Security Act and, in conjunction with our partners, we do everything possible to prevent failures in critical infrastructure. Cybersecurity includes all measures (technology, people and the organisation) to detect, prevent and limit losses and damage caused by cybercrime. To do so, we use professional, modern security systems where possible. We continually monitor and analyse cyber risks to work out what they mean to Alliander, how they might affect us and what action we need to take. In addition, our office automation and process automation are kept separate to prevent malicious operations from accessing the management of our energy networks.
Protecting the personal data of our customers, employees and other stakeholders receives continuous attention at Alliander. We aim ever higher when it comes to privacy, for example by embedding a new control framework for privacy. We also consider the issues in providing information to colleagues.
We detected and investigated 26 data breaches in 2021. As 10 of these incidents involved centralised processing, the network operators bear joint responsibility for them. Of the 26 identified data breaches, 12 incidents involved a breach for which a duty to report applied in line with the GDPR.
Governance changes to meet new security challenges
The CISO Office was set up in 2021 to deal more effectively with the combination of today’s increasingly complex cyber threats and the digitalisation of our networks. It serves to anchor a structured approach to cyber resilience at Alliander. The CISO Office facilitates the prevention and detection of, and response to, cybersecurity risks by providing cultural, technological and staff-related measures to increase Alliander’s digital resilience. This enables us to keep abreast of cybersecurity developments and the ever higher demands placed on security. The Chief Information Security Officer (CISO) reports directly to the Management Board.
Our preference is to have our security processes certified by an independent external body. The critical infrastructures at Liander and Kenter already held ISO 27001 certificates and these certificates were extended in 2021. Alliander Telecom and Stam & Co attained the ISO 27001 certificate last year. Firan and ENTRNCE have Security Verified certification.