Privacy and security
Privacy
Protecting the personal data of our customers, employees and other stakeholders receives Alliander's continuous attention. We aim to raise our level of maturity with regard to privacy; in 2023, for example, we started setting up a new central, automated Privacy Control Framework for optimising privacy and control measures. We expect this system to be completed in early 2024.
We also devote effort to Privacy by Design, which means that privacy is systematically built into a product or service under development from the start of the process. The Digitisation/Mission Control development teams in particular are taking big steps in this regard. A targeted validation check is performed on all (new) IT applications, covering data minimisation, authorisations for access rights and the removal of personal data.
Data breaches
There were no major privacy-related incidents in 2023, but we did investigate a total of 14 identified data breaches. One of these was subject to the duty to report under the GDPR. In addition, two of these incidents involved centralised processing, for which the network operators bear joint responsibility.
Security
We want to remain resilient in the field of security, so that we can keep focusing on our strategic objectives, retain the trust of our customers and shareholders, and comply with relevant laws and regulations. By investing in people, procedures and technology, we take measures to prevent security incidents or to minimise their impact. In recent years, the number and frequency of threats to organisations in general, and to organisations with vital infrastructure in particular, have increased. Examples of these are:
Geopolitical developments and state actors
Cybercrime, such as hijacking of systems and data
Vulnerabilities in our ecosystem, in systems, software and human actions
Alliander has a well-considered security strategy in place to safeguard security throughout the organisation on a structural basis and to keep our resilience at an adequate level.
ISMS
We are working towards an Alliander-wide information security management system (ISMS) to manage security within Alliander consistently in a dynamic world. In 2023, we uniformly defined our security policy in accordance with ISO 27001 and implemented it throughout the Alliander organisation. The ISO 27001 certificates for Liander, Alliander Telecom and Utility Connect were renewed. Qirion was granted an ISO 27001 certificate.
BCM
We facilitate business continuity management (BCM) to minimise the impact of a crisis or contingency on business processes. We do this by optimising our preparations for a crisis and by defining our actions during and after it. We are working to improve this structurally through a BCM action plan and policy. The goal of BCM is to implement the measures required in the field of operational and information technology to safeguard the continuity of the (most critical) business processes and to minimise the impact of outages on the services we provide. This makes BCM an important addition to the existing crisis organisation and crisis approach.
Sufficiently mature security
As a vital infrastructure company, Alliander considers it important to be able to control security risks on a structural basis. This is why we are constantly working on improving our security resilience. In concrete terms, this means that we work in accordance with ISO 27001 and that we have the level at which we do this, the maturity of our security, measured using the C2M2 (Cybersecurity Capability Maturity Model) methodology. C2M2 was developed for the energy sector and covers both the IT and the OT environment of an organisation.
Security by design
We apply security by design in digitisation initiatives as much as possible, whether or not we build them ourselves. This enables us to implement security wishes and requirements as efficiently and effectively as possible. Security must be included in the Definition of Done for all IT initiatives, and all software developed in-house is tested for risks and critical findings, so that no software is taken into use without a security check.