Responding to climate change Harnessing the power of technologyReinforcing cyber resilience and data protection Building an agile, inclusive and sustainable workforce
CLP Sustainability Report 2019 / Material topics / Reinforcing cyber resilience and data protection

Reinforcing cyber resilience
and data protection

Reinforcing cyber security and data privacy infographic

Year in review

Along the value chain in the electric utility sector, connected technologies such as cloud computing are increasingly being deployed to enhance the visibility of asset performance and improve efficiency.

Facilities such as smart meters and microgrids are collecting ever more information from pro/consumers. Unfortunately, this distributed energy landscape is also introducing new targets for malicious attacks. These attacks can occur in both CLP IT or OT systems:

  • Information technology (IT): the technology used to support normal business activities and processes (e.g. email, customer databases, finance systems).

  • Operational technology (OT): the technology used to control, monitor, support or manage systems and assets used to generate, transmit, distribute, deliver and manage electric power.

In a 2019 survey of more than 1,700 utilities professionals worldwide, 56% said they experienced at least one shutdown or operation data loss in the last 12 months. The focus has also shifted from attacks on IT to OT: respondents to the same survey agreed that attacks on their OT system have become a greater threat than those on their IT system. It was estimated 30% of attacks on OT systems remain undetected, and on average 72 days is required to respond to a malware attack.

CLP has had no instances of lost production or any operational shutdown due to cyberattack. However, in common with all companies in the Energy Sector CLP faces attacks on a daily basis, from criminals and other threat actors. In 2019, CLP stepped up its governance on cyber security. Cyber security is not a separate issue that is the sole responsibility of a dedicated department, but a business risk that needs to be managed holistically and integrated into daily operations . CLP's enhanced Group Cyber Security team acts as an in-house advisor and reviewer to help raise awareness amongst staff, and establish the system and tools required to protect information and other systems against cyber risks.

In 2019, there were no customer privacy or data loss cases reported in relation to the retail business of CLP Power Hong Kong. In Australia, four complaints were received, three of which have been formally closed by the Office of the Australian Information Commissioner with no further action required by EnergyAustralia.

Reinforcing cyber resilience and data protection - 2019 Key Metrics


Cyber resilience is especially important for companies like CLP which provide critical infrastructure. A cyber breach could have a significant impact not only on the Company, but also on the environment and the economy at large.

As electric utilities become more connected and decentralised, the exposure to malicious attack cannot be eliminated. It is only by embedding cyber security into the mindset of all employees and their daily tasks, and continually enhancing organisational capacity that a company can defend itself or respond promptly should an attack occur.

CLP has been making good progress in building up internal expertise and a strong organisational awareness of the importance of cyber security. As the business evolves and the systems that underlie it change, new vulnerabilities arise.

Going forward CLP will be implementing a range of further cyber security measures at a level of people, process and technology, with the Audit & Risk Committee maintaining an oversight. The Group will also continue its awareness raising and emergency preparedness initiatives, so that employees remain continually vigilant.

Cyber resilience outlook - customer service hotline


How CLP has enhanced its cyber security governance, built internal capacity in the area, as well as its performance in relation to safeguarding information protection.

Back to top