The case for CSR/ Sustainability Reporting Done Responsibly


IDENTIFY - MEASURE - MANAGE - CHANGE

Insights on how you can protect the environment, maintain and increase the value of your company, through a structured process.


Case study: How Sempra Energy promotes cybersecurity

Sempra Energy is an energy infrastructure company with 2019 revenues of $10.8 billion, investing in, developing and operating transmission and distribution infrastructure in the most attractive markets in North America. Cybersecurity at Sempra Energy is about people, processes and technology working together to protect systems, networks and programmes from digital attacks.

This case study is based on the 2019 Corporate Sustainability Report by Sempra Energy published on the Global Reporting Initiative Sustainability Disclosure Database that can be found at this link. Through all case studies we aim to demonstrate what CSR/ ESG/ sustainability reporting done responsibly means. Essentially, it means: a) identifying a company’s most important impacts on the environment, economy and society, and b) measuring, managing and changing.

Abstract

Sempra Energy is committed to dealing effectively with cybersecurity threats to its energy grid, storage and pipeline infrastructure, as well as the information and systems used to operate its businesses. In order to promote cybersecurity Sempra Energy took action to:

  • establish an information security team
  • implement an information security awareness programme
  • use an automated SPAM reporting button

What are the material issues the company has identified?

In its 2019 Corporate Sustainability Report Sempra Energy identified a range of material issues, such as reliability, affordability, greenhouse gas emissions, public safety, disaster preparedness and response. Among these, promoting cybersecurity stands out as a key material issue for Sempra Energy.

Stakeholder engagement in accordance with the GRI Standards              

The Global Reporting Initiative (GRI) defines the Principle of Stakeholder Inclusiveness when identifying material issues (or a company’s most important impacts) as follows:

“The reporting organization shall identify its stakeholders, and explain how it has responded to their reasonable expectations and interests.”

Stakeholders must be consulted in the process of identifying a company’s most important impacts and their reasonable expectations and interests must be taken into account. This is an important cornerstone for CSR / sustainability reporting done responsibly.

Key stakeholder groups Sempra Energy engages with:

Stakeholder group and methods of engagement:

Customers

  • In-person meetings or phone calls
  • Open houses, town hall meetings
  • Ethics & compliance helpline
  • Website content
  • Surveys
  • Print or social media

Communities

  • In-person meetings or phone calls
  • Open houses, town hall meetings
  • Ethics & compliance helpline
  • Website content
  • Corporate sustainability report
  • Facility tours
  • Surveys
  • Print or social media

Employees

  • In-person meetings or phone calls
  • Open houses, town hall meetings
  • Ethics & compliance helpline
  • Website content
  • Corporate sustainability report
  • Facility tours
  • Surveys
  • Print or social media

Investors and shareholders

  • In-person meetings or phone calls
  • Open houses, town hall meetings
  • Ethics & compliance helpline
  • Website content
  • Corporate sustainability report
  • Facility tours
  • Print or social media

Regulators, elected officials, community leaders

  • In-person meetings or phone calls
  • Open houses, town hall meetings
  • Ethics & compliance helpline
  • Website content
  • Corporate sustainability report
  • Facility tours
  • Print or social media

Suppliers, contractors, business partners

  • In-person meetings or phone calls
  • Open houses, town hall meetings
  • Ethics & compliance helpline
  • Website content
  • Corporate sustainability report
  • Facility tours
  • Print or social media

How stakeholder engagement was made to identify material issues

To identify and prioritise material topics Sempra Energy interviewed stakeholders to gain their perspectives on current and emerging priorities.

What actions were taken by Sempra Energy to promote cybersecurity?

In its 2019 Corporate Sustainability Report Sempra Energy reports that it took the following actions for promoting cybersecurity:

  • Establishing an information security team
    Sempra Energy’s information security team conducts regular penetration tests and analyses the results to improve existing controls and identify opportunities for improvement. Members of this team also participate in department staff meetings, safety stand downs and safety congresses to provide perspective and training on cybersecurity issues. Individual employees across the company support these efforts as “cybersecurity champions,” sharing relevant information with their teams.
  • Implementing an information security awareness programme
    Sempra Energy’s information security awareness programme includes periodic communications, companywide events and campaigns, mandatory annual web-based training, facility-specific town hall events and a cross-business advocacy programme. Sempra Energy supports these efforts with articles, webpage communications and digital signage.
  • Using an automated SPAM reporting button
    An automated SPAM reporting button in Microsoft Outlook allows easy one-click reporting of suspicious and unwanted emails. In fact, to keep this reporting option top-of-mind, Sempra Energy’s cybersecurity team utilises “fake” phishing attempts and sends congratulatory messages when employees take the correct action by clicking the SPAM button. Sempra’s 24/7 Information Security Operations Centre (SOC) also responds to reports of suspicious email. The SOC can pull a suspicious email from the enterprise, reducing the risk of infecting other users or devices.

Which GRI Standards and corresponding Sustainable Development Goals (SDGs) have been addressed?

The GRI Standard addressed in this case is: Disclosure 418-1 Substantiated complaints concerning breaches of customer privacy and losses of customer data

Disclosure 418-1 Substantiated complaints concerning breaches of customer privacy and losses of customer data corresponds to:

 

80% of the world’s 250 largest companies report in accordance with the GRI Standards

SustainCase was primarily created to demonstrate, through case studies, the importance of dealing with a company’s most important impacts in a structured way, with use of the GRI Standards. To show how today’s best-run companies are achieving economic, social and environmental success – and how you can too.

Research by well-recognised institutions is clearly proving that responsible companies can look to the future with optimism.




References:

1) This case study is based on published information by Sempra Energy, located at the link below. For the sake of readability, we did not use brackets or ellipses. However, we made sure that the extra or missing words did not change the report’s meaning. If you would like to quote these written sources from the original, please revert to the original on the Global Reporting Initiative’s Sustainability Disclosure Database at the link:

http://database.globalreporting.org/

2) https://www.globalreporting.org/standards/gri-standards-download-center/

Note to Sempra Energy: With each case study we send out an email requesting a comment on this case study. If you have not received such an email please contact us.