Vendor cybersecurity due diligence
Vendor cybersecurity due diligence in the Energy, Power & Commodities sector is under active regulatory scrutiny. The Federal Energy Regulatory Commission and the North American Electric Reliability Corporation drive the most consequential compliance obligations through the NERC CIP standards, which extend supply chain risk requirements to software and service vendors. The U.S. Department of Energy has separately issued guidance tying federal procurement and grid security to vendor vetting practices. Compliance teams in this sector are working through vendor access controls, incident notification clauses, and third-party software inventories ahead of NERC CIP-013 audit cycles.
Watch
- NERC CIP-013-2 supply chain risk management: revised implementation timeline and audit posture
- FERC Order 887 directives on internal network security monitoring now reaching vendor access scope
- DOE cybersecurity funding conditions tied to vendor risk attestation requirements
- TSA pipeline cybersecurity directives: applicability questions for commodity trading counterparties
- EU NIS2 Directive vendor obligation clauses affecting APAC and European energy subsidiaries
Recent material activity in Energy, Power & Commodities
Active monitoring in place across Energy, Power & Commodities. Material developments related to vendor cybersecurity due diligence will appear here as they are published.