
Protiviti has noticed that, compared to other industries, energy companies tend to have little to no formal documentation on testing of security incident response plans. In addition, energy companies, specifically those in exploration and production (E&P), have been hesitant to invest in tools to identify where their “crown jewels” are stored, apparently because many do not feel their company is much at risk, since it does not retain much sensitive data. However, many common processes and company-confidential information at E&P companies do involve sensitive information protected by state privacy laws. This article highlights the main findings of Protiviti’s 2017 Security and Privacy Survey and includes some worst-case scenario questions that energy executives and boards would be wise to ask themselves.