01. PURPOSE
At the HSO Venezuela Consortium (hereinafter, "HSO Consorcio" or "the Consortium"), the security of our information and that of our partners, clients, and counterparties is critical. The hydrocarbon sector is a high-profile target for cyberattacks, with phishing being the most common entry point for financial fraud, data theft, and regulatory compliance breaches. The purpose of this policy is to protect the Consortium, its members, and its users against these threats by establishing clear guidelines to identify, prevent, and report phishing attempts, as well as to maintain an adequate level of information security in line with the legal requirements of the United States and Venezuela.
02. SCOPE
This policy applies to:
- All employees, contractors, and suppliers of the Consortium.
- Member companies of the Consortium (Venezuelan Adherent Companies).
- Any person who uses the Consortium's information systems, email, the website https://www.hsoconsortium.com, or accesses Consortium data, whether from Consortium devices or personal devices.
- Electronic communications with PDVSA, Venezuela's Ministry of Petroleum, international partners (IOCs), and crude oil buyers.
03. APPLICABLE LEGAL FRAMEWORK
This policy is based on the following legal and regulatory provisions:
In the United States:
- California Consumer Privacy Act (CCPA) – data subject rights.
- Computer Fraud and Abuse Act (CFAA) – criminalization of unauthorized access.
- Office of Foreign Assets Control (OFAC) Regulations – General Licenses 46B, 48A, 49A, 50A and Executive Order 14373 (prohibition of transactions with sanctioned persons/entities).
- Federal Trade Commission (FTC) guidelines on security practices and breach notification.
- State data breach notification laws (e.g., California, New York).
In Venezuela:
- Constitution of the Bolivarian Republic of Venezuela (arts. 28 and 60) – habeas data, privacy, and intimacy.
- Organic Law on Protection of Personal Data (LOPDP) – principles of lawfulness, consent, and data security.
- Infogobierno Law – data protection in public and private registries.
- Special Law against Computer Crimes – sanctions for unauthorized access, phishing, and computer sabotage.
04. DEFINITIONS
- Phishing: A type of cyberattack where criminals impersonate legitimate entities (banks, suppliers, clients, or even Consortium management) via fake emails, text messages, phone calls, or fraudulent websites. Its goal is to trick you into revealing confidential information, clicking malicious links, downloading infected files, or making wire transfers to accounts controlled by fraudsters.
- Social engineering: Psychological manipulation of people to perform actions or disclose confidential information.
- Information security: The set of technical and organizational measures designed to ensure the confidentiality, integrity, availability, and authenticity of data.
- Data breach: An incident that results in the destruction, loss, alteration, unauthorized disclosure of, or access to, personal data or sensitive information.
- Sanctions lists (SDN List): The Specially Designated Nationals and Blocked Persons List administered by OFAC. The Consortium does not exchange information with, or allow system access to or from, any person or entity on that list.
05. IDENTIFYING SUSPICIOUS EMAILS: FIRST LINE OF DEFENSE
Every user, employee, or Consortium member acts as a "human firewall." Before clicking any link or attachment, or responding to a request for information, check for the following red flags:
| Red Flag | What to check |
|---|---|
| Sender | Does the actual email address (not just the display name) exactly match the real company domain (e.g., @hsoconsortium.com vs @hsoconsortium-secure.com)? Beware of public domains (Gmail, Yahoo, Outlook) used by supposed companies. |
| Generic greeting | Does the email use phrases like "Dear User," "Dear Customer," or "Dear Member" instead of your full name? |
| Urgency or threats | Are you pressured with phrases like "Your account will be closed in 24 hours," "Urgent wire transfer required," or "Immediate data update required"? Phishing uses urgency to impair critical thinking. |
| Links and attachments | NEVER click on a suspicious link. Hover over it (without clicking) to see the actual URL. Beware of shortened URLs (bit.ly, tinyurl) or misspelled domains (e.g., hsoconsortiun.com). |
| Request for banking changes | Any request to change bank account information for supplier or member payments must be verified through a second channel (phone call to a known and verified contact). This is the most common fraud in the oil & gas sector. |
| Spelling and grammar | Fraudulent emails often contain spelling errors, machine translations, or unnatural phrasing. |
| Request for credentials or personal data | No legitimate entity will ask for your password, social security number, credit card details, or bank account information via unsolicited email. |
| Suspicious sender domain | Verify that the sender's domain is the entity's official one, not merely a similar-looking one. For example, a message from @example.com is not from an entity whose official domain is @example.com.ve, even though the names look alike. |
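The sender and link checks in the table above can be applied mechanically before a message reaches a person. The following helper is an added illustration and is not code from the HSO Consorcio policy or its systems; the trusted-domain list, the public webmail and URL-shortener lists, and the sample messages are constructed assumptions for the example only. It flags lookalike domains (brand label embedded in a foreign domain, or within two edits of the real one), public webmail senders, display names that carry a different address than the real one, shortened URLs, and links to raw IP addresses.

```python
"""Sender and link triage helper (added example; not part of the policy).
Trusted domains, webmail/shortener lists and sample messages are constructed
assumptions for illustration only."""
import re
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"hsoconsortium.com"}  # assumed: the Consortium's own mail/web domain
PUBLIC_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")
ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
FROM_RE = re.compile(r'\s*(?P<name>.*?)\s*<(?P<addr>[^<>]+)>\s*$')


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typo-squats (hsoconsortiun.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_from(header: str) -> tuple[str, str]:
    """Simplified 'Display Name <addr>' split (a mail client uses a full RFC 5322 parser)."""
    m = FROM_RE.match(header)
    if m:
        return m["name"].strip('"'), m["addr"].strip()
    return "", header.strip()


def is_trusted(domain: str) -> bool:
    """Exact trusted domain or one of its subdomains (www.hsoconsortium.com)."""
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def is_lookalike(domain: str) -> bool:
    """Heuristic: trusted brand label inside a foreign domain (hsoconsortium-secure.com,
    hsoconsortium.com.evil.net) or a domain within two edits of the real one."""
    if is_trusted(domain):
        return False
    for trusted in TRUSTED_DOMAINS:
        label = trusted.split(".")[0]
        if label in domain or levenshtein(domain, trusted) <= 2:
            return True
    return False


def check_sender(from_header: str) -> list[str]:
    name, addr = split_from(from_header)
    domain = addr.rpartition("@")[2].lower()
    if not domain:
        return ["sender address missing or malformed"]
    flags = []
    if domain in PUBLIC_WEBMAIL:
        flags.append(f"sender uses a public webmail domain ({domain}); verify out of band")
    elif is_lookalike(domain):
        flags.append(f"sender domain {domain} imitates a Consortium domain")
    # Display-name spoofing: the visible name carries an address that is not the real one.
    shown = ADDR_RE.search(name)
    if shown and shown.group(0).lower() != addr.lower():
        flags.append(f"display name shows {shown.group(0)} but the real address is {addr}")
    return flags


def check_url(url: str) -> list[str]:
    host = (urlparse(url).hostname or "").lower()
    flags = []
    if host in URL_SHORTENERS:
        flags.append(f"shortened URL ({host}) hides the real destination")
    if IPV4_RE.fullmatch(host):
        flags.append(f"link points at a raw IP address ({host})")
    if is_lookalike(host):
        flags.append(f"link host {host} imitates a Consortium domain")
    return flags


def triage(from_header: str, body: str) -> list[str]:
    """All red flags found in a message's From header and the links in its body."""
    flags = check_sender(from_header)
    for url in URL_RE.findall(body):
        flags.extend(check_url(url))
    return flags


# Constructed sample messages (not real traffic).
SAMPLES = {
    "legitimate": ("Maria Lopez <maria.lopez@hsoconsortium.com>",
                   "Agenda attached; details at https://www.hsoconsortium.com/contact"),
    "lookalike + shortener": ("HSO Treasury <payments@hsoconsortium-secure.com>",
                              "Urgent: confirm the new bank account at https://bit.ly/3xyz within 24 hours"),
    "display-name spoof": ('"ceo@hsoconsortium.com" <attacker@gmail.com>', "Call me before the transfer."),
}

if __name__ == "__main__":
    for label, (sender, body) in SAMPLES.items():
        print(label, "->", triage(sender, body) or ["no red flags"])
```

The heuristics are deliberately strict: a hit means "verify through a second channel", not "this is malicious", and a clean result never replaces the banking-change call-back in the table above.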
06. ACTION GUIDELINES: WHAT TO DO AND WHAT NOT TO DO
DO NOT:
- Do not click on links or open attachments from suspicious or unsolicited emails.
- Do not reply to the email or provide any personal information, credentials, financial data, or confidential Consortium information.
- Do not make wire transfers based solely on instructions received by email. Always verify by phone using a number you know (not the one appearing in the suspicious email).
- Do not forward the suspicious email to other contacts without first reporting it to the security team.
- Do not attempt to investigate on your own or "respond" to the attacker.
DO the following:
- Leave the suspicious message untouched: do not open its links or attachments, reply to it, or act on it.
- Report the incident immediately to the Consortium's Information Security Officer at security@huronsmithoil.com or by phone at +1 (866) 954-5938.
- Forward the suspicious email as an attachment (not as a direct forward) to security@huronsmithoil.com for analysis. If forwarding as an attachment is not possible, take a screenshot.
If you have clicked a link or downloaded a file:
- Disconnect your device from the network immediately (unplug the cable or turn off Wi-Fi), but do not power it off: the security team may need what is still in memory.
- Notify IT/security without delay.
- Do not attempt to delete the files on your own.
If you have provided credentials or financial data:
- Change your passwords immediately, from a device you know is clean, starting with the affected account and any other account that used the same password.
- Notify your bank or financial institution if applicable.
- Document all details of the incident.
07. INFORMATION SECURITY ON THE CONSORTIUM WEBSITE
The website https://www.hsoconsortium.com implements the following security measures to protect users and prevent phishing attacks and other cyber threats:
7.1. Technical measures
- TLS 1.3 encryption for all communications, served with a valid, publicly trusted TLS certificate.
- Anti-spoofing protection via email authentication (SPF, DKIM, DMARC) for the hsoconsortium.com domain.
- Continuous monitoring of web traffic and emails to detect malicious activity.
- Web application firewall (WAF) to block injection attempts, cross-site scripting (XSS), and other common web attacks.
- Real-time intrusion detection/prevention (IDS/IPS).
- Geographic blocking: In compliance with OFAC General Licenses 46B, 48A, and 49A, the website automatically blocks access from IP addresses, domains, or jurisdictions associated with China, Russia, Iran, North Korea, or Cuba. Any access attempt from these countries is logged and reported to authorities. IP geolocation is approximate and is easily evaded with a VPN or proxy, so this control supports compliance and does not replace authentication and authorization on the site itself.
7.2. Organizational measures
- Strong password policies for administrator and registered user accounts.
- Mandatory multi-factor authentication (MFA) for privileged access.
- Periodic mandatory training for all employees and Consortium members on phishing detection and security best practices.
- Incident response plan updated and tested semi-annually.
7.3. Personal data protection
- Personal data collected through the website is processed in accordance with our Privacy Policy and Venezuela's Organic Law on Protection of Personal Data (LOPDP) and the U.S. CCPA.
- Passwords are never stored in plain text; they are stored as salted hashes produced by a slow, password-specific hash function (bcrypt or Argon2).
- Financial data (if any) is tokenized and not stored on the Consortium's servers.
08. PHISHING SIMULATIONS AND TRAINING
HSO Consorcio will implement periodic phishing simulation campaigns to assess and improve our collective awareness. These simulations:
- Are a training tool, not punitive.
- Identify specific training needs.
- Reinforce a culture of cybersecurity and regulatory compliance.
Users who "fall" for a simulation will receive immediate, personalized training on how to better identify threats. Aggregated results will help the Consortium focus its awareness efforts.
09. INCIDENT REPORTING
If you are a victim of a phishing attack or suspect that Consortium, member, or client information has been compromised, you must report it IMMEDIATELY following the protocol below:
| Incident type | Reporting channel | Maximum deadline |
|---|---|---|
| Suspicious email (no click) | security@huronsmithoil.com | 2 hours |
| Clicked link or downloaded file | security@huronsmithoil.com + call to +1 (866) 954-5938 | Immediate (within 30 minutes) |
| Disclosure of credentials or sensitive data | security@huronsmithoil.com + call + notice to legal@huronsmithoil.com | Immediate (within 15 minutes) |
| Unauthorized financial transfer | Immediately contact bank, then security@huronsmithoil.com | Immediate |
Speed of detection and reporting is key to minimizing damage and complying with regulatory notification deadlines (e.g., 72 hours under certain U.S. state laws, or within the timeframes established by Venezuela's LOPDP).
10. CONSEQUENCES OF NON-COMPLIANCE
Negligent or intentional non-compliance with this policy that results or could result in a security incident may lead to consequences including:
- Mandatory remedial training.
- Written warning.
- Temporary suspension of system access.
- In serious cases (gross negligence, bad faith, or violation of OFAC compliance obligations), termination of contractual or employment relationship.
- Legal and financial liabilities for both the company and the individual, including civil or criminal penalties under Venezuela's Special Law against Computer Crimes or the U.S. CFAA.
The Consortium reserves the right to report serious incidents to regulatory authorities (OFAC, Department of State, or Venezuela's Public Ministry) as applicable.
11. CONTACT AND REPORTING
For any inquiries, incident reports, or requests for assistance regarding information security and phishing:
Email (security): security@huronsmithoil.com
Email (legal and compliance): legal@huronsmithoil.com
Phone: +1 (866) 954-5938
Web form: available at https://www.hsoconsortium.com/contact
Chief Information Security Officer (CISO): appointed by HSO Consorcio and accessible via the above channels.
12. UPDATES AND REVIEW
This policy will be reviewed at least annually or after any significant security incident. Updates will be notified to users via the website and by email to registered members.
Last updated: 10 April 2026