Cyber risk management: a boardroom issue

Cyber-security is an increasingly high-profile and costly issue. Whether it be state-sponsored cyber-attacks, cyber-espionage, hacktivism or good old-fashioned cyber-crime, the impact of a cyber-security incident can be significant. By Peter Given, Managing Associate at Bond Dickinson’s Southampton Office in Hampshire.


In its 2014 Information Security Breaches Survey, PwC identified that while the number of security breaches affecting UK businesses decreased in comparison to the 2013 survey, the cost of individual breaches rose significantly. The average cost to a large organisation of its worst security breach was between £600,000 and £1.15m (up from £450,000 to £850,000 in the 2013 survey). Indeed, 10% of organisations that suffered a breach in the 12 months prior to the survey were so badly damaged by the attack that they had to change the nature of their business.

This article summarises the legal framework that seeks to compel organisations to take steps to protect themselves from cyber-security threats and considers “non-technical” steps that organisations can take to comply with the law and protect their position.

Legal framework: the current state of play
Currently, there is no overarching law on cyber-security; companies in the UK have to comply with a plethora of laws and regulations that are relevant to cyber-security.
The Data Protection Act 1998 (which implements European data protection directive 95/46/EC) obliges organisations to take appropriate technical and organisational security measures to protect the personal data they process. A similar provision applies to telecommunications providers pursuant to the Privacy and Electronic Communications (EC Directive) Regulations 2003 (although the security measures to be adopted apply to the services they provide, not merely to personal data). The Information Commissioner, the UK data protection regulator, has the ability to impose monetary penalties of up to £500,000 on organisations that fail to comply with these laws.
Listed organisations and financial institutions are also subject to particular legal and regulatory requirements relevant to cyber-security. Financial institutions regulated by the Financial Conduct Authority (FCA) are obliged by the requirements of the FCA Handbook to: (i) have in place appropriate systems and controls to comply with regulatory requirements and standards; (ii) maintain adequate policies and procedures to ensure compliance; and (iii) take reasonable care to organise their affairs responsibly and effectively with adequate risk management systems. Similar requirements apply to listed companies under the FCA’s Listing Rules.

Legal framework: what’s on the horizon?
Change is on the near horizon in the realm of cyber-security legislation. In February 2013, the European Commission issued its proposal for a draft cyber-security directive. To become law, this directive needs to be agreed between the Commission, the European Parliament and the Council of the EU. Among other things, the directive will oblige providers of critical national infrastructure (including those in the transportation, energy and financial services sectors) to take appropriate technical and organisational measures to manage the (cyber-security) risks posed to their networks and systems and to report security breaches to the relevant regulator. The Commission is hopeful that the directive will be adopted by the end of 2014; there is currently an 18-month transposition period following the date of adoption, and so the directive is unlikely to be effective before mid-2016.
The Commission has also proposed a draft general data protection regulation to replace the current European data protection directive. This regulation, when enacted, would apply across the EU member states without the need for national implementing legislation. This law also requires the approval of the Commission, Parliament and Council.
The proposed regulation continues the requirement for organisations to protect the personal data they process, but goes further to oblige organisations to notify security incidents. The regulation also provides for significant fines for non-compliance (up to EUR 100m or 5% of annual worldwide turnover, whichever is the greater). The regulation has a two-year transposition period and so is unlikely to apply before 2017/18 at the earliest (assuming that agreement between the legislative bodies is reached in 2015, as is currently expected).

The path to compliance
So what can organisations do to meet the requirements of these current and impending laws and to protect themselves from cyber-security issues? The UK government has issued the 10 Steps to Cyber Security and, according to PwC’s 2014 report, this is now one of the most popular security resources for UK businesses. But what other “non-technical” steps can businesses take?

The value of policies
The PwC report notes that 70% of companies where security policy was poorly understood had staff-related breaches, compared with 41% where the policy was well understood. Policies on information security and data protection are critical to mitigating cyber-security risk.
It is not sufficient, however, to have a comprehensive suite of policies, unless these are communicated throughout the organisation, implemented and enforced. Policies will be one of the items which an organisation will be measured against in the event of a security incident and so having a comprehensive policy that is not followed can potentially be as detrimental to an organisation as not having a policy at all.
Policies should be clear, concise and built into staff training and awareness activities. At a minimum, organisations should consider having a data protection and information security policy, supplemented by policies dealing with specific risk areas (such as mobile or home working).

Robust contracting process
Some of the most significant data security incidents of the last 12 months have been caused by third party suppliers. The cyber-security incident at US firm Target which affected the personal data of 110 million customers is alleged to have occurred following an attack on one of Target’s suppliers that compromised network credentials held by the supplier to access Target’s electronic billing system.
When engaging third party service providers it is critical to carry out effective due diligence on their security measures and to ensure that there is a contract in place which sets out the security measures to be applied by the service provider in the provision of services. This is expressly required by the Data Protection Act. Contracts should also address the need to report security incidents and contain rights to audit the service provider’s compliance with the measures required. Given the potential liability exposures for cyber-security incidents, particularly in the light of the proposed changes in law, considerable thought should be given to any limits on the service provider’s liability for breaches of the contractual security requirements.

Cyber insurance
How can businesses use insurance to better manage cyber-security risks and reduce the significant cost that a cyber-event can cause?
Cyber insurance has been available in the UK and European market for more than 10 years and in the USA its use is widespread. However, many businesses are only just beginning to appreciate its necessity.
In order to have appropriate and effective cover in place, a business needs to consider its risks and what type of policy is needed. There are a wide range of both ‘stand-alone’ and ‘add on’ cyber policies on the market and the products are continually evolving to extend cover as cyber-crime becomes more sophisticated and far reaching.

For example, while the majority of policies have until recently only covered classic cyber risks such as data breach and hacking, we are now seeing products extending to events such as property damage, business interruption and extortion. In addition, cyber insurance is not just about insuring financial loss due to a cyber-incident, it is also key to managing the risk in the first place.
One of the first questions underwriters will ask when a business approaches insurers for cover is what procedures are currently in place and exactly what the business is doing about managing the risk. Accordingly, businesses need to work with their brokers and insurers in order to protect themselves as far as they can, rather than simply relying on the policy to respond in the event of a cyber-related incident. Insurers will demand that appropriate risk procedures are in place and implemented.

If they are not, businesses may find themselves uninsured. Insurers are also providing much more than just a cheque for financial losses caused by cyber events. In this regard, full-service support can be provided, not only in the immediate aftermath of a cyber-incident, but also beforehand in the form of risk management training. Should a claim be necessary, the policy could often cover the provision of legal, IT, public relations and other support.

Given all the above, it is essential for businesses to do their homework before purchasing cyber cover to ensure that:
• The business already has the appropriate procedures in place to minimise the risk of a cyber-incident (including suitable policies)
• Appropriate cover is being purchased that will respond to all identified risks
• The policy will provide the necessary support both beforehand and in the event of a claim

If these three key points are kept in mind when considering what policy to select, businesses will be placing themselves in a good position to manage the exposures to cyber risks through insurance.