Cyber legal issues

by Mark Rowe

Peter Given, Managing Associate at Bond Dickinson’s Southampton office in Hampshire, writes about the issues around cyber security and organisations.

Cyber-security is an increasingly high-profile and costly issue. Whether the cause is state-sponsored cyber-attacks, cyber-espionage, hacktivism or good old-fashioned cyber-crime, the impact of a cyber-security incident can be significant.

In its 2014 Information Security Breaches Survey, PwC identified that while the number of security breaches affecting UK businesses decreased in comparison to the 2013 survey, the cost of individual breaches rose significantly. The average cost to a large organisation of its worst security breach was between £600,000 and £1.15m (up from £450,000 to £850,000 in the 2013 survey). Indeed, 10% of organisations that suffered a breach in the 12 months prior to the survey were so badly damaged by the attack they had to change the nature of their business.

This article discusses the legal framework that seeks to compel organisations to take steps to protect themselves from cyber-security threats and the ‘non-technical’ steps that organisations can take to protect themselves.

Legal framework

There is no overarching law on cyber-security; instead UK companies have to comply with a plethora of laws and regulations.

The Data Protection Act 1998 obliges organisations to take appropriate technical and organisational security measures to protect the personal data they process. A similar provision applies to telecommunications providers pursuant to the Privacy and Electronic Communications (EC Directive) Regulations 2003 (although the security measures to be adopted there apply to the services they provide, not merely to personal data). The Information Commissioner, the UK data protection regulator, has the ability to impose monetary penalties of up to £500,000 on organisations that fail to comply with these laws.

Listed organisations and financial institutions are also subject to particular legal and regulatory requirements relevant to cyber-security. Financial institutions regulated by the Financial Conduct Authority are obliged to:

1) have appropriate systems and controls to comply with regulatory requirements and standards;
2) maintain adequate policies and procedures to ensure compliance; and
3) take reasonable care to organise affairs responsibly and effectively with adequate risk management systems.

Change is on the near horizon

In February 2013, the European Commission issued a draft cyber-security directive. If passed, the directive will oblige providers of critical national infrastructure (including those in the transportation, energy and financial services sectors) to take appropriate technical and organisational measures to manage the cyber-security risks posed to their networks and systems, and to report security breaches to the relevant regulator. The Commission is hopeful that the directive will be adopted by the end of 2014; there is currently an 18-month transposition period following the date of adoption, so the directive is unlikely to be effective before mid-2016.

Value of policies

So what can organisations do to meet these requirements and protect themselves? The PwC report notes that 70% of companies where security policy was poorly understood had staff-related breaches, compared with 41% where the policy was well understood. Policies on information security and data protection are critical to mitigating cyber-security risk.

Policies will be one of the items organisations are measured against in the event of a security incident, so having a comprehensive policy that is not followed can be as detrimental to an organisation as not having a policy at all. To be effective, policies must be communicated throughout the organisation, implemented and enforced.

Contracting process

Some of the most significant data security incidents of the last 12 months have been caused by third party suppliers. It is critical to carry out effective due diligence on third party service providers’ security measures and ensure robust contracts are in place with those providers. Given the potential liability exposures for cyber-security incidents, considerable thought should be given to any limitation on the service provider’s liability for breaches of the contractual security requirements.

Cyber insurance

Cyber insurance has been available in the UK and Europe for over ten years. However, many businesses are only just appreciating its necessity. Cyber insurance is not just about insuring financial loss due to a cyber-incident; it is also key to managing risk. One of the first questions an underwriter asks a business approaching insurers for cover is what procedures are currently in place and exactly what the business is doing to manage the risk.

Accordingly, businesses need to work with brokers and insurers to protect themselves as much as possible, rather than simply rely on the policy to respond in the event of a cyber-related incident. Insurers will demand that appropriate risk procedures are in place and implemented. If they are not, businesses may find themselves uninsured. It is essential for businesses to do their homework before purchasing cyber insurance to ensure that:

1) the business has the appropriate procedures in place to minimise the risk of a cyber-incident (including suitable policies);

2) appropriate cover is being purchased that will respond to all identified risks; and

3) the policy will provide the necessary support both beforehand (eg the inclusion of risk management training in the policy) and in the event of a claim (eg legal, IT, public relations and other support, as well as cover for losses).

If these three key points are considered when selecting a policy, a business will be in a good position to manage exposures to cyber risks through insurance.

About the author

Peter Given is a Managing Associate at law firm Bond Dickinson, specialising in data protection and privacy law. He advises clients on data protection matters in a variety of contexts, including in relation to general data protection compliance, data processing and outsourcing arrangements, direct marketing, data subject access requests and cross-border transfers of data. Peter has undertaken secondments to a global US-based financial institution and a major European pharmaceutical organisation. In both secondments Peter supported the internal legal teams on a variety of matters and projects, including those relating to data protection and privacy.

© 2024 Professional Security Magazine. All rights reserved.