Cyber risk: a business-critical issue for company boards
This article was produced by Olswang LLP, which joined with CMS on 1 May 2017.
The risks
With targeted cyber attacks increasing in their scale and frequency, managing cyber risk should no longer be seen as simply an IT issue. There is a great deal at stake. As well as direct theft of money or digital content, which may include intellectual property and confidential information as well as personal data, an organisation may suffer reputational damage, loss of clients and disruption to its operations as a result of a cyber attack. There is also the potential for regulatory action leading to fines and other penalties, criminal investigation or prosecution and legal claims from customers or employees.
According to the Government's survey, the average cost to a large organisation of the worst security breach in the last year was £450,000 to £850,000, or £35,000 to £65,000 for a small business. At the top end of the scale, it has been reported that the total cost to Sony of the PlayStation hack in 2011 was $171 million. The fine of £250,000 imposed on Sony by the UK's data protection regulator, the Information Commissioner ("ICO"), earlier this year, was therefore a fraction of the real cost of the breach.
Fines such as this are only likely to rise. Significant developments in data security regulation are on the horizon and businesses will need to make sure they keep up to date and comply. In particular, under the new EU General Data Protection Regulation (discussed here), fines of up to 2% of global turnover could apply in future. This is significantly more than the current maximum fine of £500,000 available to the ICO.
Also in the pipeline is the Network and Information Security (NIS) Directive, which would impose new obligations on ecommerce platforms, social networks and key infrastructure providers to have formally documented security policies, undergo security audits and report cyber attacks to national authorities.
Managing the risks
As with other business-critical risks, prevention is better (and very considerably cheaper) than cure. At Olswang, we recommend proactive risk reduction to help guard your organisation against cyber attacks and to ensure you are fully prepared if the worst does happen.
Action points - things to do now
- Analyse the vulnerable areas in your business, based on a fully informed risk assessment of data handling processes and policies across the organisation. The assessment should include the risks of using third party providers and the company's supply chain. Your business is only as secure as the weakest link in its supply chain.
- Consider how company resources should be deployed to target the most critical areas in the most effective way.
- Create or update your company's records management and retention policies. Ensure that data which you are not legally required to retain, or have no legitimate business reason to retain, is promptly and securely wiped.
- Create and ensure compliance with data access protocols and limit staff access.
- Ensure that policies cover home and mobile working and comply with best practice such as the ICO's BYOD guidance (discussed here).
- Put in place a data security incident plan with an identified crisis team including clear reporting and escalation to the Board.
- Keep a record of your notification obligations to your regulators, your customers and your employees and identify a notification subject matter expert.
- Create standard questionnaires and risk assessment reports to be completed following a breach, with clear escalation paths.
- Ensure that appropriate backup policies are in place.
- Implement a training programme on data security for all staff.
- Review insurance cover for cyber breach and data loss risks.
To help organisations manage their risk, Olswang offers comprehensive risk assessments, including the Olswang Privacy Risk Assessment, an online tool to help companies audit their handling of personal data and identify key areas of risk. The benefit of solicitors carrying out the assessment is that this maximises the chances of legal privilege protecting the inputs and outputs of the process, so that documents will not usually be disclosable to litigants or regulators. We can also partner with cyber security experts who carry out vulnerability testing and offer practical security measures. We also recommend that data security incident plans (point 6 above) are tested. A "war game" based on a mock security breach can be an effective way to do this, and Olswang can work with clients to run this kind of test.
Government help is also at hand. In November 2011, the Government launched a Cyber Security Strategy for 'protecting and promoting the UK in a digital world'. As part of its Strategy, the Government is developing an industry-led organisational standard on private sector cyber security and in March 2013 a consultation was opened inviting responses from businesses on this topic. Businesses have until October 2013 to submit evidence and the Government will then 'select and endorse an organisational standard that best meets the requirements for effective cyber risk management'.
The Institute of Chartered Secretaries and Administrators also recently published a Guidance Note on cyber risk. This includes helpful recommendations in relation to understanding and assessing an organisation's cyber risk.
If your organisation does find itself the victim of a cyber attack, swift action and well-informed decision making will be key at the outset. We are experienced in helping to handle data crises, including dealing with media and online interest in the story.
For further information about the Olswang reputation management and data protection practice, including the Olswang Privacy Risk Assessment, please contact Ashley Hurst, Ross McKean or Louise Lambert.
Any information contained in this article is intended as a general review of the subjects featured and detailed specialist advice should always be taken before taking or refraining from taking any action. If you would like to discuss any of the issues raised in this article, please get in touch with your usual Olswang contact. This article was included in our Olswang Corporate Quarterly Summer 2013 publication.