Cyber security: the dos, the don’ts and the legal issues you need to understand
November 2015 | EXPERT BRIEFING | RISK MANAGEMENT
Cyber security and data protection are buzzwords at the moment and for good reason. Banks and other financial institutions face constantly evolving cyber threats. The nature of the threat and the means by which cyber attacks are perpetrated are growing ever more sophisticated and the potential fallout from a major cyber security breach can be huge.
The Department for Business and Skills’ 2015 Information Security Breaches survey found that 90 percent of large organisations had suffered a security breach in the previous year. The average cost of the worst single breach suffered by a large organisation was an eye-watering £1.46m to £3.14m. Data security breaches result in loss of consumer trust, which can have an immediate impact on sales. But the costs of a security breach will also include business disruption costs, compensation payments and regulatory fines.
The survey also found that the nature of cyber attacks experienced by organisations has shifted, with a lower number of denial of service attacks and an increase in attacks involving malicious software. Perhaps surprisingly, given the growing awareness of cyber security risks, inadvertent human error was cited as the major cause of the worst security breaches, rising to 50 percent from 31 percent in the previous year.
Against this background the legislators are proposing new legal requirements, both in relation to the protection of personal data and cyber security risk management. Organisations need to start planning now for the proposed changes to legal requirements and take steps to avoid cyber security breaches.
Legal compliance meets the real world
When considering cyber security priorities, it is important for organisations to understand their legal obligations. But it is equally important to ensure that the means of complying with legal obligations align with business objectives and areas of real risk; cyber security management should not be a box-ticking compliance exercise.
Legal requirements in relation to cyber security in the UK arise primarily from the Data Protection Act 1998, which requires organisations to take “appropriate technical and organisational measures” to protect personal data from unauthorised access, damage, loss or disclosure. Such measures must ensure a level of protection that is appropriate, taking into account the harm that may be caused to individuals in the event of a data security breach and the nature of the data. When deciding which security measures to put in place, the Act further specifies that organisations should consider the state of technological development and the costs of implementing the measures.
In practice, this means that the legal obligations permit a degree of flexibility to carry out a risk assessment and to tailor security measures to mitigate against areas of real risk. It is important to note that the Data Protection Act does not require organisations to prevent cyber security breaches from occurring but to take all appropriate measures to protect the data. If a cyber security breach occurs despite having taken all these measures, then there will be no legal breach. It is worth noting, however, that the regulator sets a high bar for demonstrating that all appropriate measures were in fact in place.
Steps to take
Carry out a risk assessment to identify areas of real risk within your organisation where the most serious damage will arise if a cyber security breach occurs. Focus resources on these high risk areas.
Ensure that you consider risks across the whole organisation, including through sub-contractors and other members of your supply chain. Ask: where is your weakest link?
Remember that cyber security is not just about technical measures. People are one of the biggest risks within your organisation and ensuring that they receive ongoing training on cyber security risks is a key part of your defence.
Consider external solutions. Does a cloud provider offer a better solution for certain areas of your business? Provided that you carry out appropriate due diligence and are satisfied with security measures offered by cloud providers, this can be an effective means of mitigating risk.
Ensure that policies and guidance are easy to understand and readily available for all staff and contractors. The regulator will expect you to have effective policies in place as part of your security measures. But policies will not assist in defending against a fine if staff never refer to them or have difficulty understanding their practical application.
Steps to avoid
Don’t rely on a tick-box compliance exercise that does not take account of risk.
Don’t think that cyber security is just an IT issue. The whole organisation needs to take responsibility for managing cyber security risks.
Don’t consider cyber security management as a one-off exercise. Cyber criminals, so called ‘hacktivists’ and government-led cyber attacks are constantly evolving; your cyber security programme needs to do likewise.
Don’t sign up to a cloud service provider’s contract terms without a proper review. You need to be satisfied that your provider offers contractual obligations to protect your data and that you can access and retrieve your data in a usable format whenever you need to, particularly on exit.
Don’t forget about breach detection measures and breach management procedures. Data security breaches will happen no matter how good your security measures are. Ensuring that you are ready to deal with them swiftly and effectively is a key part of your defence.
The proposed Data Protection Regulation is expected to be passed by Europe within the next 12 months. This Regulation will replace the Data Protection Act in the UK. Security obligations remain broadly the same under the proposed new regime.
However, there are some key differences. Fines will be significantly increased (with one draft of the Regulation proposing fines of up to 5 percent of worldwide turnover), which will mean that the costs of a cyber security breach will be even higher. There will be legal obligations to report serious data security breaches to the regulator and to individuals where their privacy will be affected. Data processors will also have direct obligations in relation to data security for the first time. This means that contracts with IT suppliers and other supply chain providers will be negotiated differently, with more of a focus on carving up responsibility for different areas of risk and compliance.
There is also a Cyber Security Directive in the offing that will require operators of ‘critical infrastructure’, including certain financial services infrastructure, to put in place measures to prevent cyber security attacks and to report significant attacks to the regulator.
None of the proposed legislation is in final form yet. But the proposals signal the direction of travel for the regulator, with an ever increasing focus on ensuring that appropriate steps are taken to prevent cyber security attacks and the risk of higher penalties when breaches occur. Ensuring that you have an effective, risk-based cyber security programme in place has never been more important.
Alison Deighton is a commercial partner and head of data protection at TLT Solicitors. She can be contacted on +44 (0)333 006 0160 or by email: alison.deighton@TLTsolicitors.com.
© Financier Worldwide