Cyber risk management: A boardroom issue by Peter Given
Having comprehensive cyber risk policies that are not followed can be as detrimental as not having a policy at all, says Peter Given, who advises that good risk-insurance will demand appropriate procedures are both in place and implemented.
Cyber-security is an increasingly high-profile and costly issue. Whether state-sponsored cyber-attacks, cyber-espionage, hacktivism or good old-fashioned cyber-crime, the impact of a cyber-security incident can be significant.
In its 2014 Information Security Breaches Survey, PwC identified that while the number of security breaches affecting UK businesses decreased in comparison to the 2013 survey, the cost of individual breaches rose significantly. The average cost to a large organisation of its worst security breach was between £600,000 and £1.15m (up from £450,000 to £850,000 in the 2013 survey). Indeed, 10 percent of organisations that suffered a breach in the 12 months prior to the survey were so badly damaged by the attack they had to change the nature of their business.
So what is the legal framework that seeks to compel organisations to protect themselves from cyber-security threats, and what "non-technical" steps can organisations take to protect themselves?
Legal framework: the current state of play
Currently, there is no overarching law on cyber-security; instead UK companies have to comply with a plethora of laws and regulations.
The Data Protection Act 1998 obliges organisations to take appropriate technical and organisational security measures to protect the personal data they process. A similar provision applies to telecommunications providers pursuant to the Privacy and Electronic Communications (EC Directive) Regulations 2003 (although the security measures to be adopted apply to the services they provide not merely personal data). The Information Commissioner, the UK data protection regulator, has the ability to impose monetary penalties of up to £500,000 on organisations that fail to comply with these laws.
Listed organisations and financial institutions are also subject to particular legal and regulatory requirements relevant to cyber-security.
Legal framework: Change is on the near horizon
In February 2013, the European Commission issued a draft cyber-security directive. If passed, the directive will oblige providers of critical national infrastructure (including those in the transportation, energy and financial services sectors) to take appropriate technical and organisational measures to manage the cyber-security risks posed to their networks and systems and to report security breaches to the relevant regulator. The Commission is hopeful that the directive will be adopted by the end of 2014; there is currently an 18-month transposition period following the date of adoption and so the directive is unlikely to be effective before mid-2016.
The value of policies
What can organisations do to meet these requirements and protect themselves? The PwC report notes that 70 percent of companies where security policy was poorly understood had staff-related breaches, compared with 41 percent where the policy was well understood. Policies on information security and data protection are critical to mitigating cyber-security risk.
Policies will be one of the items organisations are measured against in the event of a security incident, so having a comprehensive policy that is not followed can be as detrimental to an organisation as not having a policy at all. To be effective, policies must be communicated throughout the organisation, implemented and enforced.
Robust contracting process
Some of the most significant data security incidents of the last 12 months have been caused by third-party suppliers. It is critical to carry out effective due diligence on third-party service providers' security measures and ensure robust contracts are in place with those providers. Given the potential liability exposures for cyber-security incidents, considerable thought should be given to any limitation on the service provider's liability for breaches of the contractual security requirements.
Cyber insurance has been available in the UK and Europe for over 10 years. However, many businesses are only just appreciating its necessity.
Cyber insurance is not just about insuring financial loss due to a cyber-incident; it is also key to managing risk. Insurers will demand appropriate risk procedures are in place and implemented. If they are not, businesses may find themselves uninsured.
It is essential for businesses to do their homework before purchasing cyber insurance to ensure:
1. The business has the appropriate procedures in place to minimise cyber-security risk
2. Appropriate cover is being purchased that will respond to all identified risks
3. The policy will provide the necessary support, both beforehand (eg the inclusion of risk management training in the policy) and in the event of a claim (eg legal, IT, public relations and other support as well as cover for losses)
If these three key points are considered when selecting a policy, a business will be in a good position to manage exposures to cyber risks through insurance.
Contributed by Peter Given, managing associate, Bond Dickinson.