Legal Briefing

Cyber security: a matter for the board

Technology, Media and Telecoms | 16 June 2016

Almost half of the FTSE 350 businesses surveyed regard cyber attacks as the biggest threat to their business when compared with other key risks. This statistic, taken from the government’s latest FTSE 350 Cyber Governance Health Check report published this May, suggests that the message that cyber and data issues are a business, rather than a technology, risk is starting to get through. However, the report – together with the latest Cyber Security Breaches Survey – highlights that while some progress is being made, corporate Britain must do more.

And while cyber and data issues are now on the agendas of many senior executives, for those lawyers advising them the issues involved are becoming more complex. Increased regulation, technological developments and the impact cyber and data risk has on an increasing range of business activities all contribute to this changing risk profile. It is therefore as important as ever to keep your organisation’s approach to cyber and data issues under review, and ensure you are up to speed with developments.

Increased regulation and guidance

The current high level of interest in cyber and data risk, particularly among the legal and compliance community, can in part be explained by increased regulation in these areas.

The last few months have seen agreement reached on two contentious pieces of legislation:

  • The General Data Protection Regulation (GDPR) (agreed on 14 April) will require a culture shift for many organisations in terms of how they approach personal data, and elevates the sanctions for non-compliance to competition-style fines. Interestingly, an Ovum report published at the end of last year found that 52% of organisations believe that the GDPR will result in fines for their business – a worrying statistic for legal advisers, and a warning that for many there is much to be done between now and when the new law bites in May 2018.
  • The Network and Information Security Directive (NIS) – political agreement was reached on this cyber-specific law in December 2015. It will bring with it security and breach notification requirements for digital service providers and operators of essential services such as banks and energy companies. And even if your business will not be governed by the NIS regime when it is in force, these requirements will surely begin to set the bar of appropriate behaviours for all large companies.

We have also seen a renewed effort by the government to raise the cyber profile. It has announced a £1.9bn investment in cyber security over the next five years, will open a new National Cyber Security Centre this autumn (which it says will offer industry a ‘one-stop shop’ for cyber support) and has urged organisations to ‘take action’ on the back of research published in its FTSE 350 Cyber Governance Health Check and Cyber Security Breaches Survey. This includes adopting, as a minimum, its Cyber Essentials Scheme.

The impact of technology

Fast-paced technological developments have increased data-related business opportunities together with the corresponding risks.

The rise of new technologies which generate increasing amounts of valuable data or which connect more products and services to networks (both localised networks and the internet) are changing the data and cyber landscape. Big data and the increased use of data analytics are key examples of this. The increased use of cloud for a wider range of services is another, as organisations become more comfortable integrating cloud services into their supply chains. But the rapid growth of the Internet of Things (IoT) is arguably one of the biggest game changers in this area.

IoT is the next step towards a fully interconnected environment, and it raises many new opportunities and challenges for those involved. These include opportunities to exploit and analyse new streams of data from IoT-enabled devices and develop related services. However, this raises new data protection and cyber security issues – a fact that has not escaped the attention of the regulators. The Information Commissioner’s Office recently announced that it is leading this year’s Global Privacy Enforcement Network Sweep which will focus on IoT devices such as smart electricity meters and watches that measure health.

Interestingly, data and cyber concerns have also helped increase the popularity of some new technologies. Blockchain, the distributed ledger technology which is gaining traction in the fintech sector (and beyond), has been hailed by some as the answer to many of the information security issues faced by more traditional systems. This may be an overly simplistic view: an immutable ledger is only as trustworthy as the data written to it, and last year Interpol demonstrated that arbitrary data, including malware, could be embedded in a blockchain, where it cannot subsequently be removed. However, its use of cryptographic hashing and digital signatures, its decentralisation and verification by many parties, and the fact that it creates an append-only, tamper-evident ledger are attractive to those facing challenges in ensuring complete information security.

A business rather than technology risk

Perhaps the most important reason that data and cyber issues are currently so high on the agendas of company boards and the lawyers that advise them is the acknowledgement among most organisations now that these are key business, rather than technology, risks.

At their most severe, cyber and data breaches can prevent a business from trading and result in the loss of share price, customers and competitive edge (where IP and business intelligence is targeted). Cyber terrorism brings a new threat for those operating in critical service sectors, and cyber and data issues are increasingly impacting financing and M&A decisions.

A risk that can be managed

While the risks in this area increase, so too does the guidance available. Recent government-backed research also helps organisations understand where UK businesses are making improvements and where failings still exist. For example:

  • 69% of businesses say cyber security is a high priority for senior managers, and yet only 51% have taken recommended actions to identify cyber risk.
  • Despite ‘supply chain’ being regularly discussed as a key risk, only 13% of all businesses set cyber security standards for their suppliers.
  • Some organisations report experiencing a breach at least once a month, and the most common attacks detected involved viruses and malware that could have been prevented using the simple cyber hygiene measures set out in the government’s Cyber Essentials Scheme (boundary firewalls, secure configuration, access control, malware protection and patch management), suggesting some firms are still not getting the basics right.

Seven key steps to cyber preparedness

Engaged
Making cyber risk a core element of an organisation’s risk register, with executive engagement at the highest levels.

Informed
Ensuring senior executives are fully informed of their organisation’s cyber risks, mitigations and planning.

Educated
Employees and other insiders pose a big cyber risk, often through unintentional or ill-advised actions. Education is key to avoidance and mitigation.

Committed
Cyber criminals’ capabilities expand as technology develops. Data protection law already requires security measures that are appropriate having regard to the state of technological development, so organisations must keep investing to keep step with industry and technology developments.

Aware
Even with the best prevention technology, organisations will be regular targets of attempted cyber attacks, and should deploy technology and processes to detect attempts and mitigate their impact.

Supported
Few organisations have the skills in-house to support an effective cyber strategy. Bridge any gaps by retaining external agencies and engaging with industry groups.

Primed
Preparation is the best mitigation for a cyber breach. Cyber incident response plans should be specific, detailed, signed off at board level and regularly audited.