Cyber risk is increasingly on the agenda for all businesses. However, the professions, and in particular accountants, have been singled out by bodies such as The Department for Business, Innovation & Skills (BIS) as a particularly vulnerable group. Why is that the case and what can be done to manage cyber risk from a legal perspective in 2016?
“Cyber risk” is a collective term for business exposures arising from the loss or impairment of data. It can arise from the activities of third parties, such as hackers, from insider fraud, or from more mundane but equally serious problems such as technical failure or human error. The principal exposures are, briefly:
- business continuity issues/lost profits arising from disruption to business from the loss or corruption of data
- regulatory issues arising from the compromise of regulated data (principally personal, but also commercially or market sensitive data) including the cost of dealing with regulatory investigations and fines
- liability exposures to third parties (ie as a result of losing their confidential data or being unable to provide contracted services)
- the costs of notifying data subjects and providing remedial services, such as credit monitoring
- reputational damage.
In the context of cybercrime, accountants are currently in the spotlight as they (and other professional services) are said to be seen as the “soft underbelly” for cyber criminals. As traditional targets for cybercrime, such as financial institutions, tighten their security, criminals move their attention to service providers who may have access to the same sensitive data, and sometimes a “back door” to client systems, but may not necessarily have the same degree of sophistication when it comes to putting in place robust cyber security measures.
Typical issues depend on the size of the business involved. At the smaller end of the profession, problems typically arise from straightforward issues such as lost laptops, keeping information in unencrypted form or simply failing to realise that they need to register as a data controller or processor for the purposes of the Data Protection Act. At the other end of the spectrum, large firms are targets due to the volume of commercially sensitive data to which they have access. Accordingly, whilst their security measures are generally more robust, the consequences of a data loss or breach are more severe.
Factors to consider – pre-incident
From a legal perspective there are a number of steps which can be taken to reduce the risk of a breach, speed up the response, mitigate losses and ultimately justify the firm’s conduct to regulators or clients in the event of a breach. These include:
- data security policy review – ensuring that data security policies are up to date and robust. Typically this will include confirming what regulated data is held, where it is held (in particular, even in a relatively small business with overseas clients or outsourced IT systems, data may be subject to regulation in a number of different jurisdictions) and ensuring that procedures are in place to minimise the amount of regulated data held and to safeguard it adequately
- breach response plan/readiness – (in conjunction with technical experts) putting in place an effective breach response and recovery plan. This will include issues such as confirming the location of critical assets, establishing the team in the event of a breach and looking at contractual issues such as counterparty exposures and service supplier arrangements to avoid unwelcome surprises in the event of an incident (see below). For firms who do not have access to an integrated breach response service or appropriate cyber insurance, that will also include identifying the team that they will call on in the event of a breach to provide breach management, IT forensics, legal assistance, public relations support and other ancillary services, such as notification services or credit monitoring. For some firms additional readiness training or exercises will be appropriate
- counterparty review – as well as questions of access and assistance in the event of a breach, there is a more general question of ensuring the adequacy of agreements, often based on precedents drawn up in the pre-digital age, to deal with a cyber incident. Where one’s own clients are concerned, an assessment needs to be made as to whether limits of liability are appropriate and whether the parties’ roles and respective responsibilities are properly defined. Conversely, in the case of a firm’s own service providers, it is necessary to ascertain whether contracts provide for adequate assistance and redress in the event of an incident.
Factors to consider – post incident
Issues for consideration once an incident is underway include:
- notification issues: it is necessary to confirm what data is affected, what regulators might be involved (eg ICO, FCA, PCI or Stock Exchange) and whether notification is necessary or desirable. It will also be necessary to consider notification requirements in overseas jurisdictions. Finally, it will be necessary to consider whether any contractual obligation to notify a client or other third party who has provided data arises (under, for example, non-disclosure agreements)
- access issues: as mentioned above, legal input is sometimes required in obtaining access to data held by third parties such as data centres or hosting providers. Other issues may arise in obtaining disclosure from service providers or employees who are thought to be implicated in a breach
- liability claims: breaches often give rise to liability claims. Although it is possible for data subjects to bring claims where they have suffered financial loss as a result of a breach (and potentially for distress alone following the recent Google v Vidal-Hall decision), claims from commercial counterparties for failure to perform contractual obligations are a much more common, and usually more serious, issue
- the rest: a multitude of other legal issues potentially arise – it may be necessary to obtain an injunction to prevent the misuse of confidential information, misappropriated funds may need to be traced and, if the issue arises from the activities of an insider, employment law issues may arise, to name but a few.