Cyber-attacks and data breaches are among the key dangers facing corporations today. Serious incidents continue to grab headlines, and for many organisations huge losses and costs are just a tick-tock away. But can we stop the timer? The short answer is “probably not”; however, we can certainly try to slow it down.
Cyber-crime is on the increase, as high-profile hack victims such as Sony, Target Corp and eBay know only too well. New cyber security vulnerabilities in established systems (such as Shellshock, which was quickly exploited to recruit vulnerable machines into botnets) continue to provide new platforms for crime. Cyber risks are further compounded by the ever-increasing sophistication of online criminals, who are often perceived to be one step ahead of law enforcement agencies and specialist cyber-security firms. Liability is also likely to grow as a result of developments such as cloud computing and the Internet of Things (where more and more sensitive information is stored online and an increasing number of everyday devices are connected to the Internet).
Add to this the risk of data loss from human error (the classic example being an unencrypted laptop full of sensitive information left on a train) and the picture appears extremely worrying.
Organisations face significant losses when dealing with cyber-attacks and data breaches including, amongst other things, loss of or damage to data, software and essential IP, business interruption from network downtime, cyber extortion, wasted management time, and reputational damage. A recent report (the 2013 Cost of Data Breach Study: Global Analysis by Symantec and the Ponemon Institute) found that the cost of the average data breach in the UK was more than GBP 2 million.
With regard to data breaches, the situation is expected to become even more serious once the new EU Data Protection Regulation is finalised and finds its way into UK law. According to the latest draft approved by the European Parliament, businesses could be fined up to EUR 100 million or 5% of their annual worldwide turnover for certain data breaches (whichever is higher) and will be obliged to notify both national data protection authorities and the individuals affected. There is still some way to go before the final regulation becomes law. However, once it does, businesses suffering from cyber-attacks and data breaches are likely to see their related losses and costs increase dramatically.
Dealing with the risk
Organisations should consider a dual approach to help reduce exposure from cyber liability and data breach. In order to lower the risk of liability from the outset, IT security and information security should be given utmost priority. At the same time, organisations should think about purchasing appropriate cyber liability insurance to help cover their losses in the event of an attack or breach.
Organisations should ensure that at all times they employ up-to-date IT security packages and services. IT security should be monitored on an ongoing basis and updated as and when needed. These days many businesses employ relatively sophisticated, or in some cases state-of-the-art, IT security measures. Intrinsically linked to IT security is information security, which is also important for every modern business that deals with data. Information security standards and requirements are designed to protect entities from loss or theft of, or damage to, data (including personal data).
Although a number of organisations adhere to defined information security standards, there are issues with some policies. Some employ a one-size-fits-all approach to information security, meaning they are unwilling or unable to adapt their policies to reflect the particular circumstances to which the policies are required to apply.
This can prove difficult, for example, if a company wishes to outsource services to a third party but is unable to do so because the third party cannot comply with the company’s information security policy (even though the third party’s own information security measures are already industry-standard).
On the other hand, some businesses appear to apply information security requirements on a selective basis (where, for example, ‘non-material’ services contracts can fall off the radar, even though the potential liability from data loss can be as problematic as if they were material contracts).
Accordingly, we think organisations:
- Must take a robust approach to information security in order to help reduce their potential liability, although such an approach should also be flexible enough to adapt to the commercial needs of the business without compromising the security of data.
- Should at the same time be careful to ensure such information security standards are applied evenly across their operations to ensure all areas with potentially large data protection liabilities (including third party services provided under ‘non-material contracts’) are within scope.
Cyber liability insurance
As discussed above, as part of the dual approach, cyber liability insurance specifically designed to cover the risks associated with cyber-attacks and data breaches must also be a consideration for organisations that wish to mitigate their potential liabilities.
Although widely adopted in the US (due in large part to US data privacy laws with stricter sanctions for data breaches), demand for cyber liability insurance is comparatively low in the UK. However, with risk set to increase once the new EU Data Protection Regulation comes into force, it is only a matter of time before such insurance also becomes commonplace within the UK.