The threat of cyber security breaches is increasing. Serious consequences can follow a breach, including potential regulatory issues, business liability, damage to reputation and costs of remediation. 90% of large organisations report that they have suffered an information security breach, an increase of 9% since 2014.*
For FCA regulated companies adequate cyber security measures are an integral part of regulatory compliance. Apart from the regulatory ramifications of a data theft, a company may be liable to its customers or suppliers under breach of contract or negligence.
The UK Government’s 2015 Information Security Breaches Survey highlights the increasing prevalence, scale and cost to businesses large and small throughout the UK. The average cost (to surveyed companies) caused by a breach, including business disruption, regulatory fines and compensation, has increased to as much as £311,000 for small businesses and £3.47m for large organisations. The damage to their reputation and trust, as well as loss of confidential information, intellectual property and trade secrets, can be far more significant and impossible to repair.
Spotlight on cyber security
Financial crime is one of the seven priority themes outlined in the Business Plan for 2016/17, with growing concerns about the impact of cybercrime on digital transactions. The FCA’s Business Plan highlights particular concerns around legacy systems, cyber-attacks and organisational resilience, pointing to some of the significant challenges currently facing firms.
The FCA will be collaborating with the Treasury, the Bank of England and other authorities to ensure a joined-up and risk-based approach to cyber-crime. It also intends to provide education tools to help firms deal with the risk of cyber-crime and respond swiftly to cyber-attacks.
Cyber security is also a focus at an EU level. Negotiators of the European Parliament, the Council and the Commission have agreed on the first EU wide legislation on cyber security: The Network and Information Security Directive. The text of the Directive is awaiting approval by the European Parliament and Council.
10 practical steps to help protect your business
Cyber security is a continuing and critical challenge which requires more than a simple technical response. The way an organisation prepares can both reduce the likelihood of a breach occurring and improve the outcome should an incident occur.
Using our international reach, we help our clients to develop solutions in a way that makes sense for their businesses globally. Here are ten steps to help protect your business from this evolving global risk.
- Review and develop your policies and procedures, including on data protection, cyber security and employee conduct. Consider how you will embed those policies through clear corporate communications and focused training.
- Tailor your contracts to ensure that you have the best protection as regards your customers, suppliers of critical IT systems and employees (e.g. through restrictive covenants) and in your corporate acquisitions.
- Remember the “threat from within”: consider the range of processes and tools you might deploy to counter the unauthorised activities of personnel but try to avoid the bear traps lying within data protection and other laws concerning monitoring.
- Engage with the Cyber Security Information Sharing Partnership and the Financial Services Information Exchange, both government initiatives, to share cyber threat and vulnerability information.
- Review best practice standards across the industry. These include the National Institute of Standards and Technology framework and standards such as ISO/IEC 27000 and ISO 17799. The latter appears in the FCA Handbook as an example of a security standard.
- Consider your cyber insurance policy coverage. Is the level of cover adequate? Consider the HM Government report on ‘UK Cyber Security – the role of insurance in managing and mitigating the risk’ for further guidance.
- Optimise your incident response planning, including communication strategies, investigation and strategy formation.
- If a breach has occurred, take quick and decisive action across multiple jurisdictions. Consider legal action (injunctions) to contain damage, ensure you notify and liaise with regulators, and take steps to protect your brand through reputation management in the traditional and online media.
- Conduct effective investigations, interface with regulators and provide guidance on any criminal liability flowing from information security breaches.
- Assess liabilities and rights. Consider whether it is appropriate to pursue claims against third party IT suppliers (in cases of external data breaches) and employees (in cases of internal data breaches). Think about how you will handle customer complaints and claims against your organisation arising from a loss of customer data.