The average cost of severe online security breaches now starts at £1.46 million – up from £600,000 in 2014, according to government research published in June 2015. Not only is the cost increasing, but also the number of cyber-attacks. John Chambers, CEO of Cisco, recently predicted an exponential rise in both the number of attacks and volume of successful penetrations. Effective cyber defence requires a different approach to traditional compliance models.
Cybersecurity has become a top-tier risk for businesses. The sophistication of cyber weaponry means any hacker, if determined enough, can penetrate organisational security boundaries to access or remove sensitive data. For many businesses, this is likely to have already happened, typically without their being aware of it, given the ability of the hacker to cover their tracks.
Attackers innovate rapidly and work anonymously to place themselves beyond the reach of law enforcement. Arrests are rare and the cyber underworld has its own information sharing network, meaning vulnerabilities once found are rapidly distributed.
Unfortunately, investing in defensive measures alone is not the solution. Attacking techniques evolve as quickly as new countermeasures arrive, whilst the demand from staff and customers for multi-channel, 24x7 access to resources means an ever-increasing number of points of entry to corporate systems. The growth of the Internet of Things provides a further field of potential targets, whilst outsourcing and extended supply chains create some of the best opportunities to penetrate systems through third-party connections via backdoors built into components.
Even where a hack may pose little risk of actual harm to consumers, the reputational harm of an attack is likely to be significant if it becomes public. There’s also the risk of business disruption, loss of competitive advantage (if trade secrets are stolen) and the handling of any regulatory inquiries that may flow from the breach, together with associated forensic analysis and PR/legal costs.
Cyber risk management requires a more agile approach to risk management than other boardroom-level risks: a multi-disciplinary approach is needed that looks not only across internal business lines but also works collaboratively with industry peers. The most effective models anticipate an exchange of information about emerging threats within industry sectors, supported by a coherent information governance strategy within the business.
QUESTIONS TO ASK YOURSELF:
- Do you have a strong governance program in place?
The NACD Cyber-Risk Oversight Handbook, which DLA Piper lawyers helped to draft, provides a helpful roadmap for demystifying cybersecurity and establishing a structure so directors can meet their duty of care.
- Do you have an incident response plan in place, and have you tested it?
Implementing an incident response plan for cyber incidents and conducting tabletop exercises to gauge how your business would respond to an incident is a key countermeasure to reduce the costs flowing from a data breach.
- Are you conducting periodic cybersecurity risk reviews?
Companies often need to conduct outside assessments to meet duties of care and to pass third-party cybersecurity audits required by customers.
- Are you managing your supply chain risk?
Addressing vendor and supply chain risk is an important part of cyber-risk management. One part of this effort involves managing vendor agreements to require, among other things, notice of suspected (not just actual) breaches, third-party security audits and adequate indemnification. A related task for purchasers and suppliers is tracking agreements that need updating when they come up for renewal and mapping notification obligations in the event of a breach. It can also be important to obtain third-party security audits further down the supply chain of component suppliers.
- How do you respond to a breach?
It is critical to respond quickly and effectively to an incident, conducting a thorough investigation into events on the ground whilst in parallel handling any regulatory notices and messages to customers who may be affected. In the case of a payment card breach, it is important to upload affected card numbers through a merchant’s payment card processor so that the numbers are flagged for fraud monitoring to avoid potential card fraud.
- Does your insurance adequately cover data breach risk?
Insurance is a key part of risk management and can offer significant protection for monetary costs incurred from data breaches. Finding the right coverage for your organisation’s risk posture is important.
- Are you addressing cybersecurity risk in M&A transactions?
Over the past decade, M&A transactions have resulted in some costly security liabilities. Cybersecurity risk has grown so important that it merits particular attention in the due diligence process. Furthermore, cybersecurity risk must be addressed during post-merger integration. Legacy systems are often vulnerable to attack and it is important, where possible, to implement post-merger security solutions reflecting best practices.
- Are you keeping up with rapidly changing regulatory requirements?
Cybersecurity and data security are topics of great concern to policymakers. Requirements are changing rapidly around the world and enforcement is increasing. While compliance with regulatory requirements is no guarantee against a security incident, suffering a reportable security incident when out of compliance can significantly increase risk, penalties and adverse publicity.