The cyber-attack suffered by Hacking Team revealed unexpected vulnerabilities of systems with considerable consequences for businesses whose cyber risk strategy shall be reassessed.

The press extensively covered during the last days the case concerning the cyber attack suffered by the Hacking Team, a government-sponsored provider of device monitoring solutions.  Following the attack, over 1 million emails from Hacking Team where published by Wikileaks showing a number of vulnerabilities that were being used by the group – such as a bug in Adobe Flash that can be exploited to get complete control of a computer – which has meant that anyone can counteract them as well as use them for their own ends.

The above made me think about a recent comment from John Chambers of Cisco that at the World Economic Forum declared

There are two types of companies: those who have been hacked, and those who don’t yet know they have been hacked.

What are the consequences of a cyber attack?

Under a legal standpoint there are 3 most likely consequences of a cyber attack

  1. it can trigger claims from customers as it might occur in the recent cases of stolen credit card details.  The peculiarity of a country like Italy is that in such disputes the burden of proof of having adopted any measure to prevent the data breach will be on the business rather than the claimant through the so called “probatio diabolica“;
  2. it can lead to sanctions and data breach notification obligations under data protection law.  The upcoming EU Privacy Regulation will require any type of entity processing personal data to notify data breaches to both the relevant data protection authority and the individuals affected by data breaches, unless they prove to have adopted adequate security measures to prevent the cyber attack.  Additionally it will increase fines for privacy breaches up to 2% of the global turnover of the breaching entity;
  3. it can affect customers’ trust in the business and its technology/products.  The reputational damages deriving from a data breach might be massive especially for emerging technologies such as the Internet of Things whose success is often linked to the need to create trust in such technology by customers.

Data is the currency of the future

We recently ran a Big Data Workshop with representatives from different industries which emphasized the value of customers’ data, including big data, for their business.   During the workshop I mentioned that last year we assisted one of our major clients on a € 2+ billion acquisition in Italy, and the ability by the buyer to use in compliance with applicable data protection laws the seller’s customers database for its business was a deal breaker since it was essential to create the synergies and the economies of scale behind the deal.

A cyber risk is not only a risk of a cyber attack.  It is also the risk of lack of compliance with data protection laws which – if identified – might not only trigger the sanctions, claims and trust related consequences mentioned above, but also prevent a business from using the data unlawfully processed.

In a world where data exponentially represents a major asset for a company, the inability to use it is a considerable financial loss.

Can the cyber risk be insured?

We ran a very interesting seminar on cyber risk last year with colleagues from the insurance, criminal law, litigation and privacy departments.  Cyber risk insurance policies are becoming extremely popular with different products available on the market that have to deal with regulatory restrictions relating for instance to the type of risk can be covered.  In particular, in countries like Italy administrative fines for breach of privacy regulations for instance cannot be covered by means of insurance policies under applicable laws.  A cyber risk insurance policy can mitigate business related risks, but it cannot be the sole solution.

Security is not a technical issue

There is an interesting comment on the topic

Security is a business issue, not a technical issue

And I believe that such sentence clearly identifies the topic.  Security in a connected world cannot be considered anymore to be an issue to be dealt only by technicians.  Security flaws might arise from the most unpredictable sources such as our employees’ smartphones or their home computers connecting to the company’s system.

Do you have a cyber risk strategy?

The solution might not be the monitoring of any employee’s activity.  As stressed by Italian data protection authority in their guidelines on the usage of Internet and emails, the monitoring of employees usage of electronic devices is prohibited and even in case of non-systematic checks it require to put in place adequate policies compliant with privacy regulations.  The Italian Government is reviewing a law proposal which should “relax” regulations on the topic, but this is still an issue.

The level of internal cyber security is exponentially becoming a legal issue since such level shall be adequate to the risk associated to the processed personal data.  And such need will be further emphasized under the new EU Privacy Regulation.  The purchase of a reliable security product is not the solution to any cyber risk, since as John Chambers reminded us a cyber attack is always likely to occur.  It is essential to have a cyber risk strategy to manage contractual relationships with suppliers as well as measures to be taken in case of data breaches.

privacy by design approach might help to mitigate risks, but the whole business of a company shall be structured to protect data as one of its most valuable assets!