Information security and system resilience are strategic issues for every business, with media reports of security breaches in businesses, government agencies and other organisations now a daily occurrence.
This is the first in a three part series that analyses the latest best practices in relation to cybersecurity. The second e-bulletin will review the key elements of a crisis management plan to ensure a swift, and effective, response to a cyberbreach while the third summarises the steps being taken to address cybersecurity issues and encourage a coordinated approach, and response, to a cyberattack, in particular in Asia-Pacific.
1. The importance of cybersecurity policies
A data and security breach can have serious operational, financial, legal and reputational implications for any organisation, including:
- Financial loss from fraud and theft.
- Operational disruption.
- Loss of business.
- Reputational loss.
- Compensation claims.
- Mandatory notification requirements (including to regulators/authorities, those affected or under stock exchange rules).
- Regulatory action/sanctions/fines/relationship issues (including possible criminal offences or revocation of licences).
- Director/officer liability.
- Legal fees.
- Restoration and remedial costs.
- Loss of business value.
- Issues for transactions (e.g. as a result of disclosures during mergers and acquisitions due diligence).
- Possible loan defaults.
- Insurance related issues.
If confidential information, trade secrets or intellectual property are compromised during a breach, such disclosures can seriously damage a company’s ability to compete.
Organisations should also consider whether they have breached any third party contracts or applicable law by failing to protect confidential information or failing in security measures. If a business has been negligent, it must be prepared for claims for damages from those affected.
Cyberattacks constitute a criminal offence in most jurisdictions in Asia. However, it is often very difficult to seek redress against cybercriminals, with complex traceability, forensics, evidential, jurisdictional, law enforcement and mutual legal assistance treaty issues.
2. A sound cybersecurity policy
A cybersecurity policy can help prevent or manage cyber attacks and demonstrate compliance with standards and regulations to mitigate a business’s liability to regulatory enforcement if cyber attacks do occur. A cybersecurity policy should apply across product development, all stages of the supply chain (including being adhered to by external parties), internal operations and customer-facing functions.
Below are examples of some of the measures which ought to be included in a cybersecurity policy:
- Robust policies and procedures.
- Regular training sessions for staff to impart good practices and strengthen awareness of threats to security.
- Only hold necessary data in systems that can be compromised.
- Ensuring computer networks are secure.
- Appropriate access controls (e.g. considering stronger authentication measures where appropriate).
- Identify important data and adopt adequate measures to detect and prevent the unauthorised access, copying or transmission of data.
- Encrypting data.
- Appropriate computer security software and using suitable computer security settings.
- Updating computer security and IT equipment regularly.
- Ensuring suppliers are able to provide the requisite standard of IT security.
Data loss prevention measures
- Confidential data at endpoints (data in computers or portable devices) should be strongly encrypted. Organisations should implement appropriate measures against data theft, loss and leakage from endpoints.
- An organisation should not allow the use of unsafe internet services such as social media sites, cloud-based internet storage sites, and web-based emails to communicate or store confidential information. An organisation should only send information through encrypted channels to protect data traversing a network or being transported between sites (data in motion).
- Confidential data at rest (data in servers, databases, backup media and storage platforms) should also be encrypted, and access to systems controlled. Organisations also sanitise IT systems of confidential information prior to disposal.
3. Cybersecurity and contracts
Well-drafted contracts can promote appropriate behaviours to minimise cybersecurity risk, mitigate the impact of cyber attacks, and allow the recovery of losses caused cyber attacks.
Allocation of risk and liability will need to be carefully considered (e.g. who is responsible for what in the event of a breach of cybersecurity, including non-compliance with law or regulation and any confidentiality restrictions).
Force majeure clauses, relieving performance of a contract if a party is affected by circumstances outside its control, should carefully reflect what cybersecurity measures each considers reasonable for the other to take, and should define the severity of cyber attack that would constitute force majeure.
Business continuity and disaster recovery clauses should define what each party should do to prevent cyber attacks, and require the creation of a BC/DR plan, with concrete objectives and payment obligations in the event of a cybersecurity threat.
Insurance clauses may require each party to maintain cybersecurity insurance cover. Cybersecurity insurance policies are increasingly being taken out or required by organisations.
Processes and procedures to be followed in the event of a cyberattack should be included in relevant contracts, for example in order for a party to comply with mandatory or other notification requirements or manage other risks.