1. Managing cyber risk for board members
On 7 June, the Institute of Chartered Secretaries and Administrators ("ICSA") published a guidance note for company boards addressing issues around cyber risk and strategies for managing these risks. The ICSA was commissioned to produce this guidance by the Department for Business, Innovation & Skills ("BIS"), and it adds to the earlier guidance published by BIS in September 2012.
The ICSA guidance points out that company boards need to manage cyber security risks, as they are business-critical rather than simply an IT issue. The guidance recognises that the internet may bring immeasurable benefits for businesses, but that it brings new risks with them. It goes on to highlight the comparative newness of cyber risks and the level of vulnerability most companies face. The guidance encourages company boards to consider the particular threats that are relevant to their businesses and to make an active decision about the balance between the risk the organisation is prepared to take and the cost of targeted spending to protect the organisation from cyber attack. The guidance stresses that such protection needs to be robust, relevant and up to date in order to counter increasingly sophisticated cyber threats.
The guidance identifies five main types of cyber risk faced by companies, noting that each company will have a different combination of risks associated with their specific threats:
- Censure and embarrassment – Impacting the company's brand through negative publicity. This has been seen recently through 'hacktivism' of company websites stopping customers from accessing the site.
- Client loss – A reduction in revenue resulting from customers abandoning the company or service following a loss of service or confidential information. This was seen last year when Sony's PlayStation network was hacked and customers' personal information was released to the public.
- Direct fraud – The theft of money or digital content by electronic means. In many instances it is organised crime that is involved in this type of activity.
- Sabotage or disruption of business operations – This most commonly manifests itself as the disruption of services to customers, and sometimes involves the blackmail of online businesses.
- Cyber espionage – The silent copying of information for commercial purposes is most relevant to industries with high research and development costs.
The guidance recommends that each board should carry out an assessment of risks and their consequences in the same way as it would for other key risks, whether current, potential or emerging. The 8-page guidance also recommends that the board monitor cyber risk on a regular basis in order to understand the flaws in internal controls and make adjustments and improvements when needed.
The guidance draws on the Government’s Cyber Security Guidance for Business (2012) which was prepared by CESG, the information security arm of GCHQ, in order to increase awareness of cyber threats to organisations. The CESG guidance is worth noting as it not only offers ten practical steps to achieving cyber security, but also reveals three case studies of organisations that have fallen victim to cyber attacks.
The CESG guidance champions the importance of having a risk management regime in place and also encourages information-sharing exchanges about cyber threats and cyber security with other organisations, for example within the same business sector, in order to increase awareness of potential cyber threats and ensure that appropriate measures are in place to combat them.
The importance of this issue is further underlined by the director-general of the domestic security service, MI5, and the director of GCHQ, together with the Science Minister, David Willetts, writing to all the chairmen of the FTSE 350 companies in July of this year inviting them to take part in a "cyber governance health check". The check involves both the chairman of the company and the head of the audit committee completing a questionnaire intended to assess how well the company handles issues such as protecting intellectual property and safeguarding customer data. This latest government action is intended to ensure that cyber awareness goes all the way to the top of the company. The current lack of awareness at board level is confirmed by a survey conducted by KPMG which found that FTSE 350 firms are leaking data that could be used by a range of cyber attackers.
The threats posed by the internet are likely to increase over time and are likely to inflict severe consequences on an organisation. It is essential that company boards educate themselves on these potential risks and seek ways to mitigate them. The risk assessment of potential cyber threats should form part of a company's corporate governance regime and should not be dismissed as a responsibility of the IT department alone.
2. Cabinet Office launches consultation on draft identity assurance principles
On 17 June the Cabinet Office launched a consultation on the draft identity assurance ("IA") principles, first published in April 2012. The purpose of this consultation is for the government to gather views and further develop its ideas around transforming government services to make them more efficient and effective for users. The Cabinet Office has stressed that at the heart of the principles are the issues of privacy and security, and the government recognises the need to make services more convenient and accessible by moving them online.
IA is a method for providing users with a simple, trusted and secure means of accessing public services while ensuring that personal information is kept private and secure. To that end the Identity Assurance Privacy and Consumer Advisory Group ("PCAG") was established to aid the government in developing an approach to identity assurance that: (1) ensures users are in control of their information; (2) does not centralise information; and (3) gives users a choice of who provides the services on their behalf.
The initial draft published last year identified nine basic principles as well as a detailed explanation for each principle. The principles are:
- The user control principle – identity assurance can only take place if the user consents to or approves it.
- The transparency principle – identity assurance can only take place where the user understands what is happening and is fully informed.
- The multiplicity principle – the user can use and choose as many different identifiers or identity providers as they want to.
- The data minimisation principle – the user's request, or the transaction, is designed to use the minimum amount of data necessary to meet the user's needs.
- The data quality principle – the user chooses when to update their records.
- The service-user access and portability principle – the user has to be provided with copies of all their data on request and can move/remove that data whenever they want.
- The governance/certification principle – the user can trust the scheme because all participants have been accredited.
- The problem resolution principle – if a problem occurs, the user knows there is an independent arbiter who can find a solution.
- The exceptional circumstances principle – any exception to the application of the above has to be approved by Parliament and is subject to independent scrutiny.
According to the PCAG's commentary notes, the principles are not merely devoted to privacy or data protection, but rather cover all aspects of a user-centric service. This initiative also has implications for service providers to the public sector, as well as those which may provide IA services. The principles apply to any Identity Assurance Service in the UK, with a particular emphasis on the UK Government's objective to deliver many services electronically by 2018. The Identity Assurance Programme's aim is to have an agreed, operational set of principles by the end of this year that will support the first iteration of a simple, trusted and secure identity assurance service to be offered to users.
The consultation closes on 12 September 2013. A copy of the consultation can be found here.
3. EU Commission Public Procurement Communications
The European Commission has published two communications relating to public procurement: (1) building open ICT systems and (2) improving e-procurement (including a proposed Directive on e-invoicing).
Under its Digital Agenda for Europe (DAE), the European Commission has committed itself to promoting the complete digitisation of public procurement in the EU, or 'end-to-end e-procurement', by mid-2016. As part of this transition, the EU proposed in December 2011 to make the "e-notification", "e-access" (to procurement documents) and "e-submission" phases of public procurement mandatory.
In the first of the communications, the Commission identified a number of problems arising from the current 'locked-in' ICT systems of many public organisations, which can act as an obstacle to Community-wide digital procurement. According to the Commission, providers' exclusive knowledge of how their systems work has led to 'extensive use of brand names in procurement documents' which has created:
- an effective monopoly for suppliers of those brands;
- a subsequent lack of competition for new products;
- a risk of undermining business continuity; and
- unnecessary spending of €1.1 billion per year by public authorities.
The Commission communication on 'open ICT systems' advises Member States to promote the use of ICT systems based on standards rather than proprietary technology, on the grounds that standards-based systems would make it 'easier to develop the necessary cross border services'. The Commission has also published the 'Guide for the procurement of standards-based ICT, Elements of Good Practice' to aid the transition for Member States, which includes advice on how to engage with the market and examples of best practice in Member States where standards have already been set up.
The second communication, entitled 'end-to-end procurement to modernise public administration', supports the accompanying draft 'e-invoicing' Directive which proposes to make it mandatory for public authorities to accept e-invoices that correspond to a newly-established EU standard.
The Commission believes that e-procurement can improve administration efficiency, reduce costs, facilitate cross-border trade and can maximise the advantages of the Single Digital Market. Despite these benefits, its adoption is still limited in the EU. The communication advises Member States on key actions to be taken for the implementation of end-to-end e-procurement, including the development of national strategies and market objectives, as well as promoting the participation of SMEs.
The Commission's 'open ICT systems' communication is available here. The 'end-to-end e-procurement' communication is available here. A copy of the draft Directive on electronic invoicing in public procurement is available here.
4. The Article 29 Working Party on "profiling"
The Article 29 Working Party (the "Working Party") has proposed a definition of 'profiling', and general improvements to Article 20 of the proposed European Union General Data Protection Regulation (the "Regulation"). Article 20 concerns a data subject's right not to be subject to a measure based on profiling. The Working Party is concerned about the protection of individuals with regard to the processing of personal data and its free circulation.
Organisations and data controllers regularly collect and use the personal information of individuals, often without their knowledge, to respond more effectively to consumers' behavioural patterns or interests. This lack of transparency can have a significant impact on data protection risks; the Working Party considers it important to mitigate risks associated with privacy and data protection posed by profiling to avoid anxiety among data subjects.
Developing the Definition
The Working Party proposes a definition of profiling based on the 2010 Council of Europe Recommendation on profiling, which describes profiling as "any form of automated processing of personal data, intended to analyse or predict the personality or certain personal aspects relating to a natural person, in particular the analysis and prediction of the person's health, economic situation, performance at work, personal preferences or interests, reliability or behaviour, location or movements".
Improvements to Article 20
The Working Party has suggested improvements to Article 20 of the draft Regulation to mitigate risks for data subjects. The improvements include:
- broadening the scope of Article 20 to focus not only on the outcome of profiling, but also to encompass the processing of personal data;
- bolstering transparency and data subject control by, e.g. imposing additional information and disclosure requirements for data controllers within Article 20 and underlining the importance of explicit consent as a legal basis for data processing; and
- imposing greater responsibility and accountability on data controllers regarding the use of profiling techniques, e.g. implementing a data protection impact assessment and ensuring technical safeguards are put in place (such as anonymisation, data minimisation processes and usage of standard default settings).
While the suggestions of the Working Party are not binding, they are persuasive, and could result in future developments increasing obligations of data controllers engaged in profiling. It should be noted, however, that the Working Party's proposals are intended to be relevant only to the extent that processes and outcomes significantly affect the interests, rights or freedoms of the data subject.
A copy of the advice paper is available here.