In an era where cyber risk is almost daily news, governments have been working to develop tools to help businesses protect themselves against those who want to steal or misuse data.
The UK Government has launched a set of basic measures that any organization can use to reduce cyber risk, following a review of cyber attacks by the Government Communications Headquarters (GCHQ). Termed the “Cyber Essentials Scheme1”, this initiative is voluntary, rather than a legal requirement. However, the aim is that involvement in it should become mandatory for certain Government procurement contracts, especially those for information technology and communications. Given the size of the UK Government’s IT spend, this is likely to be a strong incentive for adoption and over time the measures may be adopted as a form of industry standard.
Cyber Essentials aims to encourage businesses to build at least a basic level of cyber security into their operations, on the premise that relatively simple steps might help to prevent some 80% of attacks to which they would otherwise be vulnerable. The measures:
- lay out a procedure for creating resistance to cyber risk;
- provide a mechanism for that resistance to be certified; and
- enable organizations to display their level of cyber security through certification.
External certification is designed to allow customers, suppliers and perhaps insurers to know whether an organization meets a measurable minimum standard. Companies that demonstrate compliance with Cyber Essentials may enjoy a competitive advantage over those that do not. The certification process is evolving and we will write a further update on this aspect shortly.
From a compliance and risk management point of view, the Cyber Essentials measures should set a benchmark against which management may be held accountable: cyber risk management is, of course, a corporate governance issue. Standards like these may also be used in the determination of negligence; losses that could have been prevented by the adoption of the Cyber Essentials may turn out to be uninsured and may be more easily shown to be the responsibility of the organization that failed to prevent them. Cyber Essentials could also play a role as a benchmark for compliance with general data protection requirements on information security, which is becoming an ever bigger issue, with fines of up to 5% of annual worldwide turnover being proposed under the EU Data Protection Regulation.
Most businesses are likely to focus on the “10 Steps to Cyber Security” launched by the UK Government in 2012 and certification under the new Cyber Essentials. As part of the recent focus on cyber risk, lawyers and risk managers will need to consider liability and how to address it, and the extent to which contracts with suppliers should contain provisions governing cyber and information security. There is likely to be a call for suppliers to show Cyber Essentials certification, and for buyers to rely on and refer to that certification.
Alongside the work of any business in reducing exposure to cyber risk, cyber insurance is a critical consideration. Risk managers and IT specialists should be reviewing the kinds of insurance cover their business has; what cyber risks are excluded and what insurance cover best meets their needs and addresses perceived threats?
Insurers are working to exclude cyber risks from standard insurance policies and many are providing separate cover for them. It is too soon to know how insurers will react to a Cyber Essentials certification; it may become a prerequisite for buying cyber insurance; certainly it could affect premiums. Insurers are already in dialogue with the Department of Business, Innovation and Skills about how Cyber Essentials will work and to what extent they will support and recognize it.
For those businesses that have not already done so, carrying out a cyber risk assessment and due diligence of potentially vulnerable business activities and their contractual position should be a priority. An audit and review of the terms on which third party services are provided should focus on areas of the business where information technology underpins critical business activity and review IT services agreements, cloud computing, remote data processing, as well as communications services agreements and the associated insurance cover.
Companies should consider setting up a cyber Risk Register linked to their corporate governance risk systems and a centralized register of the contracts that seek to address such risks. This way it is possible to monitor, manage and insure the risks which they carry and understand which vendors exclude liability. Legal and financial advisers, risk managers, IT functions and data protection officers will need to work together to understand how exposure and risks arise, assess liability, quantify it, and determine whether and how contractual mitigation may be formulated. From a management point of view, it may be important to be able to show shareholders, customers and suppliers that there is a governance program in place which regularly evaluates the cyber risks that could affect the business and deals with data protection.