For years, security professionals have been saying “either you have been data breached or you just do not know that you have been data breached.” More recently companies are becoming aware of increased incidents of hacking, cyber-crime, hacktivism and cyber espionage. It seems likely that the number of attacks is going to grow. If your company experienced a data breach today, would your board of Directors be ready?
Why cyber security is no longer ‘just an IT issue’ but is an issue for Directors
If your company suffers an attack:
- your online business will come to an immediate standstill
- it can lead to a shut-down of the company servers
- you will need to hire a forensic IT investigator to determine what went wrong
- you will incur costs related to notifying everyone whose information has been compromised
- you will incur costs of data restoration, recollection and recreation
- you may face regulatory fines
- you may be in breach of an obligation to store customer data securely
- you may incur liability in tort for failure to take reasonable security precautions when storing customer information
- you will be exposed to intangible costs, including damage to brand reputation, loss of productivity and customer confidence, a negative impact on business performance and a PR nightmare.
Cyber security is not only a concern of Google, Facebook, Apple, IBM or Amazon. It ought to be of concern to any company that uses data and relies on brand reputation to grow profit.
A security breach that results in a client’s data being stolen and used in a damaging fashion can lead to third-party liability claims. The theft of information through an attack can also result in expensive losses including reputational damage, liability claims from customers and action by regulators.
Industry regulators are increasingly asking whether organisations in the Financial Services sector are “cyber attack ready”. The Central Bank recently launched a review of the cyber security policies and procedures of asset managers, amid concerns that the investment industry has been slow to react to the threat of cybercrime. It has commenced cyber security inspections as part of its enforcement priorities for 2015 and will likely be assessing the processes, controls and risk mitigation that such firms should have in place in order to minimise the risk of cyber attack.
The Irish Government is also recognising the dramatic rise in volume of data being handled by the State and the associated risks involved. The Government has published the National Cybersecurity Strategy, which outlines how Ireland will protect its computer networks and sensitive infrastructure like water and electricity in the event of a cyber attack. It has also established a National Cybersecurity Centre (NCSC) within the Department of Communications that will be tasked with securing government networks and critical national infrastructure.
Because current legislation in Ireland is ineffective at preventing cyber security attacks, while Irish companies remain under obligations to prevent them, it is advisable that companies protect themselves against attack. Although the Irish Minister for Justice and Equality will enact legislation to give effect to the Budapest Convention on Cybercrime and Directive 2013/40/EU on attacks against information systems, companies must still consider the need to mitigate against the possibility of cyber attack.
There is no silver bullet, so firms need to be dynamic in their approach to cyber risk. Cyber risk management should encompass people, policies, procedures, technology and insurance solutions.
Steps to mitigate against the risk
- Conduct proper background checks on third party service providers and require ISO accreditation from them.
- Document due diligence exercises on counterparties, such as reviews of the security policies and measures undertaken by third party providers.
- Document the training afforded to employees on safeguarding data. Document the company’s efforts to train employees on information security, phishing, password creation and protection, and network access.
- Implement data encryption.
- Conduct an annual risk assessment. Identify what IT-based information, intellectual property and data is most critical to the business and what value is at stake in the event of a data breach.
- Develop an incident response plan to be adopted in case of a breach.
- Document the company’s actions taken to detect, log and respond to unauthorised cyber-related activity.
- Review and consider updating insurance cover to specifically govern cyber attacks and consequences such as product recall, customer notifications and system changes.
- Co-ordinate in advance with your legal team. The involvement of lawyers is crucial to attract legal privilege, which may prove extremely important in the event of litigation.