E-Commerce Law & Policy


Volume: 15 Issue: 5

Editor's Insight


Cyber risk - increasing survivability? By Mark Bailey, Partner at Speechly Bircham



Cyber risk is now a board-level responsibility[1]. The benefits of a cyber risk strategy to a business should be clear. Adopting a risk management approach to cyber security can deliver significant benefits for an organisation:



  • strategic - risk identification and evaluation;

  • financial -  in particular reduced losses from cyber threats; and 

  • operational - including adequate contingency plans to deal with cyber threat.


The directors set the culture of a business. UK and EU legislation and regulation, however, also make boards responsible for direct supervision of the business' conduct and reputation. Other areas in which the law places duties directly on the board include:



  • Bribery and corruption: in particular following the advent of the Bribery Act 2010;

  • Data protection: the new data protection regulation is likely to come into force in 2016 and will place explicit duties on the data protection officer, who must be associated with the board;

  • Community and environment: the Companies Act 2006 requires directors to have regard to the community and environment (section 172(1)(b)).


Cyber security is a complex issue. To illustrate the complexity by analogy, the design of a tank requires a detailed evaluation, against the specific threats it may encounter in the field, of: (a) mobility (speed); (b) weight (armour); and (c) firepower (weaponry). A balance of all three elements is required: without speed it will be destroyed, without armour it will be destroyed, without firepower it will be destroyed. The proper balance in the field against the threats it encounters results in increased survivability for tank and crew. Cyber security also has three corners:



  • Physical security - protection of the assets, data centre networks and communications;

  • People - personnel reliability;

  • Data security - protection of data, which is the life blood of any business, including encryption and storage. 


The chances of survivability for the business are greatly increased if the board can oversee and manage these issues with adequate information. The risks may differ for an online business compared with a more bricks-and-mortar business, but a similar armoury of weaponry may need to be engaged. Online deals site Living Social is only one of the latest companies to be compromised[2]. Potentially 50 million accounts were affected by this breach, with names, email addresses, passwords and dates of birth compromised. In this case credit card information does not appear to have been accessed, but the breach may well trigger compulsory notifications to data protection authorities and law enforcement officials, together with an expensive customer communications programme. Current estimates of the cost of data breaches put the average cost of a stolen record at somewhere between £71 and £79[3]. So how can lawyers promote survivability for a business? Lawyers need to be engaged in these debates at the highest level to improve governance and contract control:



  • Information security is a technology issue for IT and system designers, but it also needs well-integrated processes and policies to back these up, particularly in relation to the human aspects of information security, where as much as 40% of recent cyber attacks have resulted from malicious insiders (see the Ponemon survey[3]).

  • Liability is mitigated by understanding the regulatory obstacles and risks; for example, obligations on reporting data breaches, the risk of Information Commissioner and data protection authority fines, and specific interventions by regulators. The old Financial Services Authority proved particularly active in this regard, and its 'Dear Chairman' letters to banks in recent months have concentrated on ensuring infrastructure reliability.

  • Using the same risk management methodologies for outsourcing and internal projects is essential, otherwise complexity and risk are increased.

  • Cyber liability insurance is a powerful tool to manage risk: new policies include immediate response to data breaches, access to a crisis team including legal, PR, technical and forensic specialists, and cover for the costs arising from the breach itself.

  • Coherent contracts should be built and managed according to the risk profile of the business. Is the company's real risk the limitation of liability in its contracts and project risk, or is it the reputational risk that can result from a breach of confidentiality or a data breach? What degree of risk is the business prepared to accept, and does it regard its contracts as a revenue tool, a risk management tool, a process, or a part of its sales process?


The complexity of modern business keeps increasing, and with it comes a requirement to reassess cyber threats and security each time the world changes. Survivability is key!


Mark Bailey, Partner, Speechly Bircham
mark.bailey@speechlys.com


1. See the Cabinet Office and CESG's paper of 2012 which posed 10 key questions for CEOs and boards about the necessity for a cyber policy: http://www.cesg.gov.uk/News/Pages/10-Steps-to-Cyber-Security.aspx


2. See Computer Weekly, Monday 29 April, www.computerweekly.com/news/2240182794/another-online-firm-hit-by-data-breach


3. See Ponemon Institute 2011 Cost of Data Breach Study - United Kingdom (March 2012).
