Can corporates hack the increasing number of cyber attacks?
Cyber attacks have been a board-level issue for many years, but as technological advances increase, the scale and scope of the threat increases in tandem. It is therefore not surprising that cyber security has joined privacy, data protection, modern slavery, anti-bribery and money laundering, amongst others, as a key element of any business’s corporate governance strategy.
Mitigating the risk
Directors must ensure that cyber security is a part of the regular discourse at board meetings, and companies need to be certain that they are protected from cyber attacks. The short and long-term impact of a cyber breach on a company can be devastating, including business interruption, third party liabilities, reputational damage, loss of business and (albeit in a limited context) loss of share price. Equally, individual directors who fail to implement adequate procedures to prevent cyber attacks are vulnerable to claims from their shareholders for breach of duty.
There are, of course, a number of steps that directors can take to mitigate the risk of cyber attacks and thereby mitigate the risk of claims being made against them for failing to implement adequate safeguards, which include:
- Robust policies on the protocols and procedures governing data security, including a response plan in the event of a breach.
- Regular and tested training on the protocols and procedures to ensure staff understanding.
- Regular audits to ensure the protocols and procedures are being adhered to.
- Sufficient human and financial expenditure, such as having dedicated cyber security personnel; it is advisable to consider whether your current cyber security budget is adequate.
- Regular cyber risk assessments, including supply chain analysis. Your suppliers may not have their own robust policies and procedures in place. It is therefore imperative that you check this with them, as any gaps in their cyber security could find their way back to you. You may want to consider stipulating that suppliers have safeguards in place before you begin, or continue, working with them.
- Contingency plans, including data backup plans and disaster recovery plans.
The Computer Misuse Act 1990 (the Act) is nearly 30 years old but remains the main piece of UK legislation providing protection against cyber attacks. It has stood the test of time because of its wide interpretation of the term ‘computer’, which allows future technological developments to be covered. It offers protection by making it an offence for individuals to gain unauthorised access to computer material, whether to commit further offences or to cause damage.
Supplementing this legislation is the more recent Directive on Security of Network and Information Systems (NIS). NIS is the first EU-wide legislation on cyber security, adopted by the European Parliament in July 2016 and transposed into English law in April 2018. The Act is aimed at individuals, whereas NIS imposes penalties on essential service providers and corporate entities. Whilst NIS does not apply to all companies, it does create an overarching framework within which Member States must act and, crucially, facilitates cooperation and information exchange, which has been critical in thwarting a number of cyber attacks. However, the consequences of a breach are the real sting in the tail: penalties for non-compliance are severe, with fines of up to £17 million.
As a cyber attack often compromises data protection, it must be considered alongside the EU’s General Data Protection Regulation (GDPR). The GDPR not only brings the issue of cyber attacks to the fore but also makes those handling personal data accountable for handling it properly, and it comes with the threat of fines of up to 4% of annual turnover or €20 million, whichever is higher.
In an age of artificial intelligence, big data and rapid growth in innovation, cyber security strategies will need to continue to develop just as quickly. Management buy-in to the maintenance of an effective cyber security strategy as part of an integrated governance strategy will equally continue to be the essential starting point.