20 legal focus


Cyber Risk – a tier 1 threat to UK business


The Government takes the problem of cybercrime so seriously that it has classified cyber-attack as a tier 1 threat to the country alongside terrorism, military crises and natural hazards. But is this message reaching businesses and what measures can they take to protect themselves? Stevens & Bolton LLP (S&B) recently hosted a cyber risk seminar which assessed the most important steps businesses should take to protect themselves from attack. Partner Michael Frisby (pictured) and associate James Evison report


A changing world


Almost all businesses are now dependent on the Internet, with its opportunities but also unprecedented threats. Cyber-attacks are an almost daily occurrence and the risks come from a range of sources. Malicious software can be downloaded from the Internet by almost anyone and then used to launch an attack. These "commodity threats" probably represent the greatest cyber threat to UK businesses and are increasingly used by organised criminals to steal information and extort money.


Nation states, particularly in the developing world, are developing cyber espionage capabilities to steal valuable intellectual property. Disgruntled or ex-employees can steal important data and pass it to competitors. Hacktivists have attacked businesses whose activities they disapprove of across a range of sectors including life sciences, financial services and the entertainment industry.


The value of cybercrime is already thought to outstrip the drug trade.


Understanding the impact of cyber crime


As a first step businesses should assess the different ways in which a cyber-attack might affect their operations and the potential losses and liability they might be faced with.


Frisby outlined the implications of contractual and tortious claims, the regulatory implications and directors' potential personal liability in the event of an attack. He also considered how existing insurance policies might respond to an attack and identified some potential issues arising from dedicated cyber risk policies available in the market.


Beverley Flynn, partner and head of data protection, highlighted the risks which businesses can face in relation to loss of personal data and in particular the obligations under the Data Protection Act 1998 (the Act). Data controllers must ensure that they take appropriate technical and organisational measures against unauthorised processing or accidental loss of personal data. Appropriate internal policies and plans must be put in place, and reasonable steps must be taken to ensure the reliability of any third-party data processors such as outsourced IT, software hosting and payroll providers. A well-drafted contract placing appropriate obligations on the third-party data processor is therefore essential.


A business which fails to take these steps may unwittingly find itself in breach of the Act if it, or a supplier, is subjected to a cyber attack. This could result in the business facing claims for damages from data subjects, an investigation and penalty of up to £500,000 from the Information Commissioner's Office (ICO), a prosecution leading to an unlimited fine, or claims for breach of contract and confidentiality.


What should businesses be doing to protect themselves?


From a legal perspective there are a number of actions businesses should take:

• prepare a response plan

• put in place appropriate policies and standards, procedures and training

• review business arrangements, contracts and insurance policies.


In the event of an attack, if investigations are conducted under legal privilege, this protects the business from having to disclose potentially damaging material in later litigation. It is therefore important to involve lawyers as soon as an event takes place.


Simon Kendall of the Department for Business, Innovation and Skills flagged government initiatives such as the 'Ten Steps to Cyber Security' and the 'Cyber Essentials Scheme'.


To report or not to report?


If a cyber attack occurs should the attack be reported to the police, the ICO or other industry specific regulators?


From a law enforcement perspective businesses are encouraged to report all cyber-crime. This can be done through www.actionfraud.police.uk or, where a crime such as a distributed denial-of-service (DDoS) attack is in progress, it can be reported directly to the police.


However, in practice businesses will have to quickly weigh up a number of factors before deciding whether to make a report to the police, not least whether they risk reputational damage from which it may be hard to recover. There may also be contractual implications if the attack becomes public knowledge.


With regard to a loss of personal data through cyber attack, businesses will need to weigh up the potential impact of making a report to the ICO and the subsequent investigation against the risks of not reporting. There is no legal requirement under the Act itself to report an attempted attack or a loss of personal data to the ICO. However, the ICO believes that "serious breaches" should be brought to its attention, and factors to consider will include the sensitivity and volume of data and the potential and actual detriment which individuals may suffer.


The future


Cyber criminals will continue to look for new ways to exploit weaknesses and businesses will need to evolve and adapt to keep up with the threat. Putting a plan in place to protect from and respond to an attack is part of the solution but in itself it is not enough. Businesses must keep up to date with new regulatory requirements and the changing legal framework to ensure the plan remains fit for purpose. The insurance market also continues to evolve and having the appropriate type and level of cover could help to mitigate risk.


Practical steps to prepare for and protect against a cyber-attack:

• Leadership – senior management must know the risks and the potential impact, and ensure preventative action

• Ownership – someone must own the problem of keeping the business cyber secure

• Preparation – review contracts and business arrangements. Ensure policies, protocols, procedures and training are all in place. Implement appropriate security standards. As a minimum, SMEs should consider adopting the government-backed Cyber Essentials standard.

• Advice – seek advice and support from professional advisers to ensure that appropriate protections are put in place

• Testing – plan for an attack and test the plan. Make sure key staff know what steps to take and who to call in the event of an attack.


Speakers included: Michael Frisby, dispute resolution partner, Beverley Flynn, partner and head of data protection, DS Rob Bryant of the South East Regional Organised Crime Unit, Simon Kendall, head of the cyber security private sector engagement team at the Department for Business, Innovation and Skills and Andrew Rogoyski of CGI UK.


THE BUSINESS MAGAZINE – SOLENT & SOUTH CENTRAL – JUNE 2015

