Out-Law News | 06 Sep 2012 | 1:31 pm | 3 min. read
Technology law specialist Luke Scanlon of Pinsent Masons, the law firm behind Out-Law.com, said that the need to insure against the risk of cyber attacks was particularly important since firms could face huge costs for losing personal information via system breaches under proposed changes to the EU's data protection regime.
Scanlon was commenting after the Government published new cyber risk management guidance (2-page / 306KB PDF) for businesses on cyber security. The guidance stressed the "benefits" for business chief executives and other board-level managers in adopting a "risk management approach to cyber security".
The guidance called on senior executives to ask themselves a number of questions about whether the security of "key information" is robust enough and whether they have a "full and accurate picture" of how cyber attacks could impact on their firms' reputation, share price and ability to do business, among other things.
The executives should question whether they are sufficiently briefed on who likely perpetrators of cyber attacks may be and what the motive and methods of attack may be, and whether they are encouraging "technical staff" to share information with other firms that could help identify and prevent such attacks, the guidance said.
Other questions executives should ask themselves are whether they have a written information security policy in place that they are sufficiently "championing", and whether staff within their organisations are aware of the policy and suitably trained to observe it in their day-to-day practices, the Government guidance recommended.
Scanlon said that figures on the effect of cyber attacks show that senior executives at firms are still not addressing the issue seriously enough.
"It seems incredible that CEOs and Boards still need to be told to ask these basic information security questions," he said. "But market statistics, particularly those from the US, suggest that this is necessary and that many organisations are not giving information security the attention it deserves at Board level."
"How many organisations have thought through their cyber insurance strategy? The reported statistics suggest few. With proposed changes to data protection regulation in mind, businesses need to think seriously now about quantifying their exposure to increasing compliance costs in terms of dealing with breach response reporting requirements, the catalyst for which may not only be changes in regulation but simply current industry expectations, exposure to claims brought by data subjects and larger regulatory fines," Scanlon added.
In January the European Commission published a draft General Data Protection Regulation in a bid to reform the fragmented and outdated data protection framework that currently exists across the EU.
If the draft Regulation comes into force, companies would be required to notify any individuals concerned, as well as regulators, with certain information about any personal data breach "without delay and, where feasible, not later than 24 hours after having become aware of it". The information should include recommendations over what people can do to "mitigate the possible adverse effects of the personal data breach".
Under the Commission's proposals, regulators would have the power to fine businesses up to 2% of their annual global turnover for failing to notify breaches or for other serious breaches of the Regulation.
"Protecting key information assets is of critical importance to the sustainability and competitiveness of businesses today," the Government said in its guidance. "Companies need to be on the front foot in terms of their cyber preparedness. Cyber security is all too often thought of as an IT issue, rather than the strategic risk management issue it actually is."
In separate guidance (20-page / 3.12MB PDF) the director of UK intelligence agency GCHQ said that businesses could repel about 80% of "known attacks" simply by "embedding basic information security practices for your people, processes and technology". The guidance identifies 10 steps firms can take to reduce their vulnerability to cyber attacks.
The 10 steps firms should take include developing a "mobile working policy" for staff and ensuring that devices contain security features that "protect data both in transit & at rest".
Companies should also form a plan for responding to cyber attack incidents and test that the plans work, the guide said. Businesses should also limit the number of people that can access key information, monitor user activity on these accounts and control who can access "audit logs," it said.
In addition, companies should establish a policy that sets out who in the firm can access "removable media", limit the types and use of that media and make sure that checks of the media for traces of malicious software are conducted prior to the media being loaded on to systems, the guide recommended.
The Government has also published an 'advice sheet' that further details (22-page / 4.93MB PDF) the 10 steps that companies should take to address the threat of cyber attacks. Companies should "apply the same degree of rigour to assessing the risks to its information assets as it would to legal, regulatory, financial or operational risks," according to the advice.
In July the European Commission launched a consultation on proposals that could see businesses required to report when their "essential" systems, including the internet, have been disrupted due to "cyber incidents". The Commission said its aim is to "enhance preparedness, strengthen the resilience of critical infrastructure as well as to foster a cyber-security culture in the EU."