Dealing with the threat of cyber attacks

We continue to see a rise in high profile cyber-attacks on numerous organisations, such as British Airways and Marriott. These cyber-attacks often come with severe consequences such as compromise of personal information, service interruption, loss of confidential information or intellectual property, breach of law or contract where service providers are involved, regulatory investigation and regulatory action (including fines), as well as significant reputational and brand damage. However, a cost that is often not considered is the cost of interruption to the business and the resources required to deal with high-profile security incidents, from the cost of remediating the security flaws that led to the breach to the time and cost associated with dealing with regulators, affected individuals, and other stakeholders. 

There are numerous studies on the financial consequences of major cyber-attacks and data breaches.  For instance, according to a study conducted by IBM[1], across the United Kingdom, the average cost of a data breach increased from $3.68 million in 2018 to $3.88 million in 2019, which is the sixth highest cost globally when compared to other regions. In the same study, they advise that the worldwide average cost of a data breach has increased to $3.92 million. To put this into context, on a global level, the cost per lost data record was $150.

The global average time to contain a data breach was 279 days in 2019. This illustrates just how significant the disruption to your business can be following a data breach. This disruption has a direct impact on the costs associated with handling a data breach.

In this study, IBM concluded that the loss of customer trust has serious financial consequences for the organisations studied, and that lost business was the largest contributor to the total cost of a data breach.

This article seeks to address the risks associated with cyber security and the steps directors can take to mitigate the risks for their organisations.

What is cyber security?
Cyber security refers to the technical and organisational measures that both controllers and processors should put in place to mitigate the risks to their data and information systems.  The GDPR requires that this is done by taking into account: the state of the art; the costs of implementation, and the nature, scope, context and purposes of, processing; and the varying likelihood and severity of risks to the rights and freedoms of natural persons.

Examples of security measures, which are deemed to provide an appropriate level of security include:

• the pseudonymisation and encryption of personal information;
• the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
• the ability to restore the availability and access to personal information in a timely manner in the event of a physical or technical incident; and
• a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

The extent of statutory obligations on cyber security depends on the type of organisation you are and the type of personal information (i.e. any information that relates to an identifiable individual) that it holds.  For example, telecommunications companies, Internet Service Providers, digital service providers and operators of essential services are under additional obligations concerning the security of their networks and services and mandatory notification of security breaches.

Why is cyber-security important?
Personal information is an invaluable business asset for an increasing number of companies and many organisations have made the decision to entrust third parties with the processing of their information.  This approach, while more cost effective than building internal processing capabilities, increases an organisation's exposure to cyber threats.

Despite the efforts that organisations have made to implement appropriate security measures, organisations are still faced with skilled adversaries and a constantly evolving threat landscape.  This is supported by IBM's findings in that malicious attacks were the most common and most expensive root cause of breaches.

As a result, for the vast majority of organisations, it is not a question of if they will suffer a serious cyber-attack; it is a question of when it will happen.

What action can the board take?
Since the introduction of the GDPR, cyber security has become a board level issue.  Data protection regulators expect to see evidence of board-level backing on information governance and cyber security.  

It is crucial to continually assess the risk of a cyber-threat to an organisation and to determine vulnerable areas in existing systems and policies. The board should understand the organisation's statutory and contractual obligations around cyber-security. With a deeper understanding of these issues, a board can effectively approve budgets, allocate resources and appoint executives responsible for cyber security to ensure that obligations are met and inherent risks of cyber-threats are mitigated.  With accountability going to the heart of the GDPR, it is necessary to appoint a member of staff who is accountable for cyber risks and assess whether there is sufficient separation from those who run the systems on a day-to-day basis.

Recommendations
Most of the work that is required to enable organisations to satisfy legal obligations and meet expectations around cyber security must be done before an incident occurs.   We have listed our top five measures that all organisations should seek to implement:

1. Understand the legal regimes that your organisation is subject to and continually assess these with board level engagement.
2. Implement Article 30 data processing records, which detail the organisation's data flows.
3. Carry out a risk assessment on existing data processing systems and carry out appropriate cyber security due diligence on any new systems that you may use, including third party due diligence.
4. Ensure that the organisations operational security measures are appropriate, in accordance with legal requirements. In the IBM report, it was reported that among the 26 cost factors studied, there was a diverse set of cost mitigating factors that either helped reduce costs preventatively or in the aftermath of a breach. Extensive use of encryption, data loss prevention, threat intelligence sharing and integrating security into the software development process were all associated with lower-than-average data breach costs. Among these, encryption had the greatest impact, reducing breach costs by an average of $360,000.
5. Create a clear incident management plan and ensure that staff are trained on it.

Cyber-attacks are inevitable; however, the factors that will significantly reduce an organisation's cost of dealing with a cyber-attack rely on cyber readiness. Organisations that are proactive, rather than reactive, in their approach to cyber will be far more successful in keeping their business  running smoothly in the wake of a cyber-attack and, if an attack does occur, these cyber ready organisations have the best chance of limiting the costs incurred in dealing with them.

Sabba Mirza is a Senior Associate in Fieldfisher's Privacy, Security and Information Law Group in London.