A recent survey by BAE Systems revealed confusion within many organisations as to who should be responsible for dealing with their response to a cyber-attack.
The survey, which obtained responses from over 1,000 IT managers and C-suite executives from across the world, suggested that 50% of IT staff believe that there should be a board level lead when deciding how to respond to a cyber-attack. In contrast, over a third of board level executives believe that IT staff should take the lead.
The report suggests that such confusion could lead to organisations being ill-prepared for a cyber-attack, potentially putting them at risk.
The TalkTalk cyber-attack in 2015 shows the harm that a cyber-attack can cause to a business. In that case, TalkTalk incurred substantial damage to its reputation and received a record £400,000 fine from the Information Commissioner for having inadequate security measures in place to deal with cyber-attacks. It is estimated that the incident will cost TalkTalk up to £60 million.
In addition to reputational damage and financial loss, changes to data protection law should also be pushing cyber risk up the boardroom agenda. In May 2018, the General Data Protection Regulation (GDPR) will come into force, requiring organisations to undertake a wholesale review of the way in which they approach privacy and data security.
Governance and accountability
Firstly, the GDPR will introduce new obligations on organisations in relation to governance and accountability, with an express obligation to demonstrate compliance.
That means organisations will need to be able to explain what security measures they have put in place and justify the approach that they have taken. This will cover not only their internal procedures but also those of suppliers handling data on behalf of the organisation, such as outsourced IT suppliers hosting and managing key IT infrastructure and systems.
Tools such as privacy impact assessments and appropriate record keeping and auditing will become essential in order to demonstrate compliance. Regular penetration testing of IT systems and reviews against best practice and new technologies to protect against cyber-attacks and mitigate their impact should become the norm.
Boards will need to ensure that they retain appropriate oversight of data protection compliance, with clear reporting lines.
Secondly, the GDPR requires organisations to report certain breaches to the Information Commissioner within 72 hours. The report will need to set out the nature of the breach, the impact on data subjects and the steps that are being taken to address the breach and mitigate its effects.
This will require organisations to have in place detailed monitoring systems and breach reporting procedures.
Enhanced enforcement powers
Finally, national data protection authorities are being provided with even greater enforcement powers.
The Information Commissioner currently has powers to issue fines of up to £500,000. Under the GDPR, the maximum fine will be €20 million or 4% of worldwide turnover. In addition, data subjects will continue to be able to bring claims for compensation, with the GDPR also providing the ability for groups of individuals to bring class actions.
These levels of fines mean that data protection compliance should be on the risk register of any organisation that handles personal information.
It’s clear that compliance with the GDPR will require leadership from the top and a commitment to devote time and money to ensure that the organisation makes that cultural shift. Organisations that leave it to the IT department do so at their peril.
Martin Sloan (@lawyer_martin) is a partner in the Commercial Services Division at Brodies LLP