BreachExchange mailing list archives

Cyber risk management: A boardroom issue


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 15 Sep 2014 18:37:50 -0600

http://www.scmagazineuk.com/cyber-risk-management-a-boardroom-issue/article/371440/


Cyber-security is an increasingly high-profile and costly issue.  Whether
state-sponsored cyber-attacks, cyber-espionage, hacktivism or good
old-fashioned cyber-crime, the impact of a cyber-security incident can be
significant.

In its 2014 Information Security Breaches Survey, PwC identified that while
the number of security breaches affecting UK businesses decreased in
comparison to the 2013 survey, the cost of individual breaches rose
significantly. The average cost to a large organisation of its worst
security breach was between £600,000 and £1.15m (up from £450,000 to
£850,000 in the 2013 survey). Indeed, 10 percent of organisations that
suffered a breach in the 12 months prior to the survey were so badly
damaged by the attack they had to change the nature of their business.

So what is the legal framework that seeks to compel organisations to take
steps to protect themselves from cyber-security threats, and what
"non-technical" steps can organisations take to protect themselves?

Legal framework: the current state of play

Currently, there is no overarching law on cyber-security; instead UK
companies have to comply with a plethora of laws and regulations.

The Data Protection Act 1998 obliges organisations to take appropriate
technical and organisational security measures to protect the personal data
they process.  A similar provision applies to telecommunications providers
pursuant to the Privacy and Electronic Communications (EC Directive)
Regulations 2003 (although the security measures to be adopted apply to the
services they provide, not merely to personal data).  The Information
Commissioner, the UK data protection regulator, has the ability to impose
monetary penalties of up to £500,000 on organisations that fail to comply
with these laws.

Listed organisations and financial institutions are also subject to
particular legal and regulatory requirements relevant to cyber-security.

Legal framework: Change is on the near horizon

In February 2013, the European Commission issued a draft cyber-security
directive.  If passed, the directive will oblige providers of critical
national infrastructure (including those in the transportation, energy and
financial services sectors) to take appropriate technical and
organisational measures to manage the (cyber-security) risks posed to their
networks and systems and to report security breaches to the relevant
regulator.  The Commission is hopeful that the directive will be adopted by
the end of 2014; there is currently an 18-month transposition period
following the date of adoption, and so the directive is unlikely to be
effective before mid-2016.

The value of policies

What can organisations do to meet these requirements and protect
themselves? The PwC report notes that 70 percent of companies where
security policy was poorly understood had staff-related breaches, compared
with 41 percent where the policy was well understood.  Policies on
information security and data protection are critical to mitigating
cyber-security risk.

Policies will be one of the items organisations are measured against in the
event of a security incident, so having a comprehensive policy that is not
followed can be as detrimental to an organisation as not having a policy at
all.  To be effective, policies must be communicated throughout the
organisation, implemented and enforced.

Robust contracting process

Some of the most significant data security incidents of the last 12 months
have been caused by third party suppliers. It is critical to carry out
effective due diligence on third party service providers' security measures
and ensure robust contracts are in place with those providers. Given the
potential liability exposures for cyber-security incidents, considerable
thought should be given to any limitation on the service provider's
liability for breaches of the contractual security requirements.

Cyber insurance

Cyber insurance has been available in the UK and Europe for over 10 years.
However, many businesses are only just appreciating its necessity.

Cyber insurance is not just about insuring financial loss due to a
cyber-incident; it is also key to managing risk. Insurers will demand that
appropriate risk procedures are in place and implemented.  If they are not,
businesses may find themselves uninsured.

It is essential for businesses to do their homework before purchasing cyber
insurance to ensure:

1. The business has the appropriate procedures in place to minimise
cyber-security risk

2. Appropriate cover is being purchased that will respond to all
identified risks

3. The policy will provide the necessary support, both beforehand (e.g.
the inclusion of risk management training in the policy) and in the event
of a claim (e.g. legal, IT, public relations and other support as well as
cover for losses)

If these three key points are considered when selecting a policy, a
business will be in a good position to manage exposures to cyber risks
through insurance.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 