At the recent Scot-Secure cyber security conference, a number of speakers emphasised the importance of getting board level input to ensure that an organisation is properly prepared for a cyber-attack. That requires senior management to have an understanding and awareness of cyber risks and the allocation of appropriate resources, together with a clear strategy within the organisation for dealing with cyber-attacks and insider threats.
However, a recent survey revealed confusion within many organisations as to who should be responsible for leading the organisation’s response to a cyber-attack.
The survey, by BAE Systems, suggested that 50% of IT staff believed that the organisation should have a board level lead when deciding how to respond to a cyber-attack, whereas over a third of board level executives believed that IT staff should take the lead. The survey obtained responses from over 1,000 IT managers and C-suite executives from across the world.
The report suggests that such confusion could lead to organisations being ill-prepared for a cyber-attack, potentially putting them at risk.
It’s an area to which board level executives in the EU should devote close attention.
We’ve already seen the harm that a cyber-attack can cause to a business from incidents such as the 2015 cyber-attack on TalkTalk. In that case, TalkTalk incurred substantial damage to its reputation and received a record £400,000 fine from the Information Commissioner for having inadequate security measures in place to deal with cyber-attacks. It is estimated that the incident will cost TalkTalk up to £60m. TalkTalk lost more than 180,000 customers following the incident.
In May 2018, a new law, called the General Data Protection Regulation (GDPR), will come into force. The UK’s Information Commissioner describes the GDPR as a “game changer for everyone,” requiring organisations to undergo a “culture change” to ensure that privacy is embedded throughout the organisation. Some already do that, but others will need to carry out a wholesale review of the way in which they approach privacy and data security.
So what is changing and how does this impact on what an organisation should be doing to protect itself against cyber-attacks and insider threats?
Governance and accountability
Firstly, the GDPR introduces new obligations for organisations in relation to governance and accountability. Whilst the legal test for the adequacy of security measures is not changing, organisations will be under an express obligation to demonstrate compliance.
That means organisations will need to be able to explain the security measures they are putting in place and justify the approach that they have taken. This won’t just cover internal policies and procedures, but also those of suppliers handling data on behalf of the organisation. In the case of cyber-security, this might include outsourced IT suppliers hosting and managing key IT infrastructure and systems.
Tools such as privacy impact assessments and appropriate record keeping and auditing will become essential to being able to demonstrate compliance. Regular penetration testing of IT systems, and reviews of best practice and new technologies to protect against cyber-attacks and mitigate their impact should become the norm.
Organisations also need to ensure that they carry out appropriate staff training and other activities to raise awareness. For example, at Scot-Secure we heard that Skyscanner created a series of fake news articles about a fictitious cyber-attack on the company’s systems to demonstrate to staff what might happen. It’s a great way of bringing cyber risk to life for employees and helping to embed a cyber-risk aware attitude throughout the business.
Under the GDPR, boards will need to ensure that they retain sufficient oversight….
Responsibility for data protection compliance and strategy therefore needs to be assigned to the correct level within the organisation, with appropriate budget and resource allocated. Under the GDPR, boards will need to ensure that they retain sufficient oversight with clear reporting lines and accountability, in order to demonstrate compliance.
Secondly, the GDPR will introduce mandatory breach reporting obligations in certain situations. Such reports will need to be made to the regulator within 72 hours – not 72 business hours, but 72 hours. That means if an organisation is hacked on a Friday night it should be reporting that breach by the Monday night. Among other things, the report has to outline the nature of the breach, the impact on data subjects and the steps that are being taken to address the breach and mitigate its effects.
…if an organisation is hacked on a Friday night it should be reporting that breach by the Monday night
That’s a big ask. It will require organisations to have detailed detection systems, breach reporting procedures, breach registers and response plans in place to ensure that security breaches are promptly identified, investigated and reported.
Bearing in mind the potential adverse reputational issues and enforcement action arising out of a security breach, organisations will want to ensure that the board is aware of a breach and the organisation’s proposed action plan as soon as possible.
Data Protection Officer
If an organisation is a public authority or undertakes “regular or systematic monitoring” of individuals or “large scale” processing of sensitive personal data or criminal records then it must appoint a Data Protection Officer (DPO). Whilst we are still awaiting final guidance on how these requirements will be interpreted, it is likely that many organisations will choose to appoint a DPO to oversee their data protection compliance, even if there is not a strict legal requirement to do so.
The GDPR requires that DPOs are empowered to operate independently…
The DPO’s responsibilities will include monitoring compliance and cooperating with data protection authorities such as the UK’s Information Commissioner. The GDPR requires that DPOs are empowered to operate independently, with a direct line to the board. That means the DPO cannot also hold a position such as IT Director or Marketing Director. The DPO must be free to carry out their role without undue influence (whether directly or through disciplinary action).
Given demand across the EU, it is anticipated that recruitment (and retention of existing DPOs) will be challenging.
Enhanced enforcement powers
Finally, national data protection authorities are being provided with even greater enforcement powers.
The Information Commissioner currently has powers to issue fines of up to £500,000. Under the GDPR, the maximum fine will be €20,000,000 or 4% of worldwide turnover. That puts data protection law compliance on a par with competition law. Even apparent administrative errors, such as a failure to keep appropriate written records are subject to fines of up to €10,000,000 or 2% of worldwide turnover. In addition, data subjects will continue to be able to bring claims for compensation, with the ability for groups of individuals to bring class actions.
These figures mean that data protection compliance should be on the risk register of any organisation that handles personal information. What is the risk of an attack? Where are our weaknesses? Is the data encrypted? Are we holding data that we don’t actually need to hold? These are all questions that the board should be asking. Cyber-attacks are a fact of life and organisations need to be prepared.
…it’s not good enough to just blame the “bad stuff” on criminals.
As TalkTalk found out to its cost, it’s not good enough to just blame the “bad stuff” on criminals. In addition to a “clean-up” that cost tens of millions of pounds, Talk Talk suffered substantial damage to its brand. That makes data protection an issue of trust. Organisations that do not take cyber security seriously will suffer, whereas those that are seen as trusted will flourish.
It’s clear that compliance with the GDPR will require leadership from the top and a commitment to devote the time and money required to ensure that the organisation makes that cultural shift. Organisations that leave it to the IT department do so at their peril.