Barely a week passes without a report of a high-profile cyber-attack. The attention given to the hacking of the medical records of top athletes, including Sir Bradley Wiggins and Tour de France winner Chris Froome, has rather drawn focus away from a Reuters report of 31 August 2016 about a further attack involving the interbank messaging services of SWIFT, a Belgian co-operative owned by its member banks and used by some 11,000 financial institutions worldwide. Reuters reported that a private letter from SWIFT to its customers indicated that there had been further cyber-attacks against its banking customers, occurring after SWIFT had updated its security procedures in response to the heavily publicised breaches of February this year.
The February 2016 attacks were particularly significant, not simply because a large amount of money was stolen, but because the attackers combined known techniques (compromised operator credentials and malware placed on the victim bank's own systems, rather than any flaw in the SWIFT network itself) to misuse a key global financial system.
Dealing with cyber security breaches is a particularly challenging issue for business. Attacks are difficult to detect, easy to replicate and increasingly sophisticated. Digital evidence is transient, and breaches often raise cross-border complications because the attackers are frequently based abroad.
The Department for Business, Innovation and Skills' 2015 Information Security Breaches Survey found that 90 per cent of large organisations had suffered a security breach in the previous year, and the Government has classified cyber-attack as a Tier 1 threat to the country, alongside terrorism, military crises and natural hazards. The recent letter from SWIFT is reported to have warned customers that the threat of cyber-attack “is persistent, adaptive and sophisticated – and it is here to stay.” Underestimating or downplaying the threat and its consequences is therefore no longer an option for businesses.
The risks and implications of a successful attack are significant. The most obvious is a data breach in which sensitive information is lost, leaked, stolen or damaged. This can give rise not only to claims for damages against the business but also to regulatory enquiry and fines. Directors may also be exposed to claims for breach of fiduciary duty.
In the UK, legal requirements relating to cyber security arise primarily from the Data Protection Act 1998, whose seventh data protection principle requires organisations to take “appropriate technical and organisational measures” against unauthorised or unlawful processing of personal data and against its accidental loss, destruction or damage. What is “appropriate” is judged by reference to the harm that a breach could cause to individuals and the nature of the data, having regard to the state of technological development and the cost of implementing the measures. Although the Act does not require a business to guarantee that no breach will ever occur, in practice the Regulator (the Information Commissioner's Office) has set a high bar for what counts as appropriate protection.
Key preventive steps for a business are: (1) a risk assessment to identify areas of vulnerability, covering the whole organisation and its supply chain; (2) the training of staff; and (3) consideration of whether external solutions, such as cloud providers, are an appropriate means of mitigating risk. Outsourcing does not transfer legal responsibility: a business that uses a third party to process personal data remains the data controller, must satisfy itself that the provider's security is adequate, and must have a written contract under which the provider acts only on its instructions and maintains equivalent security measures. All preventative systems should be reviewed and refined continually and not treated as a mere compliance box-ticking exercise.
The SWIFT experience shows that cyber-breaches are now a part of corporate life, and businesses must have systems in place so that they can react quickly and effectively when one occurs. A response plan must set out all the practical steps that will be taken in the event of an attack. Time is of the essence in cases of this kind, and the preservation of crucial evidence is a major issue, especially with digital media, which by its nature may be transient.
How any subsequent internal investigation will be handled should also be decided in advance of an attack. If the investigation can be conducted under legal privilege, the business may be protected from having to disclose potentially sensitive and damaging material in later proceedings.
The landscape is changing. The EU General Data Protection Regulation (GDPR) was adopted in April 2016 and will apply from 25 May 2018; on that timetable it will take effect in the UK before any exit from the EU, unaffected by Brexit, and will replace the Data Protection Act. Although the security obligations remain broadly the same, the maximum fines rise significantly (up to €20 million or 4 per cent of worldwide annual turnover, whichever is higher), and there will be an obligation to report personal data breaches to the Regulator without undue delay and, where feasible, within 72 hours, unless the breach is unlikely to result in a risk to individuals. In addition, the Network and Information Security (NIS) Directive, adopted in July 2016, will require operators of essential services, including certain banking and financial market infrastructure, to take appropriate measures to manage the risks to their network and information systems and to notify significant incidents to the competent authority.
In the current climate it is vital that all businesses take appropriate steps to meet the ongoing and increasing threat of cyber-attack and to comply with their regulatory obligations.