Cyber risks – What does it all mean?
Ransomware. Phishing. Spearphishing. GDPR. The ICO. Personally Identifiable Data. Cyber Insurance. Do you know the lingo?
What does the above mean to you as a business owner? If the above phrases aren’t on your radar, they need to be. Fast.
Modern business is often based on having an online presence, with the majority of businesses stating that their biggest and most important asset is their data. But what steps are business owners taking to adequately protect that data? The most recent government cyber risk survey found that 69% of businesses say their senior management consider cyber security a very or fairly high priority; however, only just over half of those surveyed had done anything about identifying the risks.
Changing regulations coming into effect in May 2018 will most likely put cyber risk on the radar for those who aren’t already thinking about it. GDPR (the General Data Protection Regulation) is an enhanced version of the current Data Protection Act, with greater emphasis on processes and the adequacy of the steps taken to protect consumer data. Failure to demonstrate that you have taken these adequate steps can lead to the ICO (Information Commissioner’s Office) imposing highly punitive fines – up to EUR 20 million or 4% of worldwide turnover, whichever is the greater. Irrespective of the fines, however, in an increasingly litigious society where consumers are more and more aware of their rights, you could find yourself being sued by third party data subjects, and the reputational harm to your business can be catastrophic if you fail to protect consumer PII (Personally Identifiable Information). PII includes names, dates of birth, addresses and email addresses, bank details, National Insurance numbers – the list goes on.
You therefore need to analyse your cyber risks and security on a two-tiered basis. The first step is the mitigation of the risk, and the second step is the transfer of the risk, namely, cyber insurance. The principles are the same as protecting your building – you install locks and security, place sprinklers throughout your building in case of a fire, install an alarm – but you also purchase insurance to protect yourself in the worst case scenario.
Let’s look at some key steps you can take to mitigate your cyber risk. You will need to demonstrate under GDPR that you have taken these steps, but it is also good business practice to establish what data you are holding and how to protect it.
- Find out what data you are holding on your systems. How much of this data falls outside of that necessary for contractual/legal/regulatory requirements? Remember – the more data you are holding, the greater your exposure in the event of a breach and the more consumers may have to be potentially notified. When was the last time you carried out a data cleanse?
- How is your data stored? Who hosts your data? It is fundamental in the run up to GDPR that all contracts with third party suppliers are reviewed and amended to ensure it is clear who is responsible for the data and who owns the data. It is also a good opportunity to review your relationship with any of your third party suppliers to ensure they themselves are GDPR compliant. The ICO will not be sympathetic to you if you are using third party suppliers who are not compliant, as there is now a greater emphasis on data controllers – e.g. cloud suppliers, payroll and HR suppliers, website hosting etc.
- If you are taking card payments, you will need to have strict processes in place regarding how these payments are made, who is able to take these payments and how any information is stored. If you are storing payment information, you will need to ensure that you are PCI compliant.
- You will need to ensure your privacy statement is updated in order to be GDPR compliant. In addition to this, you will need to ensure your Business Continuity Plan/Disaster Recovery Plan is up to date with clearly defined processes regarding the recovery of data etc. One of the changes under GDPR is that consumers have a right to request data that you hold on them at no cost, and you will need to identify in your processes how you will be able to obtain this for them. You will need to review where your servers are stored and how often data is being backed up to them.
- Ensure that staff are adequately trained in how to spot potential cyber attacks, including phishing and spear phishing. Ensure that staff are required to change their passwords every 60 days if this is not already the case. Ensure that all devices, laptops etc. are encrypted.
- Review and update staff contracts so that they state that staff are aware of the data held on them.
This then leads us on to the next stage of protection – cyber insurance. Unfortunately, even the best protected systems can suffer a breach, as cybercrime continues to evolve more quickly than the systems put in place to protect against it – risk transfer is then the fundamental next step of the process. Cyber insurance kicks in ‘post breach’, although many policies have useful tools which can be accessed throughout your policy period to provide you with risk advice, or helplines staffed by security professionals/lawyers who can advise if you have any concerns regarding your data. Some of the headline coverage areas offered by the majority of providers include:
- Ransomware/cyber extortion – covers paid ransoms (above your excess) and also provides consultancy services to assist in the management of the situation
- Breach Costs – forensic investigations, legal advice, notifying customers/regulators, credit monitoring for customers etc.
- Cyber Business Interruption – loss of income, including from reputational damage, if a hacker or breach targets your systems and prevents your business from earning revenue
- Hacker damage – costs of repair, restoration or replacement if a hacker causes damage to websites, programmes or electronic data
- Crisis containment – support to mitigate reputational damage and the use of a PR firm to provide support in communication strategy etc
- Privacy Protection – defends and settles claims made against you for failing to keep customers’ personal data secure. Also pays the costs associated with regulatory investigation and settles civil penalties levied by regulators where allowed
- Multimedia liability – protection for mistaken infringement of copyright, or inadvertent libel of a third party.
It is important to get the ball rolling now to allow you sufficient time to prepare your business for GDPR. Talk to us for further advice regarding cyber risk mitigation and transfer.