A few years back nobody had even heard of cyber risk. Now it’s widely considered to be one of – if not the – biggest threats facing companies of all shapes and sizes around the world.
Training workshops on cyber liability are currently among the most sought-after courses my company offers its clients in the world of insurance and risk.
High-profile news stories like the recent TalkTalk scandal clearly illustrate the scale of the problem. Governments, corporations and individuals are all routinely targeted by would-be fraudsters, saboteurs or data thieves.
No one can say with any real certainty that they are not at risk from hackers, botnets, activists or terrorists, whether launching dedicated attacks or simply churning out indiscriminate viruses, worms, trojans and all manner of related ‘malware’.
One recent survey found that 90% of large organisations and 74% of small businesses have experienced a security breach of some kind in the previous 12 months.
Any of these can result in direct harm to an organisation (through financial loss, business interruption or reputational damage), but also in significant liabilities to others whose data you may accidentally have let fall into the wrong hands.
Data breaches are an increasing concern for any organisation that holds customer records in electronic form.
The costs of losing customer records can be between £50 and £150 per record. For firms with thousands of customers, this can easily amount to multi-million pound losses – not to mention the associated reputational damage.
The authorities are taking an increasingly keen interest in how well UK firms look after the data they hold. The body mainly responsible for data protection is the Information Commissioner’s Office (ICO). The Data Protection Act, originally passed in 1984 and significantly updated in 1998, is the key piece of legislation.
Any firm (or sole trader) handling customer data has significant data protection obligations in terms of notification and registration – and must by law comply with the ICO’s eight data protection principles (see the ICO website for details).
Worryingly, given the ICO’s ability to impose significant fines for non-compliance, many UK firms (as many as 25% according to one recent survey) are unaware of these obligations. Even where this is not the case, many firms – or many of their employees at any rate – routinely flout the data protection standards legally imposed on them.
So-called cyber insurance can mitigate some of the costs of cyber attacks and data breaches, providing, for example, practical assistance and analytical support in the aftermath, and cover against some of the remedial, reputation management and business interruption costs. But insurance, of course, can never cover fines. As with most things in life, prevention is better than cure, and risk management is critical in protecting any organisation against cyber risk and data breach.
Insurance advisers, as we explain in the dedicated training we offer on this topic, have a valuable role to play in helping clients understand how to minimise the risks they face. This would typically involve taking precautions such as the following.
Make sure you do not hold customer or employee data without having notified the ICO. Never use data for purposes other than those for which you are authorised to use it. Never hold data that is not relevant to its authorised uses, or data on customers who have ‘opted out’. Take all possible steps to guard against unauthorised disclosure. Check regularly that the data you hold is up to date and accurate, and delete it when it is no longer in use.
Most importantly, remember: data protection law is changing all the time as legislators struggle to keep abreast of the rapidly changing situation on the ground. So it’s essential for any firm that handles customer data (and that means virtually everyone) to check the ICO website regularly to keep abreast of current data protection obligations.
This is something we will all be hearing a lot more about in the months and years to come.