The topic of cybersecurity was constantly in the headlines during 2015. This article looks at the need for cyber liability and why holding businesses properly to account could actually improve cybersecurity standards.
It could be argued that 2015 has been the year of the cyber hack. With telecoms group Talk Talk, extramarital affairs site Ashley Madison and, just this month, bars chain JD Wetherspoon among those losing hundreds of thousands of customers’ personal information, companies feel more at risk of cyberattacks today than ever before.
This level of cyber awareness has even reached the heights of central government departments, with Robert Hannigan, director of the UK’s Government Communications Headquarters (GCHQ) publicly criticising the free market as failing the cybersecurity challenge.
With PwC’s ‘2015 Information security breaches survey’ reporting over the summer that nearly nine of out 10 large organisations and three quarters of small to medium enterprises (SMEs) now experience breaches, he has evidence to back his assertion that that cybersecurity standards are “not yet as high as they need to be”.
Yet, driving these standards up across markets is not a simple task. After all, the key drivers for market change are regulation and incentivisation, and in the relatively immature cybersecurity market, these challenges are significant.
Some of the cited breaches were achieved using a common application vulnerability. Structured Query Language Injection – or SQL Injection as it is better known – has been listed on the industry standard Open Web Application Security Project (OWASP) Top 10 – a ranking for critical web application vulnerabilities that should be remediated as a matter of priority – for more than a decade. With avoidable cases such as these, important questions are being raised regarding accountability for breaches.
In June, a report by the Centre of Economics Research (CEBR) for Veracode revealed that security breaches now cost UK businesses £34bn a year. Yet, while companies lick their wounds following a breach, it is consumers who are left facing potential fraudulent claims and having to change their details. Cases have already been reported off the back of the Talk Talk breach of scammers using the stolen data to trick customers to part with their banking details in a bid to steal their cash.
So to avoid more potential losses in 2016, what can companies and their treasury departments do? Will acknowledgement of the risk and education on best-practice be enough to persuade businesses to change their habits? Probably not.
The introduction of legislation to drive up standards could be the way forward. With more legal accountability for the losses of data, organisations would be forced to improve their standards through fear of costly lawsuits.
Be clear and transparent
One might expect the business community to fight for the introduction of further legislation to govern their data protection practices. With the threat of weighty fines looming large should they not properly fulfil these duties, it is surprising that in a recent research report from the New York Stock Exchange (NYSE) and Veracode, nine out of 10 board directors stated that they believe regulators should hold businesses liable if they don’t make reasonable efforts to secure data
In fact, businesses are crying out for clear and objective standards with greater clarity detailing what a sufficient and responsible level of cybersecurity is.
The recent US case of Wyndham Hotels underlined the importance of cyber defence standards. Earlier this year the Federal Trade Commission (FTC) successfully sued Wyndham Hotels for having “unreasonably and unnecessarily exposed consumers’ personal data to unauthorised access and theft” following three breaches in just two years.
With the appeals court affirming the FTC’s authority for requiring companies to securely store customer data and punishing them if they fail to do so, American companies are left with little information other than that they may be held liable following a breach. Indeed, this trend looks to be extending globally; the British government launched an inquiry into the Talk Talk breach and the Hong Kong Privacy Commissioner for Personal Data (PCPD) is initiating a compliance check to decide if the company had sufficiently adhered to data privacy principles.
Insuring data
While we could be some time away from legislation in this space, cyber insurance will play a significant role in setting the standards for cybersecurity. With many firms already investing in cyber insurance, it’s not surprising that PwC reports the market is set to triple to about US$7.5bn over the next five years. However, what isn’t certain is that those companies paying into such insurance policies have the adequate cybersecurity processes in place to meet the required level to receive a return after suffering a breach.
Today, most companies are investing in cyber insurance to reduce the financial burden from a liability claim, and this developing trend could even result in improved standards across the security landscape. With increased liability comes heightened awareness; and with firms doing everything to ensure they’re covered by their cyber insurance, baseline standards of protection are sure to enhance.
Most of us understand that no organisation can ever be completely immune to a cyberattack. With valuable customer data and corporate reputations to bring down, no company is impenetrable. However, even though increased regulation won’t prevent cyberattacks, demonstrating a reasonable level of cybersecurity will help organisations address and defend against the risks.
Cyber hacking tools are becoming increasingly easy to access and more user-friendly by the day. With this in mind, enterprises must ensure they are doing their due diligence to protect their data, safeguarding their customers from thieves and scammers. With organisations turning to insurance to protect their balance sheets, turning to IT to protect their data should be the next destination.