Cyber security – the risks to your organisation
The recent news that foreign exchange company Travelex is being held to ransom by hackers after a cyber attack is a reminder to organisations that cyber security is a business-critical issue. The gang claiming to be behind the hack has demanded £4.6m and explained that they hacked into the Travelex databases six months before the ransom demand was issued on 31 December 2019, spending that period downloading client data including names, dates of birth, credit card details and national insurance numbers.
The attack has led to Travelex taking down its website in 30 countries and turning off its computer systems. Could your business recover from such an attack asks our Commercial team?
Cyber security and GDPR
GDPR put cyber security in the spotlight. The large fines that could now be levied on organisations that breach data protection legislation have encouraged organisations to turn their attention to the question of how best to protect the information they hold electronically.
Even so, cyber security goes much further than data protection. According to the government Department for Business, Innovation and Skills “cyber security is about protecting your computer-based equipment and information from unintended or unauthorised access, change or destruction”.
Why organisations need to worry about cyber-security
Cyber crime is a growing threat that all organisations need to take notice of. Most businesses depend on some form of digital communication or services whether that be email systems, websites, online banking, databases, social media accounts or online ordering and invoicing. Even desk telephones tend to be networked. Could your business continue to function if you lost access to these systems?
The 2019 Cyber Security Breaches Survey conducted by the UK Government revealed that 32% of businesses surveyed identified incidents of breaches and attacks in the previous 12 months. The bulk of these attacks were phishing emails, reported by 80% of businesses, whilst 28% of businesses reported others impersonating their organisations online and 27% reported receiving viruses and other malware including ransomware.
Cyber security breaches and attacks can be costly to businesses. When trying to identify the cost and length of time it took businesses to recover from breaches and attacks, the above survey highlighted that business owners often focus only on the initial impact, and do not consider additional costs such as new staffing processes that may need to be put in place, staff costs to the business in dealing with an attack or the cost of loss of reputation and trust from customers. The figure of the average cost for dealing with a breach of £4,180 is therefore probably significantly less than the actual cost to business.
Cyber security and the law
Organisations are required by law to protect personal data. They are also likely to be subject to contractual confidentiality requirements under agreements with suppliers, customers and other stakeholders.
It is important that organisations have, and are able to demonstrate that they have, robust systems in place to protect their digital assets, such as systems for regularly backing up data. Well drafted IT Policies, data protection policies and disaster recovery policies are all essential. These policies should be regularly tested.
Businesses may also seek to rely on force majeure clauses in their contracts to limit their exposure to liability for cyber breaches and attacks. A force majeure clause can protect a party from liability if it is prevented from fulfilling its contractual obligations due to an event outside of its reasonable control. Such clauses need to be carefully drafted to ensure they are fit for purpose and can be relied upon, and businesses need to understand the limitations of such a clause. It is also important that organisations understand the contracts they are offered by third parties who may also seek to rely on force majeure clauses in relation to cyber attacks.
What should organisations do to protect themselves?
Organisations should review and update their relevant policies and procedures, and ensure their anti-virus software is kept up-to-date. Organisations may also consider cyber insurance to provide further protection.
Contracts with key suppliers, especially external IT providers, should be carefully reviewed to ensure organisations understand the cyber security provisions included. For example, if a business’s IT provider is the subject of a cyber attack, what provisions are in place to ensure the business can continue to operate and receive IT services?
Cyber attacks and breaches can happen to anyone. You only need to search online for ‘Travelex’ or ‘Eurofins Scientific’ to see what impact a malware attack can have on a business. It is critical in this digital world that organisations do all they can to protect themselves. These however are the headline issues. Many businesses may receive something as simple as an email purporting to be from an established supplier, notifying a change in bank details for payment. Payments made to the new account will not provide a defence for the business when the supplier demands their payment, so policies and procedures to double check such communications need to be in place.
The National Cyber Security Centre provides a detailed document entitled 10 Steps to Cyber Security, which sets out advice relating to policies and training and provides other guidance which can help businesses protect themselves from cyber crime.
For advice on data protection, IT policies, or any contractual matters including force majeure clauses, please contact our commercial team at Bermans.