updated on 09 June 2015
QuestionWhy is cyber security grabbing the headlines and what does it mean for businesses?
Following a series of high-profile breaches in 2014 - the so-called "year of the data breach" - cyber security has become an inescapable part of good corporate governance. Former European commissioner, Neelie Kroes, said: "Whatever sector you're in, online security needs to form part of your business model. A habit as automatic as locking your front door." Cyber security's recent rise to prominence should not come as a surprise. Cyber attacks are increasing in scope, sophistication and severity at a time when businesses and governments are moving an increasing share of their valuable assets to the digital sphere.
Cyber security has become a pressing concern for many of the world's governments. In April 2015 the US House of Representatives voted to pass two bills aimed at encouraging the sharing of cyber security information between private companies and the US Department of Homeland Security in order to create a 'live immune system' against cyber threats. President Obama, in his most recent State of the Union address, pledged an additional $14 billion to the US annual cyber security budget. In the United Kingdom the government has classified cyber security as a 'tier one' threat alongside international terrorism and David Cameron has recently appointed Baroness Shields to lead the United Kingdom's internet safety and security strategy.
The corporate world is also beginning to see cyber security as a priority. Although the high-profile hacks of companies like Sony, eBay and Target have captured the public's imagination, they represent only the tip of the iceberg. Government statistics show that 90% of large organisations suffered a security breach in the past year and the results of a recent survey published by the Department for Business, Innovation and Skills noted that the majority of FTSE 350 respondents expected cyber risks to increase in 2015.
As the frequency and complexity of cyber breaches increase, so does the cost. The latest estimates show that the cost to a large organisation of a single breach has doubled over the past year to between £1.5 million and £3 million. In addition to the financial costs, companies which fail to maintain robust cyber security measures face a number of legal risks. These include potential breaches of governance and disclosure obligations, fines by regulators and claims by affected individuals.
Directors who fail to show informed and active engagement with the company's cyber security strategy may infringe their duty to promote the success of the company. Further, when discharging their functions, directors must also exercise care, skill and diligence – a standard that considers the competence of both the director in question and that which could reasonably be expected of a person carrying out the same role. As a result, the standard expected will be particularly high in respect of directors of companies with significant online assets and systems.
The loss of sensitive information, the disruption to a company's online systems and the remedial costs associated with a cyber breach can significantly impact a company's earnings and share price. Target, following a data breach which affected more than 110 million customers, suffered a 46% fall in profits. It is estimated that Sony's costs could reach $100 million following the hack it suffered in December 2014 and it is believed to have lost over $170 million as a result of the breach of its Playstation Network in 2011.
However, the consequences of a cyber breach can extend much further than the affected company. The exposure of personal data and sensitive information that often results from a cyber breach may lead to follow-on crimes such as theft, identity fraud and even insider trading.
Although individual directors need not become cyber security experts, they must ensure that the company employs such expertise at an appropriately senior level and that the board remains actively engaged with the cyber security dialogue.
Interestingly, Sir David Walker, chairman of Barclays, described cyber expertise on the main board as a "necessary ingredient" of good governance and it appears the City is taking heed. Standard Chartered has recently appointed Iain Lobban, former GCHQ director, to its financial crime risk committee and KPMG has hired Curtis Baron, the former head of Royal Bank of Scotland's resilience operations.
Companies with shares listed on the London Stock Exchange must also consider their obligations under the UK Corporate Governance Code. The code requires directors, among other things, to assess and mitigate the principal risks facing the company. Though a company is not legally obliged to comply with the code, any failure to do so must be explained and could result in negative publicity and shareholder pressure. Indeed, in the wake of the cyber breach suffered by Target, its chief executive and chief information officer resigned from their roles amid considerable public and shareholder discord.
A cyber breach can also result in civil actions from affected individuals and fines by regulators. The Information Commissioner's Office can require organisations to commit to certain courses of conduct to remedy a data breach and can levy fines of up to £500,000. The Financial Conduct Authority (FCA) has the power to impose unlimited fines on regulated financial firms deemed to have inadequate governance arrangements, systems and controls to minimise cyber threats. For example, in August 2010 Zurich Insurance was fined £3.25 million for failing to take reasonable care to ensure that it had effective systems and controls in place to manage risks relating to confidential customer information. More recently, the RBS Group was fined £56 million by the FCA and the Prudential Regulation Authority for various information technology failures.
Further, affected customers may be able to bring actions on the grounds of breach of contract, negligence or under the Data Protection Act 1998. Class actions and derivative actions brought by shareholders for wrongs against the company are also possible; though class actions are a more developed concept in the United States than in the United Kingdom.
UK-listed companies may also be required to make various disclosures in respect of cyber security.
Companies wishing to raise equity or debt finance may be required to publish a prospectus detailing, among other things, the principal risks facing the company. Such information must also be included in a company's annual report.Disclosure of these risks may include information on a company’s cyber security strategy and the potential consequences of a cyber attack - particularly where the company operates in a high-risk industry (eg, the financial services industry) or relies heavily on online systems and assets (eg, a technology company).
Further, under the disclosure and transparency rules, a UK-listed company must make an announcement in respect of any information which: (i) relates directly or indirectly to the company; (ii) is not generally available; (iii) is sufficiently precise; and (iv) if made generally available, would be likely to have a significant effect on the share price (assessed by asking whether a 'reasonable investor' would use the information as part of his or her investment decisions). Although the effect of a hack on a company’s share price appears to be relatively fact specific, it is likely that a significant cyber breach would require disclosure under this test.
The discrepancy between the large number of companies that have been hacked and the relative scarcity of disclosure indicates that many companies are erring on the side of non-disclosure. The position in the United Kingdom stands at odds with that in the United States, where disclosures are generally more frequent and comprehensive; perhaps due, in part, to the Securities and Exchange Commission's specific guidance on the issue.
Companies are understandably reluctant to disclose that they have suffered a hack due to the potential reputational, financial and legal implications. However, this position will become harder to maintain as the frequency and scale of hacks increases and the move toward greater information sharing gathers pace. This progression is illustrated by Europe's Network and Information Security Directive, which aims to encourage cross-industry collaboration against cyber threats, and the United Kingdom’s cyber-security information sharing partnership, which provides a platform for secure information sharing between companies and government.
Companies with an effective cyber security strategy will not only be able to mitigate the legal, financial and reputational risks posed by cyber breaches; they will also be best placed to take advantage of the benefits afforded by developments in technology. As the regulatory landscape develops, it will not be long before companies are left with little other option. The draft General Data Protection Regulation, for instance, contemplates a strict data protection regime with severe penalties of up to €100 million or 5% of worldwide turnover. It would be unrealistic to expect a company to achieve immunity from cyber breaches - the threat is simply too dynamic - but it is now untenable for boards to shy away from proper engagement with the issue.
However, simply making cyber security a board-level issue will not suffice on its own. The change, to be truly effective, must extend throughout the organisation and inform everything that it does. A number of recent high-profile hacks are believed to have occurred as a result of a 'weak link' in the system. It is thought that the hackers of Target obtained access to its systems via the network of one of its fridge suppliers. Similarly, the breach of JP Morgan's systems is thought to have occurred via an employee's computer. The cyber security discussion must start at the highest levels of a company’s management, but it must not end there.
Given the nexus between cyber security and legal outcomes, it is also important that lawyers have an understanding of this area to enable them to advise on the specific legal risks posed by cyber security and to appreciate the changing commercial environment in which many of their clients operate.
Mark Zarwi is a trainee solicitor at Slaughter and May.