Written by Laura Scaife and Stephen Lansdown, Commercial, Hill Dickinson:
You may have seen in the press and as has been reported on this site recently that the U.K. parliament’s intelligence and security committee, which oversees Britain’s intelligence services, has said in its annual report that the threat of attack from cyber activity “is at its highest level ever”.
This may lead you to wonder what exactly therefore is at threat. According to the committee, the key categories of data which are most vulnerable to compromise relate to intellectual property, personal details and classified information. Clearly if such data is accessed by hackers and used for unauthorised purposes this can result in significant financial, reputational and even personal harm.
Clearly cyber security is an important issue for businesses, which may hold large amounts of data about their clients and employees. Indeed the committee’s report said that in 2012 more than 200 email accounts of British government workers in 30 departments were targeted in an attempt by unidentified hackers to steal unspecified confidential information; however, private-sector businesses were also highlighted as targets for attack. In order to meet the demands that the threat is placing upon businesses, the report has suggested that companies take responsibility for their own cyber security.
One area of major concern in the UK, as highlighted by Andrew Haldane, the Bank of England’s executive director for financial stability, is the financial system and industry. In order to manage data security, firms operating in this area need to be especially alive to the requirements imposed by the Data Protection Act 1998 (DPA 1998) and the Senior Management Arrangements, Systems and Controls Sourcebook (SYSC) (which has been transferred in part to each of the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA)) in relation to clients and customers.
The PRA, which in this area is concerned with assessing the risks to which data is exposed, wants financial institutions to demonstrate that they are addressing and managing the risk issues arising from information security and that their safety and soundness is not at risk, e.g. through exposure to systemic financial crime risk. The predecessor of the FCA, the Financial Services Authority (FSA), took a dim view of failures by very high profile firms to manage this area; indeed a number of firms have been fined for misdemeanours, such as Zurich, who were fined £2,275,00, and HSBC, which received a penalty of over £3,000,000.
Early signs indicate that the FCA will adopt a similarly firm stance, with much of the FSA’s behaviour and materials in this area remaining applicable. For example, the requirements of Principles 2 and 3 (PRIN 2.1.1 R) and SYSC are concerned with possible weaknesses in firms’ systems which open up the possibility of the UK financial system being used for financial crime (e.g. SYSC 3.2.6 R in the FCA Handbook), as customer data is valuable in this context. These requirements also directly support the general DPA 1998 principle requiring businesses to keep personal data secure by taking appropriate technical and organisational measures against unauthorised processing and accidental loss or damage. Again, the FCA picks up from the FSA in the fight against financial crime.
Managing the Risk
While there is an understanding of the risks presented, and of the regulatory framework which maps out the area, the key issue for businesses holding such data is how to practically manage the risk presented and implement frameworks which govern data in a manner that reduces their vulnerability to attack. As part of a cyber-strategy, firms should consider putting together an information strategy plan which deals with the following sorts of issues:
- Draft a statement of intent which sets out the firm’s stance towards data security and requirements imposed by the relevant regulatory bodies
- Take organisational ownership and responsibility of data so that there are clear lines of responsibility
- Implement an information asset management and destruction policy
- Adopt a separate policy in relation to human resources information
- Impose physical and environmental security and access control
- Roll-out training on cyber security including delivering the policy
- Address security in system development
- Introduce business continuity arrangements in the face of, or under threat of, attack
- Draft a policy which identifies key areas of risk and how they will be managed
- Implement an incident management strategy which can be put into action, should an attack occur
It is possible that some of these issues will be dealt with in other policies and procedures but, where this is the case, they must be developed and adapted to reflect the underlying information management and security provisions. The key is to pin down, define and implement your firm’s policies and not to leave them floating about in cyberspace, thereby leaving gaps for the cyber attackers. It is an old adage, but one that has much wisdom: protection is the best form of defence.