A recent consultation from the Department for Digital, Culture, Media and Sport (DCMS) has proposed fines of either £17 million or 4% of global turnover for firms that fail to take cyber security seriously.
The department wants to prevent cyber-attacks that could result in major disruption to services such as transport, health or electricity networks. It says there must be a more pro-active approach to detecting attacks, developing security monitoring and raising staff awareness, as well as ensuring incidents are reported promptly.
The move follows in the wake of the WannaCry attack, which severely affected many businesses and the NHS. If these penalties are implemented, the consequences could be disastrous for affected businesses, so what should risk managers be doing in the meantime?
Room for improvement
Firstly, they should be ensuring the board sits up and takes notice. The Government’s latest Cyber Governance Health Check calls for ‘cyber maturity among FTSE 350s to improve at a faster rate’ if the UK is to stay ahead of rising security challenges. Beyond this, there is also no doubt that many smaller firms have even more to do.
So what are the likely objections from board members that risk managers will need to overcome? These are just some of them:
- They believe the business is unlikely to be targeted by cyber criminals
- Reluctance to face up to the risks – perceived as too technical
- They believe it should be the IT department’s remit
- They fear being shown up because of a lack of knowledge
- They put off covering the topic formally because they believe they need better briefing or specialist training
- They are more focused on the General Data Protection Regulation (GDPR) and data compliance
- They have purchased cyber insurance and believe this will provide adequate protection
These proposed new UK government fines are at a similar level to those set by the EU for the GDPR (€20 million or 4% of annual global turnover – whichever is higher), which comes into force in May 2018. But while ensuring compliance with the GDPR is currently centre stage, protecting data should not be the sole focus: the government wants businesses to take a holistic approach to monitoring threats and to investing in systems and people, in addition to addressing data privacy issues.
Further, insurance can be worthwhile, not least in the post-breach support it can provide, and the market has expanded considerably. But while this may prove useful protection, it should be remembered that insurers demand rigorous standards of security – they have no interest in providing cover to lame ducks that lay themselves open to cyber breaches.
Putting cyber security high on the agenda
Certainly the potential for high fines should be an easy way for risk managers to ensure cyber security is high on the agenda – but they may also need to encourage a longer-term cultural shift.
This means ensuring there is far more emphasis on cyber hygiene and a commitment to training at all levels. Human error is often to blame, and some recent cyber attacks were avoidable: patches were available for the vulnerabilities exploited, but some organisations had not kept their security up to date and so were breached.
The government has stated that it sees the penalties as a “last resort” and they will not be imposed if the business affected by the attack can prove they assessed the risks adequately. Even so, they should indeed act as a spur to action and putting comprehensive cyber security measures into place now is a wise business strategy for the future.