According to Elizabeth Denham, the new Information Commissioner at the Information Commissioner’s Office (ICO), “Cyber Security is not an IT issue, it is a boardroom issue”.
She was speaking in the aftermath of one of the most significant and high profile cyber-attacks in UK history, where the communications company TalkTalk was hit with a record £400,000 fine and costs of £45m in managing the event, along with a £15m trading loss. 28,000 customer card details were leaked and 95,000 subscribers were lost during the months after the hack.
This sends out a very strong message to businesses, around where the responsibility lies for cyber security and the potential damage that can be done in the event that a cyber-attack should occur. Interestingly, had TalkTalk been hacked under the forthcoming GDPR regulations the potential fine could have been £73m!
Real Risk: Cost of Cyber Attacks
Types of Cyber Threats
There are a number of different types of attack a threat actor can deploy to circumnavigate security and an organisation’s operation process and controls.
These are categorised as follows:
Each year, businesses around the globe dedicate increasing levels of time, budget and labour in identifying, preventing and mitigating cyber threats. The cat-and-mouse game of cyber security means that new trends emerge almost daily, requiring at-risk organisations in all industries to stay ahead of these new and evolving risks to revenue and reputation.
Criminals are migrating to the darknet, the rise of ransomware-as-a-service, an increase in the operational security of hactivist operations and notable trends in DDoS attacks against a widening array of victims is being seen across all industries. Critical vulnerabilities in prominent software applications have enabled malicious actors to increase their exploitation activities and level of impact, which is likely setting the stage for a continued wave of breaches for the years ahead. No business is safe from this threat.
Where Do the Costs Come From?
The Ponemon Institute conducted interviews using a representative sample of companies with on average a minimum of 1,000 seats.
Their data showed the percentage spread of costs after suffering a breach to be as follows:
- Business Disruption — Business disruption remains the highest external cost and a key motivator for cyber-crime prevention. As a cost it has increased from 38% of total external costs in 2012 to 47% in 2015. Information loss also accounts for 26% of external cost. Business disruption includes costs associated with business downtime and loss of customers.
- Revenue Loss — Revenue loss refers to losses connected with loss of sales due to reputational damage, fines and other legal costs.
- Information Loss — This refers to the costs linked to data loss and theft, which has increased slightly over the last four years.
- Equipment Damage — This is often a small cost which illustrates the scale of the level of business disruption and revenue loss associated with a cyber-attack. However, in some cases like the Shamoon virus which Saudi Aramco fell victim to in 2012, 50,000 hard drives had to be replaced, so this isn’t always an insignificant cost.
- Reputational Damage — As well as the direct costs experienced as a result of a cyber breach, there is also the cost of reputational damage which can be harder to quantify and far more damaging. According to Raconteur, the causes of such reputational damage can be broken down into the following. (The percentages relate to a survey of large organisations and which cause they felt damaged their company’s reputation the most):
Notable hacks at Sony, TalkTalk and Ashley Madison resulted in long-term reputational damage with a knock-on effect on customers, clients and share prices. High profile resignations also frequented media headlines as the bad news continued.
In the case of communications company TalkTalk, the costs of their cyber-attack ran into the tens of millions. But where exactly did that money go?
The following case study shows where TalkTalk were forced to invest when a simply executed cyber-attack led to thousands of their customers having their bank details stolen.
Costs in Context:
TalkTalk
In October 2015, the UK communications company TalkTalk was hit by a relatively simple cyber-attack. In the attack, less than 4% of customers had their sensitive details accessed, including 28,000 cases where users’ bank details were stolen.
This led to the largest fine ever imposed by the Information Commissioner’s Office, but it is a drop in the ocean compared with the total cost to the company of the
cyber-attack in other areas.
Cost of Fine: £400,000
Total Cost of Cyber-Attack: £60 million
So where did the money go? According to an article in Management Today, the company had to spend in the following areas:
- Customer service – the company experienced an upsurge in calls from customers worried about the safety of their data, so the company had to hire and train additional staff to cope with the demand
- Marketing and PR involving a reputation damage limitation exercise
- Fixing their cyber security. After such a costly hack, some of the money went into “the costs of restoring our online capability with enhanced security features”
- Customer retention. In an effort to stem the flow of deserting customers, (around 95,000 customers left in three months directly after the attack), TalkTalk offered incentives such as free upgrades to TV packages, free mobile SIM cards and free landline calls, as well as a collection of new security features
The Worst is Yet to Come?
Changing Legislation
Although it seems like an increasing number of cyber attacks are making the headlines, the statistics are telling us that in fact this should be a far more frequent occurrence. If 90% of large organisations suffered a security breach in 2015, why aren’t they all making the headlines?
Part of the mystery is due to current legislation. Under the existing UK Data Protection Act 1998 (DPA), companies that suffer data breaches or cyber-attacks are under no obligation or requirement to notify regulators, however there are 3 exceptions to this rule:
1. If the company is a service provider (which triggers The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR))
2. If the breach is likely to adversely affect the personal data or privacy of the company’s subscribers or users
3. If a company cannot demonstrate that the data was encrypted (or made unintelligible by a similar security measure)
So what does this mean in real terms? If a firm does not make the breach public then:
- The overall cost of the breach is kept low
- Reputational damage is limited
- Potential fines are avoided
But all of this is due to change.
In 2018, new EU wide legislation called the EU General Data Protection Regulation (GDPR) is going to change the game in terms of how cyber attacks are reported and policed.
Among the headline changes due to be enforced as part of this legislation are:
- Compulsory notification obligations for all companies which suffer data breaches
- 72 hours timeframe to make notification to the relevant supervisory body (in the UK it is the Information Commissioner’s Office) of any breach
- Non-compliance will bring fines of up to 4% of annual worldwide turnover (or €20m whichever the greater)
- A range of other changes such as requiring significant processors to have a Data Protection Officer
Of course, further complexity is added with the UK voting to leave the EU. However, as the ICO are the supervisory authority of the UK, and have spent several years contributing and preparing the DPA to be updated to the new EU regulation, it is likely that regardless of exiting the EU, the ICO will ensure the new DPA will be in line with that of the GDPR. It is also expected that the ICO will bring in a similar legislation to GDPR in order the UK can easier negotiate new trade deals post-Brexit. This has been further ratified by the UK Government’s announcement on the 2nd October stating that a new Bill will convert existing EU law into UK law at time of Brexit.
A recent statement was released by the UK Government confirming the UK will be implementing the General Data Protection Regulation (GDPR). The Secretary of State Karen Bradley MP used her appearance before the Culture, Media and Sports Select Committee to say:
“We will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR and then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public.”
Full article can be seen here. Clearly, UK firms must now move fast to implement the necessary changes to ensure compliance by 2018 deadline.
FinTech Insurance, FinTech Insurance, Review, FinTech Deposit Insurance, FinTech FCA Insurance, FinTech FSCS Insurance, FinTech Cyber Insurance, FinTech Directors and Officers Insurance, FinTech Professional Indemnity Insurance, FinTech Insurance Broker, FinTech Insurance Broker London
Summary and Takeaways
As businesses continue to develop and implement systems which collect and store customer data, the risk of cyber attack will continue to rise. It is the responsibility of the company to safeguard vulnerable systems and ensure every measure has been taken to prevent a successful breach from occurring, and where cyber attacks have been successful, the results have often been devastating.
As organisations continue to embrace online systems and move increasing amounts of data to the cloud, it’s more important than ever for members of the board to understand the scale of the risks that they are vulnerable to and put in place a plan to manage and transfer as much of this risk as possible to guard against the worst effects of a cyber attack.
Takeaways
- The risk of cyber attack is growing across every sector – as is the cost
- It is the responsibility of the organisation to put sufficient measures in place to guard any data that they manage
- The scale of the risk and the potential fallout from a cyber attack means that security is no longer an IT issue, it’s one that needs to be managed at board level
- New legislation will result in higher fines and more publicity for companies that are hit by a cyber attack in future – increasing the effects of reputational damage
About the Author
Simon Gilbert, Founder and Managing Director of Elmore
Simon Gilbert has 15 years of experience working in the heart of the insurance industry throughout the world’s leading business centres. Simon’s appearance on CCTV America advising on cyber insurance and his expertise in this rapidly growing area of risk, coupled with more than a decade at the fore of the insurance industry make him a formidable force and partner in securing clients bespoke insurance for their needs.
About Elmore Insurance Brokers (Elmore)
Elmore is a City of London based brokerage firm with partnerships in place to offer world leading insurance and re-insurance for customers. Providing best value to clients is our cornerstone value, upheld by our promise to be forward-thinking specialists, providing a global perspective through our international network and advising on the risks of today for the challenges of tomorrow. We offer advisory, broking and claims management services under one roof, with particular expertise in the rapidly growing field of cyber insurance.
