Cyber-security is an issue for most individuals and for organisations of every size. Within organisations it is now generally accepted that it is a board-level matter, not one for the IT department to tackle alone.
The risk is increasing for many reasons: more companies depend on their online offering, more companies depend on intellectual property held electronically, and more companies hold ever-increasing volumes of information on customers and employees electronically, and that is only the tip of the iceberg. At the same time, cyber criminals are becoming more sophisticated, and a company can suffer a breach without realising that it has taken place. Beyond the general risk to an organisation’s reputation, data and security breaches can give rise to legal obligations and financial exposure.
Because some small, basic steps can significantly reduce the risk, BIS (the Department for Business, Innovation and Skills), in collaboration with others, published its 10 Steps to Cyber Security suite of advice and its Cyber Essentials scheme: https://www.gov.uk/government/policies/cyber-security.
The role of the general counsel in cyber-security
The general counsel has a role not only in ensuring that current regulations are followed and new regulations foreseen, but also in ensuring that the organisation embraces best practice. That this is so is illustrated by the fact that the Association of General Counsel and Company Secretaries working in FTSE 100 Companies (GC100) thought fit to produce a guidance note on the topic for general counsel and company secretaries in February this year. The general counsel can often help to ensure that cyber security gets the high-level attention it deserves.
We often work with boards on their role and, when advising on the content of their schedule of matters reserved for the board, look to ensure that oversight of cyber security is given suitable prominence. Among a number of helpful resources for companies, perhaps the most telling is a BIS note aimed specifically at non-executive directors, drawing their attention to the kinds of questions they should be asking of themselves, their board colleagues and board committees. The questions include:
- Have we identified and understood the value of our company’s critical information and data assets?
- What is that small percentage of information within our business that makes it competitive?
- What assurances do we have that adequate technical controls and processes (e.g. the ‘basics’) are in place to protect these assets?
- Do we have assurances that our staff, suppliers, cloud providers, contractors, overseas subsidiaries and partners can be trusted to safely access our critical information and data assets?
- Do we have assurance that our software is up-to-date?
As part of a package of prudent defensive measures to mitigate cyber risk, consideration can also be given to purchasing a dedicated cyber risk insurance policy. When assessing whether cyber risk is being appropriately managed internally, there is clearly overlap with a general review of risk management: does information on new risks flow up, down and across the organisation? Is the risk register a meaningful document? Cyber risk is, after all, only one of a number of risks on which boards will want to satisfy themselves that appropriate identification and management processes are in place and working effectively.