The rise and rise of cyber-crime
The desire to digitise businesses, particularly in the financial services industry through FinTech, has seen the adoption of new technology and the reliance on internet-based services outpace our understanding of how to protect effectively against their abuse.
Despite relative inexperience in the challenges of the digital world, insurance companies are nevertheless embracing it wholeheartedly as big data and analytics are (rightly) seen as key avenues for revenue growth. But just as insurers are waking up to the potential value of the data they hold, so attacks on the industry are rising rapidly.
Businesses are still burying their heads in the sand: a recent survey by TheCityUK [1] revealed that less than half of large UK firms surveyed have cyber security as a top 10 risk, and only one in four has a cyber-response plan. Tellingly, less than 20 percent of companies surveyed have involved broader business functions than IT in their cyber planning, suggesting this is being viewed as a problem just for techies to worry about.
The reality is that cyber-security needs to be a C-suite agenda item. Indeed, the self-assessment questionnaire which the PRA circulated last summer requiring insurers to self-certify as to whether they have “effective risk management practices in place to address cyber security risks”, coupled with the view of the Bank of England that cyber risk is one of the risks which should be considered as part of an insurer’s “ORSA” (i.e. own risk and solvency assessment) required by Solvency II (notwithstanding that it may be difficult to quantify accurately), show the direction of travel for the importance of effective top-down governance of cyber risk. It also needs to be high on the list of considerations for the in-house legal function, just as other key business risks are.
So what can (and should) the in-house legal function be doing?
Get the Board’s attention: Cyber risk should be subject to Board governance in the same way as any other material business risk. TheCityUK has developed a 10 point cyber checklist for the Board to consider [2], which could form the basis of such governance, as follows:
- The main cyber threats for the firm have been identified and sized
- There is an action plan to improve defence and response to those threats
- Data assets are mapped and actions to secure them are clear
- Supplier, customer, employee and infrastructure cyber risks are being managed
- The plan includes independent testing against a recognised framework
- The risk appetite statement provides control of cyber concentration risk
- Inwards insurance has been tested for its cyber coverage and counterparty risk
- Preparations have been made to respond to a successful attack
- Cyber insights are being shared and gained from peers
- Regular Board review material is provided to confirm the status of the above
Help develop an effective cyber-security strategy: Key to developing an effective cyber-security strategy is to understand that you cannot protect everything, and accordingly to identify the principal risk points on which to focus. The in-house legal function should be at the heart of this risk assessment and should feed into the Board and the IT function its assessment of key areas where risk exists (recognising that this is a dynamic concept which will change over time).
Make sure terms and policies are up to date: Despite advances in the sophistication of cyber-attacks, the overwhelming majority of successful cyber breaches originate from employee interaction with email and the internet. Ensure that usage policies are refreshed and backed up with suitable training, and that employee terms and conditions enable you to deal with wrongdoers.
Find the weak links in the supply chain: You are only ever as secure against cyber threat as the weakest link in the supply chain. A highly publicised hack on American retailer Target in 2014 was perpetrated by hackers accessing Target’s network through a connection with its air conditioning maintenance provider. Review your procurement contracts to consider whether cyber security is adequately addressed.
Consider cyber-security angles in new developments within the business: Cyber-security should become a staple consideration in your risk assessment of any given transaction, in the way TUPE and tax are. This is particularly true in an industry which is not only focused on digitisation, but which has also seen significant consolidation – acquisition is as fertile a ground for the creation of cyber-security threats as any IT procurement, since an acquirer inherits the security standards of the target.
Consider your cyber response: You need a response plan. Your organisation will have business continuity/disaster recovery plans already but are you familiar with them? Do they extend to the impact of a cyber-breach? Who would you call first if a cyber-attack occurred? How would you interact with the regulators? What is the communications strategy? It is imperative that the plan has legal input to ensure it mitigates the regulatory and reputational risks which flow from cyber-attacks.
1. “Cyber and the City”, May 2016
2. Ibid.