The UK government has issued details of its Cyber Essentials Scheme to assist organisations with their cybersecurity measures. The scheme allows organisations to apply for one of two levels of cybersecurity “badge” certification:
Obtaining and marketing the cybersecurity badge should demonstrate confidence in that organisation’s cybersecurity measures to consumers and the public. The cost of obtaining a badge will depend on the certifying body. Companies bidding for certain government contracts will have to be certified in accordance with the Cyber Essentials Scheme from 1 October 2014.
The Cyber Essentials Scheme documents can be downloaded at: www.cyberstreetwise.com/cyberessentials/#downloads.
Additionally, the new Network and Information Security Directive, known as the Cyber Security Directive, sets out cybersecurity requirements applicable to certain market operators and information system providers. It is likely to come into force in 2015 or 2016. European countries will need to implement legislation to give effect to this directive, which can take up to an additional two years. There are also similar obligations to take security measures for all organisations that process personal data under the new General Data Protection Regulation, which is also expected to come into force in 2015 or 2016 (and will be directly effective soon after, without the need for each European country to implement local legislation). A breach of the General Data Protection Regulation can expose the organisation to a potential maximum fine of the greater of EUR 100 million or five percent global turnover.
The scheme focuses on Internet-originated attacks against an organisation’s IT systems (recognising that many organisations will also need to implement cybersecurity measures for the other services they provide). Organisations should conduct cybersecurity risk audits and take steps to mitigate the risks identified.
The five key controls (identified by CESG, the information security arm of GCHQ) of the Cyber Essentials Scheme are:
The government believes that organisations can mitigate the damage caused by cyber attacks and reduce the risk of a phishing or hacking attack succeeding if they implement Cyber Essentials and also continually review their cybersecurity risks.
The key cyber threats facing organisations are:
The specific cyber threats for a particular organisation will depend on the nature of its business and the type of information held by it. Organisations should also consider taking out insurance coverage to reduce the financial consequences of a cyber attack.
The key to minimising the impact of an attack is detecting it quickly. Many organisations are unaware they have suffered an attack until some time after the incident, occasionally only when sensitive information is published on a blog or website. As soon as an attack has been detected, organisations should:
1. Implement an Incident Response Plan
Organisations should have an Incident Response Plan ready for when an attack occurs. A Technical Incident Response Team should already be primed to step up, deal with the attack and implement the Incident Response Plan. The Team should liaise with senior management, shareholders, lawyers and independent cyber experts as necessary, so that everyone needed to deal with the attack is contacted as soon as possible. The goal should be to minimise any disruption to the business and to maintain consumer confidence.
A forensic analysis of the attack by cyber experts, to determine the scope of the damage and the risk of another or an ongoing attack, should be conducted as quickly as possible. Insurance providers may need to be notified. Lawyers may need to be instructed to safeguard evidence, conduct or assist with internal investigations and prepare to defend the organisation against claims and also to deal with notification obligations (see below).
2. Comply with notification obligations
Some European countries already have obligations to notify data protection authorities about personal data breaches. (In the UK, only some organisations, such as Internet service providers and telecommunications operators, must notify the UK data protection authority within 24 hours of a breach.) Once the new General Data Protection Regulation is in force, all European data controllers will have to notify the data protection authority without undue delay of any breach incident which compromises personal data. There are parallel obligations under the proposed Network and Information Security Directive (although Internet service providers will now be excluded from this obligation). Other regulatory bodies may also need to be notified. In some instances, individuals whose personal information has been compromised may or should also be notified.
3. Issue a PR statement and social media messages
Public statements, across all forms of media, should be issued to reassure consumers and stakeholders, to pre-empt a potential backlash and to regain confidence in the organisation.
The government’s Cyber Essentials Scheme is a useful starting point for organisations that have only recently started, or have not yet started, to consider the cybersecurity risks to their businesses. Cybersecurity professionals regard a business becoming the victim of a cyber attack as almost inevitable. According to UK government research, 87 percent of small firms in the UK experienced a cybersecurity breach in 2012. Ninety-three percent of large firms were also targeted. Some incidents caused more than £1 million in damages.
The Cyber Essentials badge certification is not a clean bill of health; it confirms only that the organisation’s cybersecurity measures were satisfactory at the time the assessment was conducted. It is crucial that organisations continually review the risks their businesses face, including the structure and make-up of their workforce, their geographical operations and the sensitive nature of their business information, and review and update their cybersecurity measures accordingly. The government recommends that organisations with badge certifications recertify at least once a year to retain the badge. Additionally, there are other cybersecurity standards that organisations can consider implementing, such as ISO 27001.
Pulina Whitaker is a Partner in the Labor & Employment Practice in King & Spalding’s London office. She is a UK-qualified lawyer.
Celebrating 125 years of service, King & Spalding is an international law firm with more than 800 lawyers in Abu Dhabi, Atlanta, Austin, Charlotte, Dubai, Frankfurt, Geneva, Houston, Moscow, London, New York, Paris, Riyadh (affiliated office), San Francisco, Silicon Valley, Singapore and Washington, DC. The firm represents half of the Fortune 100 and, according to a Corporate Counsel survey in August 2009, ranks fifth in its total number of representations of those companies. For additional information, visit www.kslaw.com. This article provides a general summary of recent legal developments. It is not intended to be and should not be relied upon as legal advice.