Cyber risks – A clear and present danger

Cyber risks – A clear and present danger
30 May 2016

If it is not clear by the title, let me spell it out for you – cyber risks are here. It is a risk that is not only very real but one that can be truly devastating to a company should their systems and data be hacked. A digital security breach can reveal sensitive company trade secrets which can lead to massive losses and liability claims.

Take the very recent exploit of Standard Bank, what has become known as the “Japan heist”. In an article entitled “How fraudsters may have exploited Standard Bank in Japan ATM heist” written by Prinesha Naidoo of Moneyweb, the following is set out:

Three hours, around 100 people, 1 400 Japanese ATMs and 1 600 counterfeit credit cards, was all it took for fraudsters to exploit Standard Bank in Japan. The bank, which stands to lose up to R300 million, described the attack as a ‘sophisticated, coordinated fraud incident‘.”

Those numbers are astounding. Within only three hours, R300 million was stolen by what is being described by Kalyani Pillay, CEO of the South African Banking Risk Information Centre (SABRIC) as “an incident of transnational organised crime that was well planned and executed.”

According to Naidoo’s article, Steven Powell, co-head of forensics at ENSafrica said that “In order for external parties to gain access [to credit card information], there usually involves some sort of collusion”. He added that “Standard Bank would have to investigate whether its security measures were compromised internally or externally as well as whether the security breach was isolated to Japan.”

And that is actually the crux of Cyber Risk – are your security measures in place and are they adequate?

Is it something that we can insure against?

Kind of…. Insurers and Re-insurers are discovering that there is a growing and real need to insure companies across all industries and spectrums against these potentially devastating risks – and that means increased premiums for those Insurers and Re-insurers eager to tuck into a slice of the proverbial cyber pie. In Price Waterhouse Cooper’s January 2016 Top Issues publication, the following was outlined –

The biggest challenge for insurers is that cyber isn’t like other risks. There is limited publicly available data on the scale and financial impact of attacks and threats are very rapidly changing and proliferating. Moreover, the fact that cyber security breaches can remain undetected for several months – even years – creates the possibility of accumulated and compounded future losses.

According to PWC –

Cyber insurance is a potentially huge but still largely untapped opportunity for insurers and reinsurers. We estimate that annual gross written premiums will increase from around $2.5 billion today to $7.5 billion by the end of the decade.”

Freshfields, Bruckhaus, Deringer, a world-wide legal practice, warns that “Cyber crime can derail your company… Whatever your industry, cyber security is a worldwide concern. As you hold more data, and your staff use their own devices, you can become more vulnerable to security breaches… Those breaches can have significant legal and reputational effects upon companies. As shown by recent data breaches, and related litigation, this is not just an IT issue.”

Understanding leads to prevention

While insurance provides a handy safety net should things go awry, where law is concerned, prevention is often better than the cure. In order to even start combating Cyber Risk, we first need to understand what it actually entails. According to Kennedy’s article, “Cyber risks – an insurance perspective”, cyber risks can be understood quite simply:

Two of the most common forms of cyber risks are Cyber-attacks and data breaches. Cyber-attacks can take many forms:

Hacktivism – where a company’s website is hacked into and used as a platform to promote views.

Denial of service attacks (DoS) – when a site is bombarded with millions of emails from a bogus source, thereby blocking access to the site by legitimate users. This happened to the Amazon and PayPal sites recently, when they were forced to stop online trading as a result of DoS attacks by people protesting against the arrest of Julian Assange.

Cyber-extortion – where attackers threaten to carry out a DoS attack or to implant viruses in a company’s website or network.

Data breaches can occur as a result of human error – for instance, unencrypted data is lost or sent to the incorrect recipient – or by hackers, employees or others stealing or otherwise gaining access to sensitive data.

An article on the Hedgeweek website entitled “Cyber security – a Global Persceptive” sets out the lengths the US Legislature is taking to ensure the protection of companies against cyber-crime, which includes the House of Representatives passing a new cybersecurity bill –

the Protecting Cyber Networks Act (PCNA) – to allow file sharing between government intelligence agencies and private companies and raise the overall awareness of hacking.

Have South African companies heeded these warnings?

A call to arms

What is abundantly clear is that this is not just an IT issue, something you can “dial a nerd” for and consider your job done. What this is, is a global risk. Something that as legal practitioners we need to get ahead of. It is all well and good to have the insurers and reinsurers make their mark in this currently untapped risk market but we need to prevent the risk from happening in the first place. A seemingly daunting and almost impossible task. However, as with everything, you can tackle this “one bite at a time”.

How do we fight Cyber Risks?

  1. Identify the specific risks to the business and what needs the most protection. For example, in a company like Coke, intellectual property might be the most important asset which is vulnerable to cyber-attack. For Bid or Buy, the stability of online platforms and the security of customers’ personal data may be paramount.
  2. Assess the potential consequences of the various types of possible attack. Essentially, what would the impact to the company’s reputation be, to its share price, to its goodwill? What is the litigation risk? What would be the impact on the business be if its activities were disrupted for a short or for a sustained period of time? How much risk can the business accept? This is a really important balancing act and from a legal perspective will need some risk management. For example, ensure senior management in all areas of the business are fully aware of the IT security and all the risks that potentially exist.
  3. Devise a strategy to address the identified cyber risks. This is likely to involve preparation of both a cyber risk management plan and an incident response plan. A cybersecurity review is vital.
  4. Ensure that the systems and security measures are properly and regularly tested (here you can most certainly get a hold of “dial a nerd”),
  5. Implement appropriate staff training and education. Many attempts to compromise information involve what is known as “social engineering”, which is effectively the skilful manipulation of people and human nature to trick information out of a company. Online social media platforms need to be properly monitored and staff trained here according to what they can say and what they can’t say with regards to the company online. A social media policy will most definitely be needed. Proper training can help reduce or prevent completely this type of risk.

Clearly, cybersecurity is more than just tightly worded policies and endless procedures. It is a legal risk management exercise which undoubtedly entails keeping your eyes wide open, ears to the ground and your paper trail well and truly up to date because if you are ever in the same shoes as Standard Bank, your legal team needs to be properly armed with their trail of governance to ensure real combative steps are taken.

(This article is provided for informational purposes only and not for the purpose of providing legal advice. For more information on the topic, please contact the author/s or the relevant provider.)

Technology Law articles on GoLegal