As reported recently in the Irish Times, the Central Bank has issued a timely reminder to regulated firms that they must plan, implement, test and utilize robust systems and controls to minimize the impact of Cyber-Attack on their business and the wider financial system.
Cyber-attack is one of the real and present dangers for modern business.
In the UK estimated breach costs in 2015 for a large company were £1.46 M and the UK's National Crime Agency recently announced that Cybercrime is now larger than any other crime in the UK.
The risks posed by Cyber-Crime for businesses, their owners and directors are not as well understood as they should be. The regulatory & financial risks presented by Cyber-Attack don't just arise for regulated firms.
By way of example, where a company has failed to take prudent steps to prevent and minimize the impact of a cyber attack, the directors of that company may find themselves prosecuted/fined for breaching the following:
1. Data Protection Obligations, including the Data Protection Acts 1988 & 2003; the DP Commissioner's Code of Practice on Personal Data Security Breach; and the Central Bank's Best Practice Guide;
2. Directors' Duties under the Companies Act 2014, where directors can be obliged to indemnify for breach of their fiduciary duties;
3. Civil Liability- for breach by directors of their statutory duties of care; and
4. Liability for contractual breach: where they have failed to honor contractual commitments to keep third party data confidential.
In addition to the above concerns, the EU has a raft of fresh legislation coming down the pipe, such as the new General Data Protection Regulation (GDPR), which will replace our existing Data Protection Acts from May 2018.
"Business closing" fines may be imposed under the GDPR for breaches of Data Protection obligations by a company. Depending on the offence, fines of up to the higher of 4% of annual worldwide turnover or €20 M may be imposed under the GDPR when it comes into force.
They are coming for you. Can you afford not to be Cyber-Attack ready?
The Central Bank of Ireland has warned that regulated financial firms here are not implementing “sufficiently robust” IT systems and controls and must increase their resilience to technology failures to “minimise the potential impact on their business, reputations and the wider financial system”. In guidance published on Tuesday on IT and cyber security risks, the Central Bank said regulated firms should assume that they will be the subject of a “successful cyber-attack or business interruption”.