Spring | Law
65 Chandos Place
London
WC2N 4HG
T: +44 (0) 20 7395 4870
F: +44 (0) 20 7395 4871
W: www.springlaw.co.uk
/company/spring-law
@SpringLawUK
Spring | Risk
Managing Risk – The Board & Cyber Security
2016 is already shaping up to be the year when cyber risks are a rolling news story. In most industries, cyber risk
continues to rise as company operations become more reliant on technological advancements in order to reach wider
markets, faster. The risks to companies are becoming more complex and are aggressively evolving, exponentially
increasing vulnerabilities across most sectors. Whether highly targeted or entirely random, cyber-attacks threaten
business operations and data security, which increases the company’s exposure to liability, with equally severe
consequences for business reputation. This should be a signal to boards of companies of all sizes that if cyber risk and
security are not at the top of the agenda, they are behind the mark.
Market indicators are pointing to 2016 being the tipping point for cyber risk. A risk consultant and Institute of Risk
Management Board member recently said “in 2016, we will enter a new phase in the war against cybercrime.”
Companies will be unable to maintain a passive stance where cyber risks are an abstract threat ‘out there’ that can be
controlled simply by buying a piece of software or changing passwords monthly. The pressing need is for companies to
assess and control risks by actively seeking them out before they are left with crisis management/disaster recovery as
their only response.
In a recent survey by the HM Government on Internet Security Breaches it was shown that 90% of large organisations
and 74% of small businesses suffered a security breach within the last year; the worst breaches causing £1.46m -
£3.14m and £75k - £311k worth of damage respectively. These losses are up from the previous year and are expected
to continue to rise in the future. The important question for companies now is not ‘what happens if there is a breach?’
but ‘what is the plan for when there is one?’
Cyber resilience is about managing the risk in a focused and practical way. Management teams should take the time to
clarify their ‘crown jewels’, the information, property or assets which are at the heart of the business. This will vary, of
course, but may include intellectual property, customer and client information, employee data and records, financial
data, patents or source code. Once the ‘crown jewels’ are identified the business needs to weigh up the risks of losing
them against the cost of various levels of protection for them. This will typically include a combination of hardware,
software, staff training, and process driven monitoring.
Those responsible for the oversight of departments should be reporting information about risk developments directly
to the board; this accountability factor is crucial to the development of a sustainable risk culture. Having a fully
informed board will allow them to implement policy, whether it is employee training or incident response, and
procedures effectively. Systems, policies and procedures will need to be regularly monitored and updated to reflect
changes or advancements in risks, and insurance should be sought to increase protection and maximise the
opportunities for de-risking the business.
However, it’s not all doom and gloom. Boards and company executives who appreciate the potential magnitude of
these risks and embrace cyber resilience within their risk culture will be better placed to take advantage of ever-
changing technology advancements. This will drive business growth whilst minimising the financial and reputational
damage of any security breaches in the future.