The financial industry has poured hundreds of millions of dollars worldwide into beefing up its cyber security teams, hiring former intelligence officials from spy agencies, or finding young tech minds from Chaos Computer Club, Europe’s largest hackers association. Image Credit: Agency

Companies around the world are bracing for an avalanche of cyber security regulation, as governments scramble to introduce rules forcing corporate groups to build stronger defences against catastrophic hacks.

The toughest are expected to come from Europe, with regulations due by the end of the year that could impose multimillion-pound fines on businesses that suffer data breaches. The threat from hackers has come into sharp focus following an attack on TalkTalk last week, which the UK telecoms group said had left up to 1.2 million customer details vulnerable and left the company rushing to limit the damage to its reputation and business.

The US has already experienced cyber attacks on a much larger scale, starting with Target in 2013, where up to 70 million customer records were lost, and including the destructive attack on Sony Pictures last year. These high-profile hacking incidents are forcing global authorities to consider tougher regulations. In Brussels, negotiators from the European Parliament, 28 member-states and the European Commission are working on a deal to create new data protection rules by December.

One of the toughest proposed measures is a suggested fine for businesses representing up to 5 per cent of global turnover or 100 million euros — whichever is bigger — for a privacy breach. Such a fine would have wiped out most of TalkTalk’s 95 million pounds of pre-tax profits last year.

The rule would bring data protection into the same league as antitrust rules, whereby companies can be charged up to 10 per cent of turnover if they are found to have abused their market position.

Some countries — Belgium and the Netherlands for instance — are going further than the EU, by introducing fines for companies that suffer data protection breaches. Sweden, France, Australia and Israel have also created tough requirements for businesses running critical infrastructure.

The cost of cyber attacks on businesses is rising fast. It was up 14 per cent in the UK last year, according to the Ponemon Institute, a US organisation that specialises in cyber security research.

Ponemon’s data show that the average cost of cyber crime in the country is highest among financial services, utility and energy, and communications companies. The cost to financial services groups is estimated to hit 8.5 million pounds per company this year, more than double the 3 million pounds in 2012. Utility and energy companies are expected to suffer the sharpest rise, with costs rising to 6.5 million pounds per business in 2015, compared with 5.2 million pounds last year.

However, the financial impact of attacks on UK companies still lags behind the US, with the average hack costing a British business $6.3 million, less than half of the $15 million it costs in the US, according to Ponemon. Companies across the globe are already significantly increasing their security budgets, investing 24 per cent more in the last year, according to a recent report from PwC, the professional services firm.

They are buying new technologies that aim to make it easier to detect hackers and bolstering their security teams or using top cyber engineers to test how robust their networks are. But interviews with government officials and security analysts suggest cyber security standards in businesses internationally remain patchy, varying widely across sectors.

Governments are stepping in to ensure better standards at key companies. In the UK, for example, British security agencies, such as GCHQ, the UK’s electronic eavesdropping agency, and MI5, its domestic intelligence agency, are working with companies that provide “critical infrastructure,” such as banks and power plant operators.

Experts say significant issues remain in “second tier” companies, including retailers and communications groups, which have less formal interaction with authorities, yet remain vulnerable as they hold sensitive customer details.

The financial industry has poured hundreds of millions of dollars worldwide into beefing up its cyber security teams, hiring former intelligence officials from spy agencies, or finding young tech minds from Chaos Computer Club, Europe’s largest hackers association. Banks are attempting to work together to tackle the problem, creating the Financial Services Information Sharing and Analysis Center, which shares information about security threats.

The trade body has 5,500 members, including JPMorgan Chase, Citigroup, Wells Fargo and HSBC.

Others are looking to outside providers to provide added security. Drax, the UK’s largest power station, which provides about 7 per cent of the country’s electricity, has employed Darktrace, a cyber security start-up that uses advanced technology to spot abnormalities across a company’s computer network. Other companies working with Darktrace include BT and Virgin Trains.

There has been some pushback from companies fretting about tougher rules. Businesses in Britain and Ireland have consistently pushed for lenient terms when it comes to informing customers about data breaches.

Privately, UK businesses argue that stiffer cyber regulations could lead to spiralling costs. People with knowledge of discussions over regulations in Europe expect a compromise, with policymakers expected to recommend a fine far bigger than what is currently available but smaller than the 5 per cent.

“It is the UK’s aim that the regulation strikes the right balance between the protection of personal data and not imposing disproportionate burdens on organisations that process data for legitimate purposes,” says one British official.

The government formalised its national security strategy in 2011, rolling out measures aimed at improving the resilience of British businesses. At the forefront was the creation of the Cyber Information Sharing Partnership through which companies are encouraged to share intelligence and detailed technical information on attacks they have suffered. The CISP has 750 organisations signed up to it.

GCHQ also runs informal, higher-level secret networks with companies of particular national importance. The UK’s biggest banks, for example, liaise regularly in a tight-knit information-sharing circle with GCHQ and the Bank of England.

Some businesses have to open themselves up fully to the government’s cyber surveillance work. Any organisation entering into a contract with the Ministry of Defence, for example, must effectively put its computers under GCHQ’s remit.

Officials are clear that they cannot act to protect every business. One senior UK security official recounts having to tell a large FTSE 100 company three times that its servers had been compromised by an aggressive foreign nation-state. The company did nothing. “At some point we had to throw our hands up in the air and walk away,” says the official.

The message that all companies, not just those providing critical infrastructure, need to strengthen their cyber defences is being better heard in the US, according to Austin Berglas, an executive at K2 Intelligence, a corporate investigations firm, and a former Federal Bureau of Investigation agent who led probes into the hacking of JPMorgan Chase and into the masterminds behind the Silk Road website.

“Where the US is perhaps ahead of the UK is that everyone is in preparation mode thinking now is the time we need to spend the money to assess the networks and make sure our critical data are secure,” says Berglas.

However, he says a scattered approach to regulation can also be seen in the country. There is no US national breach notification law like the one being debated in Europe. Companies are bound by state laws that vary by each jurisdiction.

As in other territories, rules differ across US industries. American financial institutions face harder regulatory requirements when they have experienced a breach. Ensuring they have adequate cyber security standards is also part of regulatory bank examinations.

The US Securities and Exchange Commission requires companies to report breaches if they are believed to have a material effect on the company and could affect investors. Other key sectors also have onerous requirements. US health care providers must report data breaches to the US Department of Health and Human Services, which has imposed fines on insurers and hospitals.

Berglas says government intervention will not be enough to tackle the problem. “Regardless of the regulation that doesn’t mean as a company you’re off the hook from protecting client data,” he says. “It’s your responsibility.”

— Financial Times