UK Government launches new Cyber Essentials measures
In an era where cyber risk is almost daily news, governments have been working to develop tools to help businesses protect themselves against those who want to steal or misuse data.
The UK Government has launched a set of basic measures that any organization can use to reduce cyber risk, following a review of cyber attacks by the Government Communications Headquarters (GCHQ). Termed the “Cyber Essentials Scheme”, this initiative is voluntary, rather than a legal requirement. However, the aim is that participation should become mandatory for certain Government procurement contracts, especially those for information technology and communications. Given the size of the UK Government’s IT spend, this is likely to be a strong incentive for adoption, and over time the measures may come to be treated as a form of industry standard.
Cyber Essentials aims to encourage businesses to build at least a basic level of cyber security into their operations, on the premise that relatively simple steps might help to prevent some 80% of attacks to which they would otherwise be vulnerable. The measures:
- lay out a procedure for creating resistance to cyber risk;
- provide a mechanism for that resistance to be certified; and
- enable organizations to display their level of cyber security through certification.
External certification is designed to allow customers, suppliers and perhaps insurers to know whether an organization meets a measurable minimum standard. Companies that demonstrate compliance with Cyber Essentials may enjoy a competitive advantage over those that do not. The certification process is evolving and we will write a further update on this aspect shortly.
From a compliance and risk management point of view, the Cyber Essentials measures should set a benchmark against which management may be held accountable: cyber risk management is, of course, a corporate governance issue. Standards like these may also be used in the determination of negligence; losses that could have been prevented by adopting Cyber Essentials may turn out to be uninsured and may be more easily shown to be the responsibility of the organization that failed to prevent them. Cyber Essentials could also serve as a benchmark for compliance with general data protection requirements on information security, which is becoming an ever bigger issue, with fines of up to 5% of annual worldwide turnover being proposed under the EU Data Protection Regulation.
Most businesses are likely to focus on the “10 Steps to Cyber Security” launched by the UK Government in 2012 and certification under the new Cyber Essentials. As part of the recent focus on cyber risk, lawyers and risk managers will need to consider liability and how to address it, and the extent to which contracts with suppliers should contain provisions governing cyber and information security. There is likely to be a call for suppliers to show Cyber Essentials certification, and for buyers to rely on and refer to that certification.
Alongside the work of any business in reducing exposure to cyber risk, cyber insurance is a critical consideration. Risk managers and IT specialists should be reviewing the kinds of insurance cover their business has, which cyber risks are excluded, and which cover best meets their needs and addresses the threats they perceive.
Insurers are working to exclude cyber risks from standard insurance policies, and many are providing separate cover for them. It is too soon to know how insurers will react to Cyber Essentials certification: it may become a prerequisite for buying cyber insurance, and it could certainly affect premiums. Insurers are already in dialogue with the Department for Business, Innovation and Skills about how Cyber Essentials will work and to what extent they will support and recognize it.
For those businesses that have not already done so, carrying out a cyber risk assessment and due diligence of potentially vulnerable business activities and their contractual position should be a priority. An audit and review of the terms on which third party services are provided should focus on the areas of the business where information technology underpins critical activity, covering IT services agreements, cloud computing, remote data processing and communications services agreements, together with the associated insurance cover.
Companies should consider setting up a cyber risk register linked to their corporate governance risk systems, together with a centralized register of the contracts that seek to address such risks. This makes it possible to monitor, manage and insure the risks the business carries and to understand which vendors exclude liability. Legal and financial advisers, risk managers, IT functions and data protection officers will need to work together to understand how exposure and risks arise, assess and quantify liability, and determine whether and how contractual mitigation may be formulated. From a management point of view, it may be important to be able to show shareholders, customers and suppliers that a governance program is in place which regularly evaluates the cyber risks that could affect the business and deals with data protection.
If you have any questions regarding this update, please contact:
We have developed tool kits and methodologies to address cyber issues in different sectors and situations, ranging from due diligence for M&A and investors, through regulatory investigations to governance and board level advice.
Our work encompasses:
- Scoping cyber exposure under contract and applicable regulation.
- Board-level governance implications of cyber risk and planning.
- Legal risk audits and reports on cyber issues, including data protection for insurers and other businesses.
- Contract terms for IT, telecoms and cloud vendors.
- Organizing the creation and maintenance of a cyber contract risk register.
- Supporting General Counsel, using legal privilege where appropriate, to review and address cyber issues.
- Management of the legal aspects of system migration, cloud computing and data protection management.
Sidley Insurance and Financial Services Practice
Sidley is one of only a few internationally recognized law firms to have a substantial, multidisciplinary practice devoted to the insurance and financial services industry. We have approximately 85 lawyers devoted exclusively to providing both transactional and dispute resolution services to the industry, throughout the world. Our Insurance and Financial Services Group has an intimate knowledge of and appreciation for the industry and its unique issues and challenges. Regular clients include many of the largest insurance and reinsurance companies, brokers, banks, investment banking firms and regulatory agencies, for which we provide regulatory, corporate, securities, mergers and acquisitions, securitization, derivatives, tax, reinsurance dispute, class action defense and other transactional and litigation services.
Sidley Privacy, Data Security & Information Law Practice
We offer clients an inter-disciplinary, international group of lawyers focusing on the complex national and international issues of data protection and cyber law. The group includes lawyers experienced in regulatory compliance, litigation, financial institutions, healthcare, EU regulation, IT licensing, marketing counsel, intellectual property and criminal issues. Sidley provides services in the following areas:
- Privacy and Consumer Protection Litigation, Enforcement and Regulatory Compliance
- Data Breach, Incident Response and Cybersecurity Advice, Response and Litigation
- Global Data Protection, International Data Transfer Solutions and Cross-Border Issues
- Corporate Data Protection, Compliance Programs and Information Governance Assessments
- FTC and State Attorney General Investigations of Unfair or Deceptive Acts and Practices
- Cloud Computing, Social Media, Online Advertising, Internet of Things, E-Commerce and Internet Issues
- EU, China, Japan, Singapore, Hong Kong and other International Data Protection and Compliance Counseling
- Gramm-Leach-Bliley and Financial Privacy
- HIPAA and Healthcare Privacy
- Communications Law and Data Protection
- Workplace Privacy and Employee Monitoring
- Website Policies, Online Trademarks and Domain Name Protection
- Records Retention, Electronic Discovery and Defensible Deletion
- Governmental Access and National Security
Sidley Austin provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship.
Attorney Advertising - For purposes of compliance with New York State Bar rules, our headquarters are Sidley Austin LLP, 787 Seventh Avenue, New York, NY 10019, 212.839.5300; One South Dearborn, Chicago, IL 60603, 312.853.7000; and 1501 K Street, N.W., Washington, D.C. 20005, 202.736.8000.