Should cyber security standards be imposed by regulation or left to discretion?
January 29, 2014 at 06:28 AM
With sensitive information increasingly vulnerable, companies should start to ramp up their cyber security
Late last year London's largest financial institutions stress-tested their cyber security resilience with a series of 'war games' co-ordinated by financial regulators and Government officials. Bank staff had to respond to several simulated cyber incident scenarios, which included challenges such as the availability of cash from ATMs and coping with a liquidity freeze in the wholesale market.
Dubbed 'Operation Waking Shark II', the simulation – one of the largest ever conducted – emphasises the potential severity of cyber attacks affecting the financial markets. Along with a similar exercise carried out in New York – and plans for 200 US banks to participate in what amounts to a competition over which is best prepared to handle an attack – it signifies a growing awareness of cyber risk among Government, regulators and corporations.
Evolving risk
In recent years the world's largest companies have been targeted by increasingly sophisticated hackers. Hacking is now widespread, with the attackers ranging from the intellectually curious to the politically motivated and more advanced organs of various nation states. The targets range from safety-critical processing systems in the energy sector to price-sensitive deal data in any sector.
Of course law firms are particularly attractive targets, because of the confidential and sensitive information they hold. With business now routinely carried out in the cloud and via mobile devices, all commercial organisations are increasingly finding themselves on the cyber frontline.
Despite the ever-evolving threats, when we looked at the impact of cyber incidents over the past three years on share prices globally, we discovered that the market is relatively forgiving of companies targeted by hackers. Our research revealed that, in nine out of 10 cases, cyber attacks had a relatively minor impact on share prices. After one week, businesses hit by a cyber attack saw an average dip in share price values of just 0.26%. The majority of companies saw shares restored to pre-crisis levels after four weeks.
Last year Bloomberg uncovered similar findings when it analysed US company filings with the Securities and Exchange Commission. The 27 largest US corporations reporting cyber attacks stated that they suffered no major financial losses, which exposes a disconnect with federal officials who emphasise the theft of billions of dollars in corporate secrets.
In the UK PwC research revealed that more than half of the finance directors at the country's top companies say they do not have enough information to stave off cyber attacks effectively. Furthermore, according to a recent survey undertaken by the Department for Business, Innovation and Skills (BIS), few of the UK's largest listed businesses regularly consider the threat posed by a cyber attack.
These findings suggest either that national governments are overstating the damage from cyber attacks, or that companies and investors are understating their impact.
Corporate complacency?
For many, cyber security is just another aspect of data protection, privacy and information management. Online data breaches are certainly nothing new – they have been around since the creation of the first networks. It may be that the recurring tales of misplaced laptops, briefcases left on trains and lost personal and confidential data, which rarely make headlines for more than a day or two, have led investors to take information breaches in their stride.
It is not surprising that the financial sector, as a prime target for hackers, takes cyber security seriously. But while banks are tuning in, some corporations are still struggling to understand how these risks apply to their own businesses, what their vulnerabilities are and what their economic exposure really is. Companies may be tempted to overlook cyber security until they fall prey to an attack. And there is also the risk that cyber security is seen as simply an IT problem rather than a board-level issue to be managed proactively. As the recent BIS survey highlighted, many FTSE 350 companies do not actively manage cyber risk at board level.
The legislation
Meanwhile, cyber security remains a voluntary exercise for most companies in the US and Europe. The UK Government has indicated that it is not keen to legislate for cyber security – instead preferring to work directly with industry and professional services firms to raise awareness and share best practice.
However, the regulatory environment is showing signs of toughening. The EU is moving to force companies in certain sectors to report all cyber breaches and take specific risk management measures to protect systems and data. The US is also ramping up its focus as American businesses and Government institutions experience more attacks. As cyber security moves up the political agenda, corporates across all sectors may in turn start to take the threat more seriously.
Despite investors treating cyber attacks with relative sympathy and the somewhat patchy legislative framework, high standards on cyber security across all sectors of UK business are vital if we are to remain competitive. Indeed, there are strong arguments that the risk here is serious enough that basic requirements and standards should be imposed by regulation and not left to an organisation's discretion.
Cyber attacks are a very serious threat to businesses as they can go right to the heart of a company's value. In many sectors – from high technology to pharma and automotive – information is part of an organisation's DNA.
Effective cyber security requires dedicating resources and board-level preparation, including planning responses to a cyber incident. Companies should seize the opportunity now to assess their vulnerabilities and to establish what their most valuable information is and where it is held. Through that assessment, they can then prioritise money and resources to mitigate the risk of being affected disproportionately by a cyber attack.
Clearly, many organisations are yet to wake up to cyber risk and there is far more they need to do to protect themselves. Ultimately, cyber security will continue to evolve, so the faster the business community acknowledges the threat the safer it will be.
Jane Jenkins and Chris Forsyth are partners and Anupreet Amole is an associate at Freshfields Bruckhaus Deringer.