The Importance Of Cyber Security Awareness And Investment In The Legal Sector

WTW


The article discusses the persistent cyber threats to law firms and the findings of the DSIT report. Despite increased investment, 32% of businesses experienced breaches, with phishing and ransomware attacks rising sharply. The ICO emphasizes proactive measures and legal compliance.

The Professional Indemnity Insurance for Law Firms team continues its discussion of cyber threats to law firms and the knock-on implications they can create.

In our recent article, 'Cyber security breaches: examining cyber security risks in a turbulent landscape', we provided a breakdown of the Department for Science, Innovation and Technology (DSIT) annual report and its findings on cyber attacks.

This article follows on from that first publication and aims to turn the DSIT Report's findings into tangible suggestions and food for thought for your organisation.


What we understand from the DSIT Report is that senior management continues to take cyber security risk seriously and that it remains a boardroom agenda item [1]. Three-quarters (74%) of UK businesses surveyed said that cyber security was a high priority for their senior management, and investment in cyber security over the last 12 months either increased or stayed the same.

There is evidence that senior management is making an effort to prioritise cyber security risks and prevent future incidents in their organisations. However, the recurring reasons given for a lack of senior management engagement were a limited understanding of, or interest in, cyber security, and the tendency for the topic to be taken off the agenda to make way for day-to-day business operations. Interestingly, some organisations considered that they were not at particularly high risk of falling victim to a cyber attack.

Costs involved in managing cyber security risks

In the last twelve months, the estimated average total cost to organisations of their single most disruptive breach was as follows [2]:

  • £1,205 for all businesses regardless of size
  • £780 for small/micro businesses
  • £10,830 for medium to large businesses


Less than 50% of businesses surveyed purchase cyber insurance, although the figure has increased to 43% from 37% the previous year. A higher proportion of medium-sized businesses (62%) than large businesses (54%) held cyber insurance. It would be interesting to understand the reasons behind this. Is it a lack of understanding of what cyber insurance covers, or is it seen as a luxury item in a challenging economic climate?

Frequency of cyber security breaches

The DSIT Report identified that 32% of businesses surveyed experienced a cyber security breach or attack within the previous 12 months [3]. Of those, four in ten reported incidents occurring monthly or more often, and a fifth reported breaches or attacks at least weekly. Frequent breaches were more common among larger organisations: 61% of large businesses and 60% of medium-sized businesses that experienced breaches reported them monthly or more often.

There has been a decline in the frequency of cyber security incidents since 2022. Could it be argued that the reduction is a consequence of businesses implementing robust cyber security measures to prevent breaches, greater awareness, and improved resilience to cyber incidents? Caution is needed, however: given the increasing sophistication of cyber attacks, some breaches are going undetected, so a fall in reported incidents does not necessarily mean a fall in actual incidents.

The reporting of legal sector cyber security incidents

The findings in the DSIT Report are reflected in the data security incidents that organisations report to the Information Commissioner's Office (ICO) after they have suffered an incident. The latest data breach statistics for the legal sector published by the ICO, covering 1 January 2024 to 15 April 2024 [4], show that the legal sector reported 247 data security incidents, an increase from 197 the previous quarter [5].

The ICO categorises the data breaches into 'non cyber security incidents' and 'cyber security incidents'.

  • Non cyber security incidents: occur as a result of human error and include data being emailed, posted or faxed to the wrong recipient, failure to redact, and the loss or theft of paperwork or data left in an insecure location. The most common causes of non cyber security incidents reported by the legal sector to the ICO between 1 January 2024 and 15 April 2024 were data being emailed or posted to the incorrect recipient, which accounted for half of all reported non cyber breaches. Breaches of this nature arise from human error, often where individuals are working under extreme pressure from clients, tight timescales or internal demands, and frequently come down to a lack of attention to detail.
  • Cyber security incidents: occur as a result of a cyber attack and include ransomware, phishing, malware attacks and unauthorised access.

The number of cyber security incidents reported to the ICO for the same period showed a sharp increase from the previous reporting quarter, with almost 50% of those incidents resulting from phishing attacks; the largest increase was in ransomware attacks, which rose by 400%.

The DSIT Report suggests that reporting breaches externally remains uncommon, with only 34% of businesses doing so. When breaches are reported, banks, building societies and credit card companies are the first to be notified, followed by the police and the business's website and network service providers.

Notifiable breaches must be reported to the ICO without undue delay and no later than 72 hours after the organisation becomes aware of them. Not all breaches need to be reported to the ICO, however; each case must be assessed on its own merits, taking into account the potential level of risk or negative consequences for the individual data subjects and the sensitivity of the data involved. This includes any risk to an individual's rights and freedoms that may result in emotional or physical distress, other emotional or social disadvantage, reputational damage or financial loss.

The ICO's best practice advice is that if an organisation is unsure whether the impact of an incident is significant, it is safer to report the breach, as the ICO can impose financial penalties on organisations that violate data protection laws.

The ICO has issued new data protection fining guidance setting out how the Commissioner decides whether to issue penalties and how fines for data protection infringements are calculated [6]. The Commissioner will assess the seriousness of the infringement, taking into account:

  • the nature, gravity and duration
  • whether it was intentional or negligent
  • the categories of personal data affected by the infringement
  • any action taken by the controller or processor to mitigate any damage suffered by data subjects
  • the degree of responsibility of the controller or processor and whether there are any relevant previous infringements by that controller or processor
  • adherence to approved codes of conduct or certification mechanisms
  • the degree of cooperation with the ICO, in order to remedy and mitigate any adverse effects of the infringement
  • how the ICO was notified about the infringement
  • any other aggravating or mitigating factors

In determining whether it is appropriate to issue a penalty notice, the Commissioner will consider the seriousness of the infringement or infringements, any relevant aggravating or mitigating factors, and whether imposing a fine would be:

  • effective
  • proportionate; and
  • dissuasive

The level of fine the Commissioner can impose for a data protection infringement is subject to a statutory maximum, which depends on the statutory provision that has been breached. There are two levels of maximum fine:

  • the 'standard maximum amount': £8.7 million or, in the case of an undertaking, the higher of £8.7 million or 2% of the undertaking's total worldwide annual turnover in the preceding financial year; or
  • the 'higher maximum amount': £17.5 million or, in the case of an undertaking, the higher of £17.5 million or 4% of the undertaking's total worldwide annual turnover in the preceding financial year.

The applicable statutory maximum amount is calculated by reference to a percentage of turnover where an undertaking's total worldwide annual turnover exceeds:

  • £435 million in relation to the standard maximum amount (the 2% percentage figure applies); or
  • £437.5 million in relation to the higher maximum amount (the 4% percentage figure applies).

The Commissioner will determine the severity of the infringement and categorise it by degree of seriousness, with the starting point for the fine expressed as a percentage of the applicable statutory maximum:

  • High degree of seriousness: the starting point will be between 20% and 100%
  • Medium degree of seriousness: the starting point will be between 10% and 20%
  • Low degree of seriousness: the starting point will be between 0% and 10%

Emerging technologies

Artificial intelligence (AI) features heavily in our daily lives, and organisations should be assessing the risks and opportunities that such technological advances pose. It is crucial that cyber security underpins the use of AI. The DSIT Report does not cover emerging technologies, but AI is expected to feature in future studies, particularly as DSIT has issued a call for evidence seeking views on new measures for software vendors and on AI cyber security risks [7]. The call for evidence may result in two new codes of practice forming part of a new global standard, and is part of the UK Government's £2.6 billion National Cyber Strategy, which aims to protect and promote the UK's interests in cyberspace and to ensure that AI is used safely, ethically and sustainably.


The ICO has recently published a report setting out its strategic approach to AI regulation (the ICO Report) [8]. The ICO Report notes that criminals are taking advantage of new technologies, using generative AI to create phishing campaigns faster, more effectively and with a wider reach, eliminating the typographical errors and poorly drafted requests that we have learned to recognise and making it increasingly difficult to distinguish genuine emails from those sent by malicious threat actors. There is also a concern that AI is being used to create deepfake video calls and cloned voices, taking CEO fraud emails to the next level.

The ICO Report also recognises the benefits AI can bring to cyber security risk management. The ICO's advice is that organisations should assess the risks and opportunities that emerging technologies create, ensuring that proportionate, layered controls are implemented to minimise exposure to those risks.

Summary

What is clear from the DSIT Report and the ICO Report is that cyber security breaches continue to threaten organisations, and that as we increasingly rely on and adopt new technologies, breaches will persist. Organisations should understand the volume and types of data they hold in order to decide how to remedy or mitigate potential threats, and should be proactive in minimising their exposure to a cyber security incident. Such risks cannot be eliminated, but they can be managed effectively.

Footnotes

1. Department for Science, Innovation & Technology (2024). Cyber Security Breaches Survey 2024.

2. Department for Science, Innovation & Technology (2024). Cyber Security Breaches Survey 2024.

3. Department for Science, Innovation & Technology (2024). Cyber Security Breaches Survey 2024.

4. Information Commissioner's Office (n.d.). Action we've taken: Data Security Trends.

5. Information Commissioner's Office (n.d.). Action we've taken: Data Security Trends.

6. Information Commissioner's Office (2024). Data Protection Fining Guidance.

7. Department for Science, Innovation & Technology (2024). Developers given new tools to boost cyber security in AI models as cyber security sector sees record growth.

8. Information Commissioner's Office (2024). Regulating AI: The ICO's strategic approach, April 2024.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
