Not only are organisations inadequately protecting themselves against cyber breaches, but their insurance programmes are failing to cover them properly too, according to DLA Philips Fox partner John Hannan.
The Auckland lawyer, who is experienced in the employment, litigation and IP, information technology and telecommunications arenas, says organisations outside of the IT sector are still failing to fully understand their cyber risk exposure, which could have potentially catastrophic results.
“Cyber risk is well understood by most major and IT-specialist businesses and organisations in New Zealand, but many organisations outside those categories accept whatever off-the-shelf solution is offered by their IT supplier and don’t think through their exposures should things go wrong,” he said.
”If things do go wrong, you don’t just face the costs of the immediate IT response to close loopholes, recover data and the like. Organisations may also face claims from clients or others whose data they hold and who suffer economic loss or privacy breaches as a result of a cyber-attack against an inadequately protected system.”
As well as fraud, other losses could include claims for costs due to loss of service, costs to rebuild data, and damages claims for breach of privacy, Hannan said.
“The recent incidents relating to celebrity photographs hacked from cloud-based storage systems demonstrates the risk.”
Hannan’s remarks came on the back of a Network Security & Privacy (NSP) Symposium in Australia last week, organised by sister firm DLA Piper in partnership with Aon Australia.
According to US-based Kevin Kalinich, Aon’s global practice leader – cyber & network security risks, executives who consider NSP as just an IT or technical issue are taking ‘a mistaken view that’s long had its day’.
“Loss of corporate data, including intellectual property, commercially sensitive client data and proprietary information, or the event of such material landing in the hands of a competitor or extortionist can pose potentially catastrophic risks to entire businesses,” Kalinich said.
Henri Eliot, CEO of Kiwi corporate governance consultancy firm Board Dynamics, says many firms have suffered from cybercrime unknowingly through higher costs stemming from operational issues, brand erosion and lower quality products.
“Moreover,” he said, “we should consider the lost benefit from products that have never even made it to the market as a result of Intellectual Property theft. This is a growing trend.”
Indeed, Anton Blijlevens, partner at AJ Park, intellectual property service providers, recently blogged on this topic.
In his piece called ‘Keep what is yours, yours: protecting your IP from opportunists’
Blijlevens cited security industry body Mandiant’s findings where they estimated that last year 90% of firms penetrated by hackers had their trade secrets stolen digitally and weren’t even aware of the fact.
“Industrial espionage nowadays doesn’t take a ‘safe breaker’ to get hold of the next big thing that a competitor may be launching,” said Blijlevens.
Eliot says it is up to the Boards of Directors to up their role in ensuring senior management protects and maximizes the value of their digital assets both within and outside the company.
“They also need to position the organisation for the opportunities and disruptions that may arise through digital technology,” he said.
However, John Hannan says insurance cover is woefully lagging.
“Standard insurance programmes don’t provide adequate protection for non-physical damage and computer network risks, so there are cyber and data coverage gaps. Insurance is anyway only a partial solution – risk management is the key.”
The Australian symposium offered these top five tips to reduce the risk of cyber-attack or data breaches and mitigate potential liability:
- Understand your unique exposure (and what and where your "Crown Jewels" are)
- Understand your potential legal liabilities
- Make it a Board, Management and company-wide issue
- Have a trained response team and Board approved strategies in place before a data breach/cyber-attack
- Constantly review and update your risk management policies to ensure they are comprehensive and tailored for your organisation