In its Cyber Crime Assessment 2016, the UK’s National Crime Agency (the “NCA”) says that a cyber attack which threatens the existence of one or more major UK businesses is a “realistic possibility”. Interestingly, the report says that the most advanced and serious cyber crime threat is the direct or indirect result of activity by only a few hundred international cyber criminals, typically operating in organised groups. According to the NCA, these criminals generally have relatively low technical capability, but their attacks are increasingly enabled by the growing online criminal marketplace, which gives them easy access to the right tools and capabilities.
Whilst the NCA acknowledges that law enforcement has its part to play in reducing the threat of cyber crime, the report highlights the importance of businesses protecting themselves. Indeed, it is the view of the NCA that “directors of businesses should challenge their business management teams to go beyond compliance with minimum cyber security standards to ensure that rapidly evolving cyber security and resilience challenges are addressed”. The report finds that it is not enough for the Board merely to treat cyber crime as an IT issue and to obtain assurances that the right systems protections are in place. There are some more fundamental issues for the Board to consider.
Key questions that we recommend the Board asks of itself and of the business are:
- Is cyber crime risk on our risk management agenda?
- Is the Board aware of where the threats are for our business and how these are being mitigated?
- Is there an incident response plan which would guide us if data is compromised and staff and customers are put at risk?
- Has the risk of a cyber crime incident been factored into our business continuity plan and have these elements of the plan been tested?
- What do we know about the cyber crime controls in place at our suppliers and service providers which might affect the integrity of the data they hold about us?
- Have we informed our customers how they should protect themselves and do we have relevant checks and balances in place around customer instructions?
- How likely is it that we will receive the proceeds of crime generated by those involved in cyber crime, and has this been factored into our risk assessment strategies?
- If a cyber crime related incident occurred, how likely would it be that we would share that information with law enforcement to assist in their understanding of the risks being faced?
The NCA report contains several links to further resources for Boards, and the full report is published by the NCA.
DQ’s Regulatory & Compliance services team routinely advise clients on risk assessment and management frameworks and would be happy to discuss with you how cyber crime risk should be factored into your current risk management techniques. Please contact Sinead O’Connor or Adam Killip.