CyberScotland Week: Cyber security risk assessments

As CyberScotland Week kicks off, the regulatory risk and compliance team examine the legal requirements for organisations to undertake cyber security risk assessments, the consequences of failing to do so, and how organisations can ensure that they carry out assessments effectively.

26 February 2024


Cyber security is an ever-evolving area of concern. Organisations must maintain robust defences against potential cyber-attacks that could aim to disrupt projects, commit financial crimes, or steal sensitive data. 

To ensure that they are taking all required steps to guard against breaches of their networks and systems, organisations must carry out cyber security risk assessments. That is especially true where obligations are imposed by data protection legislation or where an organisation operates in a high-risk sector.

This article looks at the legal requirements to carry out cyber security risk assessments, the potential consequences for failing to do so, and the steps that organisations can take to ensure that they are carrying out effective cyber security risk assessments.

Cyber security risk assessment

Cyber security risk assessment should be an ongoing process. Risk profiles can change based on internal factors, such as process changes within an organisation, or external issues like the increasingly sophisticated methods used by hackers to infiltrate networks and systems. 

Most organisations will carry out cyber security risk assessments in order to evaluate any threats to IT systems and data, and to avoid data breaches and the potential financial and reputational fallout that cyber-attacks can cause. 

However, it is important to understand that there are also a number of UK laws that require or imply an obligation to undertake cyber security risk assessments. 

Network and Information System Regulations 2018

Organisations considered to be Operators of Essential Services or Relevant Digital Service Providers under the Network and Information System Regulations 2018 (NIS Regulations) each have duties, under Regulations 10 and 12 respectively, to take appropriate and proportionate technical and organisational measures to manage their exposure to cyber security risks. 

These operators and service providers work in sensitive areas where a data breach could result in damage to key infrastructure or even loss of life. They must periodically refresh their cyber security risk assessment to understand the risks and put reasonable mitigation measures in place.

UK GDPR

The EU’s General Data Protection Regulation was retained and amended by the UK following Brexit to create the UK General Data Protection Regulation (UK GDPR). This legislation now applies to organisations handling relevant data in the UK. 

The data protection principles within UK GDPR provide that “personal data must be processed in a manner that ensures appropriate security”. Firms or organisations controlling and processing personal data must take a risk-based approach to the security of the data that they hold by assessing the balance of their cyber security risk. 

They must weigh up the following factors in order to ensure compliance:

  1. what the most up-to-date cyber security tools are and the costs of implementing these;
  2. the nature, scope, context, and purpose of the data that is being processed; and
  3. the risk of damage and the severity of that damage to any data subject’s rights and freedoms as a result of a cyber security breach.

UK GDPR imposes a key requirement to undertake a data protection impact assessment (DPIA) where data processing could result in a high risk to the rights and freedoms of individuals. The Information Commissioner’s Office (ICO) recommends that DPIAs be carried out in the interests of good practice and not just when required by law.

Consequences of a failure to assess cyber security risks

Failing to properly assess cyber security risks could lead to a breach of the security measures in place. 

Where it is found that a breach has occurred as a result of a failure to act in accordance with the law, regulators can investigate and consequently take enforcement action.

Penalties under UK GDPR, depending on the specific breach, can be up to £17.5 million or up to 4% of the total worldwide annual turnover of a firm, whichever is higher. British Airways was fined £20 million by the ICO in 2020 for failing to implement adequate cyber security measures. Its failings led to the personal financial data of more than 400,000 customers falling into the hands of hackers.

Fines issued under the NIS Regulations can be between £1 million and £17 million, with the costs of any preceding investigation also recoverable from the organisation in breach of their obligations.

Effective cyber security risk assessments

There are a number of steps that should be followed by organisations to ensure that they are carrying out effective cyber security risk assessments. Before assessing the risks, any organisation should be asking itself – what is the purpose of the risk assessment? 

The risk assessment should prioritise improvements to existing processes and allow for informed decision making around how best to deploy resources to mitigate security risks. The process should then loosely follow the steps below.

  1. At the outset of a cyber security risk assessment, as much relevant information as possible about the organisation’s information assets and data should be gathered. 
  2. The organisation must then review this information to define potential threats and scenarios, and identify security vulnerabilities. 
  3. The issues found should be assessed as to the likelihood and severity of the threat, and reported.
  4. It is then important to ensure that there is an understanding of the risks identified and to implement solutions to the appropriate security control standards.
  5. Cyber security risk is not “set and forget”. Risk assessments should be subject to continual monitoring and review.

Conclusion

When it comes to preserving the integrity of an organisation’s information and data, there is no one-size-fits-all approach, and the costs of getting it wrong can be considerable.

If you need assistance in this area, please contact our regulatory risk and compliance team. They can assist by advising on the best steps to take to ensure that your organisation remains compliant with the law and carries out robust cyber security risk assessments.