Demanding accountability: The need for cyber liability

John Smith, Principal Solution Architect at Veracode

GCHQ director Robert Hannigan pulled no punches last month when he stated that the free market is failing cybersecurity. With 90% of large organisations and 74% of small businesses reporting that they suffered a breach in 2015, and high-profile breaches constantly splashed across the headlines, his concern is well placed; as he argued, cybersecurity standards are “not yet as high as they need to be”.

Key drivers for change in any market are regulation and incentivisation, whether by legal liability or insurance cover. But in the cybersecurity market these agents of change remain immature and we’re seeing unnecessary, grave breaches as a result.

Just recently both Talk Talk and VTech were breached through a common application vulnerability. SQL injection, as it is known, has featured on the industry-standard OWASP Top 10 – a ranking of critical web application vulnerabilities that should be remediated as a matter of priority – for more than a decade. Avoidable cases such as these raise important questions about who is accountable for a breach.
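To make concrete what "a common application vulnerability" means in practice, the following is an added illustration written for this page, not code from Veracode or from either of the companies named above. It uses an in-memory SQLite table with constructed sample rows (the names, passwords and e-mail addresses are invented) and shows the same login and lookup logic written twice: once with user input spliced into the SQL text, and once with parameterised queries, which is the standard fix. The injection payloads are the textbook quote-and-comment and UNION forms; nothing here reflects how any real breach was carried out.

```python
import sqlite3

# Constructed sample data for the demonstration (not real customer records).
# Plaintext passwords are a second, separate mistake; they are kept here only
# so the UNION example has something sensitive to pull out.
SAMPLE_ROWS = [
    ("alice", "s3cret", "alice@example.com"),
    ("bob", "hunter2", "bob@example.com"),
]


def make_db():
    """Build a throwaway in-memory database with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def login_vulnerable(conn, username, password):
    """Classic mistake: attacker-controlled strings become part of the SQL text."""
    sql = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterised query: values travel separately from the SQL text, so a
    quote or comment marker in the input can never change the query's shape."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def lookup_email_vulnerable(conn, username):
    """A 'harmless' lookup built by concatenation. A UNION payload turns it
    into a bulk export of any column the database user can read."""
    sql = "SELECT email FROM users WHERE username = '%s'" % username
    return [r[0] for r in conn.execute(sql).fetchall()]


def lookup_email_safe(conn, username):
    """Same lookup with a bound parameter; the payload is just a username
    that matches nothing."""
    rows = conn.execute(
        "SELECT email FROM users WHERE username = ?", (username,)
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    # Quote-and-comment payload: the closing quote ends the username literal
    # and '--' comments out the password check entirely.
    bypass = "alice' --"
    print("vulnerable login:", login_vulnerable(db, bypass, "wrong"))  # alice
    print("safe login:      ", login_safe(db, bypass, "wrong"))        # None
    # UNION payload: appends a second SELECT that reads the password column.
    dump = "x' UNION SELECT password FROM users --"
    print("vulnerable lookup:", lookup_email_vulnerable(db, dump))
    print("safe lookup:      ", lookup_email_safe(db, dump))           # []
```

The fix is not escaping or filtering the input; it is keeping data out of the query text altogether, which every mainstream database driver supports. Static or dynamic application testing that flags string-built SQL is what catches the vulnerable pattern before it reaches production.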

While it is evident that companies that suffer breaches do face negative consequences (the CEBR and Veracode report on the business and economic consequences of inadequate cybersecurity outlined how the share prices of listed companies decline following an attack), it is still the consumers and clients who are left to deal with fraudulent payments and with changing their details. Since the Talk Talk breach, cases have already been reported of social engineering attacks in which scammers armed with consumers’ personal details were able to trick them into handing over their banking details.

Just as fatal injuries to employees have fallen by 86% since the introduction of health and safety legislation, due in part to organisations fearing liability for such an event, so legal accountability for appropriate levels of corporate cybersecurity could be key to reducing the number of breaches.

Clarity is key

While one might expect the business community to be resistant to the introduction of more legislation that might land them in hot water or with hefty fines and compensation payments, recent research that Veracode carried out with the New York Stock Exchange indicated otherwise. In fact, nine out of 10 board directors who responded to the survey believe that regulators should hold businesses liable if they don’t make reasonable efforts to secure data. This may sound counter-intuitive, but it actually demonstrates how businesses are crying out for benchmarks and greater clarity regarding what a sufficient and responsible level of cybersecurity is.

The case of Wyndham Hotels in the US demonstrated why clarification is sorely needed regarding this benchmark. Earlier this year the Federal Trade Commission (FTC) successfully sued Wyndham Hotels for having “unreasonably and unnecessarily exposed consumers’ personal data to unauthorised access and theft”, following three breaches in just two years.

With the appeals court ruling affirming the FTC’s authority to require companies to store customer data securely and to punish them if they fail to do so, American companies are left with little information other than that they may be held liable following a breach. This trend looks to be extending globally: the British government launched an inquiry into the Talk Talk breach, and the Hong Kong Privacy Commissioner is initiating a compliance check to see whether the company had sufficiently adhered to data privacy principles.

Insurance steering the trend

While legislation in this space may be a while off, cyber insurance will be a key driver in helping set the standards for responsible levels of cybersecurity. Many companies already hold cybersecurity insurance, and this market is set to triple to about $7.5 billion in the next five years. Companies paying into these policies will want assurance that their cybersecurity processes meet the required level for a claim to be paid out after a breach.

While the majority of companies buy cyber insurance to mitigate financial losses arising from liability claims, it will ultimately play a far greater role in changing the business community’s approach to cybersecurity. Just as the evolution of fire insurance drove the creation and enforcement of minimum standards for how buildings are constructed and protected, cyber liability insurance will begin to create a new baseline for cybersecurity best practice.

Cyber insurance policies and government regulations will never provide a fix-all solution to cybercrime. No network is impenetrable, and regulations certainly don’t prevent cyberattacks; nor is insurance likely to cover the full financial impact of a breach, such as brand damage and loss of shareholder value.

However, without a clear outline of what a reasonable level of cybersecurity is, we will continue to see organisations failing to address the basics and consequently suffering avoidable hacks. With the ongoing proliferation of cyberattacks, we can no longer assume that organisations are doing enough to protect the privacy of customer data.

When teenagers are able to access millions of customers’ details using off-the-shelf cybercrime tools, it is clear that due diligence has not been done. It is time for organisations to be held to account for preventable cyberattacks, in order to incentivise all industries to ensure their cybersecurity is up to scratch.