The incoming General Data Protection Regulation (GDPR) has driven media headlines for months. With just over 12 months to go until businesses are required to comply, it's now a top-priority agenda item in many boardroom discussions. And it would seem as though the regulation is coming at the right time, following a spate of high-profile breaches – just recently the National Crime Agency (NCA) urged UK businesses to be more aware of the value of their data, how that data is likely to be attacked, and how to defend against specific threats.
With the prospect of hefty fines and mandatory breach notifications looming, the GDPR will no doubt achieve its goal of prompting many businesses to better protect customer data by upgrading their cyber-security practices. However, there may also be some unintended consequences. As businesses increase their security, hackers will adapt quickly and it's likely that we'll see other, more sophisticated forms of cyber-crime develop as a result.
The rise of targeted extortion
Ransomware was the cyber-crime buzzword of 2016; the malicious software is designed to block access to a computer system until, typically, a sum of money is paid by the victim. This type of cyber-threat accounted for just under a fifth of CFC's claims last year (16 percent).
However, we are now seeing a rise in targeted extortion. An evolution of ransomware, this more personalised form of crime targets a smaller number of high-level execs with a higher ransom demand, rather than more businesses for a smaller sum. With this type of targeting, criminals are fishing with a rod, rather than with a net.
Once GDPR is introduced, businesses will face higher fines if they experience a breach, and importantly, will have to notify customers. They will have just 72 hours to assess the potential damage before going public. Arguably, this “legislates the ethics” of what businesses, as good corporate citizens, should be doing today.
However, the current lack of guidance on what exactly must be reported to customers, and how, could also result in a rise in targeted extortion as businesses elect to pay off criminals to avoid punitive fines and reputational harm. In turn, criminals would likely leverage this fear with inflated ransom demands.
There is also the potential risk of “over notification”. We saw the impact of this with the 2016 TalkTalk breach. Despite the partial disclosure of payment details, no financial loss was incurred by customers. However, many were left dissatisfied with how communications were handled, and there was an associated rise in phishing scams, as fraudsters posed as TalkTalk to take advantage of concerned customers keen to reset passwords and protect sensitive information. It is possible that notifications required by GDPR – if not correctly handled – could prompt a similar wave of phishing.
The importance of a cyber strategy
Businesses should avoid backing themselves into a position where they must choose between a hefty fine and reputational damage on one side, and paying an extortion demand on the other. Advice on how to react to such an incident is vital at this point, even more so for SMEs, which have smaller teams and limited resources. Ninety percent of our claims by volume in 2016 were from businesses with less than £50 million in revenue, showing that small businesses are by no means immune to cyber-threats.
As the economics and business models change, the nature of cyber-crime will continue to evolve. As well as implementing strong cyber-security systems and software, having cyber-insurance in place can help to cover the immediate financial fallout and the costs associated with bringing in specialist providers to help manage the incident. Hiring forensic investigators, a PR team, IT specialists and legal experts can be a costly affair. Cyber-insurance exists not only to pay for some of these necessary costs but, most importantly, to help businesses handle and resolve incidents quickly and effectively to minimise their impact.
However, adoption rates in the UK remain low compared to the US – less than 10 percent of UK businesses purchase a standalone cyber-policy, compared to more than a quarter of businesses in the US. With the cost of fines set to increase, and the obligation to notify soon to become a reality, UK businesses need to think seriously about their cyber-defence strategy – particularly if GDPR could signal an unintended wave of cyber-threats.
Contributed by Graeme Newman, chief innovation officer, CFC Underwriting
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.