Recent high-profile cyber incidents demonstrate how attacks on businesses can seriously disrupt operations and damage profitability and reputation. The government has recently written to all FTSE companies as well as a number of other leading UK firms with a call to action and advice to help ensure such businesses are best protected against the increasing level of cyber threats.
The note below sets out four steps suggested by the government to protect businesses, which apply equally to all UK organisations irrespective of size or sector and can help in reducing vulnerabilities and preventing the potentially catastrophic consequences of a cyber attack.
- Making cyber risk a senior-level priority using the Cyber Governance Code of Practice
Effective governance of cyber risk is fundamental to business resilience. It is recommended that all directors prioritise this and ensure that such risks are considered in strategic decision-making. The Cyber Governance Code of Practice sets out critical actions directors should take to govern cyber risk effectively. Whilst it is acknowledged that not all cyber attacks can be prevented, it is good practice to consider how your business would respond to a major incident, including how to continue operations and rebuild following a destructive cyber attack.
- Sign up to the NCSC’s Early Warning service
Early Warning is a free and simple service from the government’s National Cyber Security Centre (NCSC) which informs organisations of potential cyber attacks on their networks, giving them invaluable time to detect and stop a cyber incident before it escalates. It is recommended that businesses and their suppliers register for this service.
- Require Cyber Essentials Certification in your supply chain
Supply chain cyber attacks are increasing, but it is estimated that only around 14% of UK businesses assess the cyber risks posed by their immediate suppliers. Cyber Essentials is a government-backed scheme which certifies that an organisation has a minimum level of cyber protection in place to prevent common cyber attacks. It is predicted that organisations with Cyber Essentials certification are 92% less likely to make a claim on their cyber insurance, and so embedding these requirements within internal systems and also across the supply chain could have significant benefit in managing cyber risk.
- Cyber Assessment Framework
The forthcoming Cyber Security and Resilience Bill will increase protections for essential and digital services. Whether or not your business is in scope, the NCSC’s Cyber Assessment Framework (CAF) can be used to improve cyber resilience for the most critical services.
From a legal perspective it is important to consider your contractual responsibilities and requirements within the supply chain. While specific obligations regarding contracts may be imposed or implied under applicable data protection legislation, businesses may also seek to address wider cybersecurity concerns in their supply arrangements by introducing an additional set of "cybersecurity" clauses to ensure that their suppliers protect the organisation’s data and systems in a manner which meets or exceeds its own practices, adhere to its policies and procedures, and comply with applicable laws, regulations and industry standards.
For further information and advice on how to manage such risks please do get in touch.
