The security breach at TalkTalk last October, which saw data on a reported 157,000 customers lost to cyber criminals, formed the basis of discussions by the Culture, Media and Sport accounts committee aimed at generating ideas to prevent future incidents.
Although companies can already be fined by the Information Commissioner's Office (ICO) for data breaches, the MPs and peers on the committee have suggested bigger fines and greater accountability.
The biggest cost of a serious hack or data breach in today’s digitalised business environment is, of course, likely to be borne by the company itself. TalkTalk’s losses from the October 2015 data breach are estimated at £60 million and 95,000 lost customers, plus long-lasting damage to the company’s reputation. This should not, however, detract from the fact that companies have a legal obligation to protect customer data, and the recent discussions among MPs have focused on ways in which that message can be reinforced across the business community.
Other suggestions from the MPs have included generally increased powers for the ICO in these matters, some means of compelling companies to report problems as soon as possible, and setting aside money to fund educational programmes that encourage better security practice among users.
Firms could also set up their own ‘kitty’-style fund so that they are able to pay compensation.
The committee of MPs also suggested that agencies such as the Citizens Advice Bureau, the ICO and police victim support units could advise consumers seeking compensation through the small claims process. The committee was also keen to force CEOs to take proactive and preventative cyber security more seriously, recommending that a portion of CEO compensation, e.g. bonuses and salary incentives, could be held back if they fail to act before a cyber security crisis occurs.
The idea of holding back CEO compensation is likely to have been fuelled by the news that TalkTalk chief Dido Harding was reported to have still been paid £2.8 million by the budget telco in the past year, even though the breach happened on her watch in that period. Dido Harding has, however, reportedly offered to donate her £220,000 annual bonus to charity.
What Does This Mean For Your Business?
The Culture, Media and Sport committee chair Jesse Norman has described cyber attacks as “a constant, evolving threat”. The fact that the government recognises this, and is now looking for ways to effectively force company bosses to take more responsibility for cyber security and to impose stiff penalties on those bosses and companies that don’t act, is a warning shot across the bows for business.
If businesses have not done so already, now is the time to prioritise the issue and make sure that, at the very least, basic cyber security steps are taken - see https://www.cyberstreetwise.com/cyberessentials/
It may therefore also be a good time for businesses to seek professional advice about measures that could be taken to ensure cyber resilience, such as cyber security training for staff, health checks, risk assessments and audits, cyber security policies, and Business Continuity and Disaster Recovery Plans.