Why talk about data breaches and cyber security

We come into contact with clients’ cyber and data protection issues every day and understand the profound effect they have on businesses, reputations and livelihoods.

We frequently advise clients about data breaches and cyber incidents, and know that cyber security is not ‘just an IT issue’; it’s a business critical issue. The media attention it has been getting in recent years has helped make senior management alive to the challenges and the risks, but there is still more to be done, by the Government, the cyber security tech sector, legal and other professional advisors, and ultimately by businesses themselves.

In preparing this report, a lack of awareness, particularly in the SME market, was a recurring theme. Our contributors referred to an overall lack of knowledge about data protection regulations and what organisations need to do to comply with them. There is also a reluctance to engage with data protection on an ongoing basis, make changes, keep policies up to date, or make reports when things go wrong.

For an SME, it is all too easy to dismiss cyber incidents and data breaches. Too often, these are seen as issues that only affect much larger entities or organisations that hold certain types of special category data. “It’s not going to affect us” is a very dangerous mindset. In this day and age, a data breach is a question of when, not if.

It is equally dangerous to equate cyber security with IT. The responsibility for data protection and cyber security compliance lies with everyone in the business; these days, data protection processes and cyber security protections need to be built into an organisation’s culture; everyone must play their part. People are just as, if not more, important than systems in the data protection and cyber security space.

The key takeaway? Cyber insurance and data protection are a multi-layered challenge with a multitude of common misconceptions. We hope that in sharing this report with you, we raise awareness, challenge perceptions, and start an urgent conversation about what you need to know and how you need to act to protect your business.

Chapter one - What happens, to whom, and why

A ‘data breach’ can cover all manner of ‘breaches’. Typically a cyber incident will involve malicious actors, but they need not be unknown parties.

We help explain what can happen to SMEs and why.


Chapter two - Better than cure: prevention of cyber incidents

Our contributors agree that, particularly in the case of SMEs, a proactive approach to cyber security is more often than not triggered by some form of data breach.

The challenges organisations face in the data protection and cyber security space can be boiled down to the technical and the human, and to who takes responsibility for the decisions across both.


Chapter three - Fail to plan, plan to fail

Cyber incident and data breach response

Everyone we interviewed said the exact same thing; as Jeremy Scott-Joynt of Outer Temple put it: “Dealing with a breach needs to have started weeks, months, or likely years before the breach occurs”.


Chapter four - Cyber insurance

The ‘silver bullet’ for cyber risk?

In insurance terms, cyber risk is still very much ‘an emerging risk’. Is it therefore a suitable protection against cyber risks?

Chapter one

Data breaches and cyber incidents: what happens, to whom, and why

Data breaches, cyber incidents… these words are deceptively neutral. They do not necessarily fully reflect the seriousness of the situation.

A ‘data breach’ can cover all manner of ‘breaches’. The Information Commissioner’s Office (ICO) defines a breach as a “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data”.

A ‘cyber incident’ is defined by the National Cyber Security Centre as “a breach of a system’s security policy in order to affect its integrity or availability and/or the unauthorised access or attempted access to a system or systems”. So cyber incidents can cover:

  1. attempts to gain unauthorised access to a system and/or to data;
  2. unauthorised use of systems for the processing or storing of data;
  3. changes to a system’s firmware, software or hardware without the system owner’s consent; and/or
  4. malicious disruption and/or denial of service.

Typically, a cyber incident will involve malicious actors, but they need not be unknown parties. It could arise from your own staff or a disgruntled ex-employee.

In the context of data protection, a ‘data breach’ is even wider. A cyber incident is likely to be a data breach if it involves personal data, but the term ‘data breach’ is much broader in scope. All of the following are examples of a ‘data breach’:

  • failing to provide data subjects with transparent information about the personal data the controller is collecting, how it will be processed and the lawful basis for processing it;
  • technology failures that mean that you cannot access personal data or personal data is made available to third parties who should not be able to access it;
  • sending personal data to a third party in error (most likely sending an email to the wrong person);
  • sending an email to a group without hiding the identities of the other recipients (for instance by using CC instead of BCC);
  • not having a (compliant) cookies pop-up on your website when you use cookies to collect user data;
  • using a customer’s personal data to market to them about products or services which are not relevant to the original collection of data without their fully informed consent (i.e. the use of automated opt-ins for all of an organisation’s services when they only contacted you to enquire about one distinct service);
  • loss of a briefcase of papers / electronic data on an unencrypted device containing personal data of customers;
  • providing personal data of your customers to the police unless the police require it to fulfil their law enforcement purposes. For example, the police should say why they need the personal data and, if it is determined that it can be disclosed, the disclosure should be limited to what is reasonably necessary;
  • not having a privacy policy in place;
  • discussing or sharing details of a candidate for a job with staff that are not involved in management or recruitment;
  • using CCTV at your business premises which captures people in public places without having a lawful basis for it, without ever deleting the footage and without putting up signs;
  • failing to put in place appropriate technical and organisational measures to protect personal data (for instance, failing to encrypt a device on which personal data is processed); and
  • failure to redact personal data relating to other data subjects when sending information to a third party or responding to a subject access request.

An example which comes to mind from recent press is the MOVEit vulnerability which has impacted multiple organisations, including Ofcom, Transport for London, the BBC, Boots and British Airways. MOVEit is popular file transfer and encryption software. The list of affected organisations continues to grow, and details of employees and customers have been compromised. The consequences of the incident are far-reaching.

If your organisation is impacted by an attack on one of your suppliers or data processors, as a data controller, you remain liable under data protection legislation and will need to take swift action in response to mitigate the impact of the attack. You are not off the hook just because it did not start with you.

We are now working in the age of a hybrid and mobile workforce. Working from home means staff are not as heavily monitored as they were previously. This can lead to bad habits such as employees using their own devices or writing things down and not disposing of notes securely. People also change roles and companies, and there is a risk they try to take your data with them. Even though the business is the ‘victim’ in these scenarios, it is still a data breach and action must follow.

Donald Macdonald, eDiscovery Consultant at Consilio, explains: “What we see most commonly is data exfiltration of some degree. In more extreme situations, data has been taken out of where it’s hosted or its source environment, and then deployed either for things like ransomware or published in ways which would compromise and embarrass the people who are responsible for that data. To put it simply, it’s data breaches or intrusions into secure systems, and the consequences in terms of direct financial sanctions, reputational risks, and follow-on concerns arising from that data going to people who shouldn’t have it, or ending up in the public domain”.

“Cyber incidents can be caused by the full range of cases. It can be everything from disgruntled employees, or vulnerabilities in technical infrastructure. It can come through both malicious actors, misconfigured systems or inadvertent mistakes. I’d say either human error or malicious human activity is probably a more frequent cause than the technical causes.”

Mathew Cowey, Corporate and Cyber Team Lead at CYFOR Secure, echoes Donald’s words: “From the preventative and the reactive side of our business, we have an agreed list of the biggest concerns at the moment. Top of that tree would be the social engineering, which leads into phishing campaigns and email impersonation.

“However, the biggest ‘bad wolf’ out there will always be ransomware. It’s the ultimate scary thing that can happen to a business. It damages businesses’ reputations, it damages the purse, it basically kills some organisations off. And it lines the pockets of cyber criminals.”

“Ransomware” is an easy go-to term, but what is the cause of the ransom actually taking place? Not always, but commonly, a ransomware attack is rooted in users’ actions. That’s why the user education piece is so pivotal. Who is it that needs to be educated in your business? It’s not just those that work in IT, but your whole workforce.

Cyber crime: all sizes and sectors welcome

Is the risk of cyber attacks higher for any particular sector, or size of organisation? Not according to our experts; however, there may be nuances when it comes to the types of incidents most commonly seen, and the precise nature of the risk. Cyber criminals do not discriminate.

Matthew Clark, Cyber Director at Partners&, comments: “We work with a broad range of different sectors: everything from science and technology to contracting, healthcare, logistics, warehousing, automotive, food and drink. The one common thread that joins them all up is cyber risk, and in particular the struggle that organisations have fending off ransomware attacks. Most of my time is spent helping customers deal with / prepare for and risk manage their business against business email compromise, social engineering attacks, phishing attacks or malware attacks.”

Donald Macdonald of Consilio elaborates: “There are some famous, or rather infamous, incidents out there, such as the recent Hafnium hack, Log4j or the recent MOVEit supply chain attacks. However, that’s not generally what we see day-to-day. What we tend to see is much more the mid market and public sector and charitable organisations, who do not have the controls in place to prevent attacks. So, we see ‘regular’ businesses like housing associations, health care organisations, car dealerships etc. breached. The impact in these organisations is often relatively more impactful than within large multinationals.”

Darren McGuff, Cyber Network Security Consultant at CYFOR Secure, echoes this point: “When it comes to third party breaches especially, it is SMEs that are the easy targets to be breached and then used to compromise someone further up the food chain, like a larger corporate.”

What makes SMEs easy targets? “Mainly it’s budgets. Larger corporates have the budget, the resources and the facilities to be able to put up a strong cyber security profile and defence. In the SME market, particularly when organisations try to cut their budgets and tighten their belts, the first budget that often goes is security in IT”, says Darren.

Different sectors may have different risk profiles. In the financial services sector, for example, cash transfer scams are more common. Darren elaborates: “However, those types of attacks tend to get followed up with the ransomware attacks. As long as you spot it early enough and have the appropriate controls in place, it can just stay as an invoice threat; but we tend to find those are precursors to something larger happening later down the line”.

Insider threats, from exiting or disgruntled employees, are another common cause of data breaches and cyber incidents. Darren explains: “In manufacturing particularly, we see more insider threats rather than external threats. That’s purely down to the nature of work; due to use of proprietary designs, insider threats are more common in the engineering world”.

Have you heard of PEBKAC?

All of our contributors raised the issue of the human factor in cyber attacks and data breaches.

Jeremy Scott-Joynt, Barrister at Outer Temple Chambers, explains: “There’s this old IT adage: PEBKAC. It stands for ‘Problem Exists Between Keyboard And Chair’, and the fact that it is old and commonly acknowledged doesn’t make it any less true. This isn’t because people are bad, it’s because people are always the weak spot; you can change tech, but you can’t change people. And smart crooks are great at socially engineering people”.

Darren McGuff of CYFOR Secure agrees: “People tend to think of cyber security in terms of technology and infrastructure, but the tech and the infrastructure are really the second part because it doesn’t matter what infrastructure and what technology you have in place; none of them can stop the user clicking a button. User awareness is right at the top of the cyber security prevention tree”.

"People are always the weak spot because you can engineer tech, but you can't change people."

Human errors are a key cause of data breaches too, whether it is sending emails to the wrong address by accident, or failing to keep policies and procedures up to date so they reflect the current way in which a business processes personal data.

Working from home, cloud and cyber security

It would be easy to assume that working from home has a negative effect on an organisation’s data protection and cyber security profile, while moving to cloud-based systems is a positive step. However, it is not as simple as that.

Donald Macdonald of Consilio explains: “Obviously work patterns changed in the pandemic. Some companies had to do things in very short timeframes that would normally take months to plan. Some proved to be better set up for this type of working and may have had some form of remote working already in place, while others had none of that. When you experience and introduce so much change in such a short timeframe, it’s going to create vulnerabilities. Also, other, more traditional, forms of criminal activity were less available during lockdowns, and therefore criminals had to think about other ways in which they can raise money.”

On this point, Matthew Clark of Partners& adds: “The reality is, sadly, that a lot of cyber criminals took advantage of the chaos that was around at that time in late 2019, early 2020 and were able to take advantage of weakened systems to launch penetrative attacks”.

Donald concludes: “The increase in cyber crime since the pandemic has been reflective of a general trend anyway, in that data is one of the most valuable commodities out there. The fundamental dynamics, in a sense, haven’t changed: data is an extremely important asset, and it should be protected accordingly”. After all, out of the top 10 most valuable companies in the world, seven derive a very significant proportion of their revenue from either processing personal data itself or providing tools to process it: Apple, Microsoft, Alphabet (Google), Amazon (its retail business relies heavily on processing personal data, whilst Amazon Web Services now makes up a significant chunk of its revenue), Nvidia (the largest GPU manufacturer in the world, used extensively in machine learning and AI), Meta (Facebook) and TSMC (chip manufacturer).

Darren McGuff of CYFOR Secure agrees: “When the move to WFH happened early on in the Covid pandemic, lots of people did it incorrectly. It had to be done fast, and organisations didn’t necessarily think about the security implementations, which of course led to a lot more breaches”. So does Matthew Clark of Partners&: “The claims or the insured cyber losses that have kicked off in the last few years have been largely as a result of people dropping their guards a little bit around the pandemic and how they’ve structured their cyber security.”

However, things have moved on since. Darren McGuff focuses on the post-pandemic developments: “After the pandemic and everything that has gone on in the world since, the reduced accessibility of physical hardware has facilitated a lot of movement to the Cloud. As a result, the cyber risk has evolved, it hasn’t gone away. There’s still an environment that needs to be breached, whether it be a Cloud resource or a local resource. It’s more of a change of risk than a reduction or removal of risk”.

"As a result of the mass movement to Cloud, the cyber risk has evolved, it hasn’t gone away."

Mathew Cowey of CYFOR Secure adds: “The education and the awareness piece from the IT professionals within the organisation or the managed service provider remain. Organisations still need to ensure that the appropriate security measures are implemented. Whether it’s a hybrid environment, on-premise, or Cloud-based, it doesn’t matter. There still has to be the appropriate time, personnel and budget requirements implemented across the board”.

“What continues to drive the conversation here is the rate at which businesses have digitised as a result of Covid. A lot of formerly traditional sectors have really taken up technology and digitised their operations at quite a rate in the last two or three years. Naturally, as soon as you start to rely more upon technology and networks and data, you become more attractive to cyber criminals who can monetise that data and those networks. So the pandemic-related problems have been replaced by the constant drive to digitise and that will continue as organisations realise the benefits of Cloud services and virtualised systems which are convenient but create a new threat landscape”.

Chapter two

Prevention is better than cure

Much like issues around home working, the challenges organisations face in the data protection and cyber security space can be boiled down to the technical and the human, and to who takes responsibility for the decisions across both.

Jeremy Scott-Joynt, Barrister at Outer Temple Chambers, says: “I tend to think that the technology, the ‘kit’, is probably the more straightforward thing. That’s not to say that it is easy: it can be very difficult, but rather it’s the simple thing. The more complex thing is the cultural questions, the management questions and the leadership questions. Those define the environment in which everything happens. And they’re not amenable to quick fixes”.

The ‘kit’

Our contributors agree that, particularly in the case of SMEs, a proactive approach to cyber security is more often than not triggered by some form of data breach. Up-to-date infrastructure is crucial; yet, for a variety of reasons, businesses are often reluctant when it comes to large upgrades.

Darren McGuff, Cyber Network Security Consultant at CYFOR Secure, says: “Sometimes the bigger the company and the more complex the environment, the harder and more difficult it is to upgrade infrastructure. The physical infrastructure is one of my predominant aims because it’s one of the last things that ever gets touched. We do get a lot of resistance and pushback when it comes to upgrades, and sometimes have to step clients in incremental phases through different products or services”.

For SMEs, the costs of infrastructure updates will undoubtedly have an impact on the bottom line. However, these costs are likely to be a fraction of the cost of dealing with a data breach or cyber event. To highlight a few of the potential costs, a business hit by a breach could incur:

  • payment of a ransom;
  • paying a fine issued by the ICO or dealing with the data breach, i.e. management time away from the business;
  • dealing with other regulators (e.g. the Financial Conduct Authority or Care Quality Commission);
  • instructing legal representatives to deal with, and paying damages in connection with, Court claims brought by individual data subjects. Claims management firms now make these claims very accessible to your average consumer, and an industry has built up around making such claims, particularly in the current economic climate. There are usually no legal fees to pay if they don’t “win” or get a settlement, so firms are heavily motivated to get organisations to pay;
  • rebuilding and restoring your systems, to include payments to external professionals, and for hardware and/or software;
  • loss of business and downtime; and
  • damage to your reputation in the longer term, leading to increased lost business, in particular a lack of trust amongst customers.

The lack of a properly configured firewall and adequate security system is like leaving the door to your premises open for criminals, a risk that no business would take, so why is it acceptable to leave your IT systems exposed?

The insurance industry also has a vested interest in businesses – its clients – maintaining a good level of technical data breach and cyber attack prevention measures. Matthew Clark of Partners& explains: “Insurers have, in particular, become very fond of multi-factor authentication, or MFA, in relation to email accounts and other critical software accounts. There are other things as well, and of course we tend to treat each client individually. If it is, for instance, a complex advanced manufacturing business, we might require them to have a good story to tell us about endpoint detection and response solutions, a security operations centre (SOC) to manage real time response to cyber threats, and very robust data backup including air-gapped data backup solutions.”

“It can get very complicated very quickly, but the idea is to take often very simple and yet important steps. I often recommend to smaller businesses taking themselves through the Cyber Essentials accreditation course that the National Cyber Security Centre offers in conjunction with IASME. It’s a very simple self-help tool that can help a small business make themselves highly resilient. There are two layers to Cyber Essentials now: Cyber Essentials and Cyber Essentials Plus, the latter being an externally audited version.”

Donald Macdonald of Consilio adds: “While it’s not the pure tech that we at Consilio most engage in, there are obviously some basic rules. Common advice is: keep your systems up to date. Make sure that you have intrusion detection systems in place. Make sure that the scale and the sophistication of the systems that you use is appropriate for the sensitivity of the data that you manage. If you do, as a matter of routine, hold highly sensitive information, ensuring you have secured, encrypted and tested backups is an important step”.

Data mapping is the exercise of recording the personal data a business collects, identifying how it processes it and the lawful basis on which it is being processed. The resulting data map is a useful tool to understand the risk associated with your business. However, in the SME market, it is still a small minority of organisations that actually do data mapping.

We often speak to organisations that have not undertaken a data mapping exercise which means their policies inevitably do not reflect how they are controlling and processing personal data. Failure to carry out this first step is a breach of data protection legislation that is often overlooked. It may not be picked up until there is a data breach, in which case, failure to have done it will compound the issues and increase the level of scrutiny businesses will face from the ICO.

Business owners looking to exit is another touch point, where a lack of data mapping will be uncovered as part of the due diligence process that is a standard part of a sale of the business. By then it is often too late to do anything to solve the problem. It may affect the willingness of a buyer to proceed, or result in buyers asking for a price reduction to reflect the risk, or seeking much greater protection from the sellers (increasing the risk to them in the future).

It only takes one individual to make a subject access request and recognise the inconsistency between what documents say about their data and what happens with it in practice. This is likely to give rise to a complaint and/or claim which you would need to address, and potentially a complaint to the ICO; from there, the breach could start to get more attention from others.

Donald Macdonald at Consilio says: “Often the companies that have data maps might also have the more sophisticated internal teams that can deal with it themselves, and less need for experts. And the fact is the smaller organisations generally don’t. And it’s regrettable, because it is a relatively affordable mitigation that you can do in order to make breach response and remediation processes less impactful. If you don’t have the budget for the most sophisticated software in the world, then at least make an effort to know where your data is held, and manage it appropriately”.

Access control also comes into play: “Once you’ve done the data mapping, identity and access management is key. If you can deal with and address how data is managed with each individual system, then you might be able to mitigate a risk that multiple systems are infected and contain it to areas within the network. There is a range of technical solutions and internal policies and processes which you can consider. It’s a question of fitting what your capability and your budget is to the type of data that you hold. But, crucially, do think about the people.”

The human factor

Jeremy Scott-Joynt, Barrister at Outer Temple Chambers, puts it perfectly: “One of the biggest mistakes in prepping for mitigating cyber security, info security and data protection risks is forgetting that ultimately all of it revolves around the human beings who are doing the job. Human beings are the weak spot. Not because they’re bad, or difficult, or foolish, or malicious – although on occasion they’re all of those things – but because they’re human beings.

“An organisation can have fantastic systems, a generous budget, sophisticated data protection and infosec tools at its disposal – then as part of that it sometimes expects its human beings to jump through ludicrous, ridiculous hoops in order to keep everything safe.”

SMEs will want to balance security against smooth day-to-day operation, without disproportionate steps being required to undertake normal tasks, and impractical hurdles. Data protection legislation requires measures to be appropriate for your organisation.

Jeremy goes on to say: “The simple test is: look at your procedures and imagine an eight-person team of whom two people are off sick, three are on holiday, and the remaining three are therefore trying to get the job done at about a third of the team strength. If the only way they can get their job done with the pressure of deadlines, targets and unhappy customers at their heels is by rooting round your wonderful procedure and basically trying to find a way of subverting or ignoring it, any procedure is worthless.

“The classic apocryphal story is: you might have someone in a hospital thinking, ‘medical data is really sensitive, special category data under the UK GDPR, we’ve got to keep it very secure. So whenever anyone wants to access this data, let’s make sure that they have to use a complicated personal password, and a fob, and also biometrics’. Put that in an A&E, and what you will find without a doubt is a post-it note with the password written on it stuck to the screen and the fob hanging from a hook alongside it, because you’ve just made it impossible for people to do their jobs.

“The systems have to work with people; so security systems that promote security without taking into account how people work are inherently insecure”.

The same is true of the way cyber security and data protection training is designed. Jeremy Scott-Joynt continues: “The cyber security culture is not something you can just patch in. You have to build it into your way of working, the way you incentivise people, and the way you train them.”

“My advice to employers is: think about little things like encouraging small amounts of learning that people can take in and that won’t feel like a box-ticking exercise. When there’s an incident, don’t point to somebody who got it wrong; instead, find the person who did something smart and sensible about it, and celebrate them publicly. That’s what I mean by incentives. Work with the grain of how human beings tick.

“Crucially, encourage people to see data protection as not an imposition on them, but as a part of their job. By looking after your clients, you are in a relationship with them. So cyber security and data protection is about looking after your clients, it’s about saving them money, it’s about making sure we are not putting their clients’ data at risk. It’s about how we look after the people we care about, our clients and our employees alike, and making sure we do everything we can to prevent their data from being misused. Because, bluntly, privacy is a right”.

Where does the responsibility for data protection and cyber security reside?

It’s a dated misconception that “IT – whether it’s an internal function or an outsourced IT provider – will handle cyber issues”. As this report illustrates, the responsibility resides with the whole organisation, starting from the top.

Mathew Cowey of CYFOR Secure says: “It has to be a board issue. The board needs to be aware; they have to take advice from the subject matter experts who are in the room, whether it’s internal or external. The door has to be open, and the ears have to be listening to the advice that’s coming to them”.

Company boards’ attitudes when it comes to cyber security are also a significant factor when it comes to cyber insurance. Matthew Clark of Partners& explains: “One of the most commonly recurring themes that we see in cyber security is having a good attitude to risk management. As insurance brokers, we want to see that the organisations understand the risk, have their arms around it at a senior level, and have board-level buy-in into good cyber security and good data security. Secondly, a good attitude towards that is reflected in good internal processes and procedures around data security and management of the data they hold, and the extent to which the organisation trains its staff in cyber security awareness”.

"Cyber security has to be a board issue. The board needs to be aware; the door has to be open; and the ears have to be listening to the experts’ advice."

“A lot of insurers see staff training as being pretty integral to insurance and that’s because the vast majority of cyber attacks are successful because of human error. Research indicates that over 80% of cyber attacks are successful because someone clicks on something they shouldn’t, or gives up sensitive information in a phone call. If you can turn your staff from your main layer of weakness into your first line of defence, you’re doing yourself a huge favour in mitigating your exposure”.

Cyber Essentials is an effective, Government-backed scheme that will help you to protect your organisation against a whole range of the most common cyber attacks. Darren McGuff at CYFOR Secure, who is a Cyber Essentials assessor, comments: “I know first-hand the measures that the Government has been trying to put in place. The education piece around cyber security, prevention and protection is a slow burner, however, it is gaining traction. People are looking for Cyber Essentials more, but it is still only a fraction of the number of SMEs in the UK”.

Chapter three

Fail to plan, plan to fail: cyber incident and data breach response

When asked about the first steps in responding to a cyber security incident or a data breach, our experts all turned into, well, time travellers. Everyone we interviewed said the exact same thing; as Jeremy Scott-Joynt of Outer Temple put it: “Dealing with a breach needs to have started weeks, months, or likely years before the breach occurs”.

It is a question of when, not if. Or, as Mathew Cowey of CYFOR Secure says: “To deal with an attack, you need to be prepared to be attacked”.

The first wave of response

The appropriate personnel – your data breach and cyber response team (or wherever those in this role reside) – will need to span a variety of specialisms. There’s a lot to consider and a lot of decisions to be made, based on the nature of the attack, in a short period.

On the legal side of things, the ICO states that businesses have to report a personal data breach to the ICO without undue delay (if it meets the threshold for reporting) and, in any event, within 72 hours. The clock starts from when you discovered the breach, not when it actually happened. However, it can take a lot longer than that to ascertain what exactly has happened and take steps to contain the breach. When a notification is made to the ICO, organisations should be mindful of the fact that a report (and some brief details about it) will be included in a publicly available list on the ICO’s website.

The threshold for reporting to data subjects is higher and is concerned with the risk of harm to the individuals.

"While your IT staff or managed service provider will have a part to play, it is important to realise that data protection, IT and cyber security are three different disciplines."

As trouble-shooters and crisis managers for our clients, we know that, in a well-managed response, reporting and reputation damage control will kick off early, concurrently with the investigation and the damage limitation side of things. It’s a mistake to think that your ‘tech guys’, whether it’s IT or your managed service provider, can handle that. They will definitely have a part to play, but it is important to realise that data protection, IT and cyber security are three different disciplines. Moreover, your incident investigation and your post-incident rebuild are likely to be handled by different people depending on the nature of the breach.

Matthew Clark of Partners& comments: “To use an analogy that I heard one of our cyber insurers using, it’s like having a brain surgeon and a knee surgeon. You wouldn’t want the knee surgeon to be operating on your brain. So relying upon your IT provider to do everything for you is often ill advised. Having some sort of external advice on cyber security is a very good idea as distinct from your own IT guy who, if he does the cyber security, is marking his own homework anyway”.

The tech experts handling the first wave of incident response will be informed and driven by a much wider team. There are immediate parameters of the incident to ascertain. Donald Macdonald of Consilio elaborates: “What’s the nature of the compromise? Is it still ongoing? What data sets are impacted? There will have to be the lawyers on the scene to advise on reporting obligations and potential consequences. There’ll be other specialists involved, like DFIR consultants, PR consultants or even ransom negotiators”. There is a common misconception that paying a ransom is illegal. Generally, it is not; however, there is a list of criminals to whom the Government prohibits payment.

“With the technical work, at some point, it’s a question of what is a reasonable approach to take, given the gravity of the situation. [As tech specialists], we will be guided to a significant degree by what the lawyers say. There will be the nature of the affected organisation and data sets to consider. If it is, for instance, a health or social care organisation, there may be very large amounts of highly sensitive personal data relating to data subjects involved, which may perhaps warrant a more thorough analysis than other forms of personal data.

“We may also be guided by insurers and their claims teams. They don’t necessarily get the last say, but cyber incident mitigation is increasingly paid out of insurance, and there is therefore a desire to keep the work to what insurance will cover. This decision on the extent of tech work that the business can afford is one that would need to be made early on. Some organisations may well be prepared to go beyond the level of insurance they have and dig into their pockets. Others, for instance, charities, might just not have any deep pockets to dip into.”

Whilst the ICO would not want to give anybody a free pass, anecdotally it is true to say that they would probably look a bit more sympathetically towards a low-budget charity than they would in the case of a sophisticated business that should be expected to do better. An example is the decision made by the ICO against the Mermaids charity.

Experts on speed dial

The above decisions are very hard to make without a certain level of preparedness within the organisation. To be able to respond to a real or suspected data breach, organisations should have a designated person (and a deputy) to co-ordinate people and the response, and appropriate policies, playbooks and plans in place.

Jeremy Scott-Joynt comments: “The problem with cyber security incidents is they’re incredibly quick. Things go bad very quickly. In a ransomware incident, the clock is quite literally ticking.

"Having two or three species of expert – e.g. legal, technology and PR - whom you know you can call when everything goes awfully wrong, that’s job one. Listening to them is job two."

“The biggest advice I could give is: don’t panic. Treat a cyber attack like the business problem it is. Which means you go back to first principles, and you decide on the outcome you’re seeking, and you work backwards from that outcome. In working backwards from the destination, that’s where having the experts on speed dial is crucial, because what they can do is help really quickly on the basis of bitter, hard-won and quite painful experience. You don’t have that ‘muscle memory’ level of experience. They do. Rely on it.

“Having several species of expert – legal, technology, PR, sometimes people as well – whom you know you can call when everything goes awfully wrong, that’s job one. And then listening to them. That’s job two.”

Incident response plan

How can a business make sure it does not panic when a data breach or cyber breach occurs? The principle here is the same as in any other life situation. Prepare; have your Incident Response Plan (IRP) ready.

Matthew Clark of Partners& comments: “Not planning is the most common mistake we see in organisations responding to a cyber attack. Companies often have really good business continuity plans for a fire or a flood. However, the statistics sadly show us that they’re far more likely to need a cyber insurance policy than they are to need their fire insurance policy. The UK Government’s Cyber Security Breaches Survey 2022 shows that 39% of UK businesses have suffered at least one cyber attack in the past 12 months. If I’d said that 39% of UK businesses had suffered a fire in the last 12 months, everybody would be panicking and reaching for their fire insurance policies. But very few people buy cyber insurance, which is concerning. Incident response planning, identifying the risk and being prepared to deal with it is critical.”

"The simple legal truth is that it doesn’t matter if you’re outsourcing your data management to a third party. If a breach happens elsewhere, you cannot simply say ‘it wasn’t me’."

Mathew Cowey of CYFOR Secure echoes the same point: “In practice, 60-70% of organisations we deal with at CYFOR Secure do not have written or up-to-date cyber incident response plans. Up-to-date is an important point here; when a plan is five years out of date, it fails on points such as major infrastructure changes, whole new structures and mergers that significantly change the company’s data landscape.”

Our observations match this assessment: lots of organisations that instruct us have not reviewed their data protection documents or re-trained their staff since 2018. PEBKAC makes the latter a concern because employees do not know how to recognise that a data breach has occurred, or how to report or otherwise deal with it.

Mathew concludes: “IRPs do work. They work even better when they are tried and tested. A good IRP is a tried and tested one, that tells you the right personnel to be bringing in, when to bring them in, when to be calling the board, and so on”.

Another misconception is that if someone steals your data, for example an ex-employee taking it to another employer, it is not your fault and you do not need to report it or respond to the breach. You have all the usual legal obligations under data protection law, including a duty to employ measures to prevent this from happening, and to resolve it.

The need for speed

Speed is absolutely critical when a data breach is discovered: speed of communication internally, speed of engaging with external resources, and also speed of visibility of the required data sources. The same goes for a data breach involving a misaddressed email. The overall benefit of sending a prompt deletion request to the recipient should not be underestimated.

"You are far more likely to need a cyber insurance policy than you are to need your fire insurance policy. 39% of UK businesses have suffered at least one cyber attack in the past 12 months."

Mathew Cowey of CYFOR Secure explains: “Again, it comes down to the preparedness of the organisation. If you’re prepared, you know how swiftly you can respond and give sight of the appropriate data to be investigated”.

In terms of timeframes, not having a plan can cost crucial hours. Darren McGuff of CYFOR Secure says: “If we have to engage a new client, speak to the board, get finances approved, get contracts raised, it can easily be 48 hours between an initial phone call and us landing boots on the ground. Sometimes it can be up to a week until we can start investigating, and at that point you’ve lost a week’s worth of data. With experts on retainer and software in place, an incident could be being investigated within ten minutes”.

Does outsourcing IT affect how organisations deal with data breaches and cyber attacks?

The simple legal truth is that it doesn’t matter if you’re outsourcing your data management to a third party. You still have direct responsibility to the data subject. If a breach happens elsewhere, you cannot simply say ‘it wasn’t me’.

If you have had a data breach or cyber incident, you cannot simply pass your obligations onto a third party provider. You may be able to take action against them later if, for example, an IT supplier has left your system vulnerable to the attack, or otherwise been responsible for the circumstances that gave rise to the breach, contrary to your contract with them. It is however wise to take advice on such contracts before entering into them to understand the scope of the supplier’s duties and the extent of or limits on their liability.

Suppliers will often seek to limit their liability to relatively small amounts (say 100% of the contract value) which is unlikely to provide a meaningful remedy in the event of a data breach. Increasingly, bigger businesses are requiring data processors to provide much greater levels of protection, and there is no reason SMEs should not ask for the same level of protection.

"You can’t always stop a crisis from happening. But you have the ability to try and be as prepared as possible."

Being unable to access personal data relating to your clients, customers, staff or other contacts is in itself a data breach. It is a data breach if you cannot access information held in a Cloud-based service, either because a cyber incident means it cannot be accessed, or because users have been inadvertently locked out. Maintaining a backup is only one part of the puzzle; if you cannot restore the data so that it is usable, it is of little practical use.
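The point about backups is easy to state and easy to skip: a backup that has never been restored is an assumption, not a control. The following restore drill is an added example, not code from the report or from any of the firms quoted in it. It assumes a constructed backup format (a tar archive carrying a `manifest.json` that records the SHA-256 of every file the backup should contain) and uses constructed sample files in place of a real client-records export. A backup is reported as usable only when the archive opens, every manifested file is present after restore, and every restored file matches its recorded hash; a truncated archive, a silently dropped file and a corrupted file each produce a distinguishable failure rather than a generic "restore failed".

```python
"""Backup restore drill: prove a backup is restorable and usable.

Added example (not the report's own code). Assumes a constructed format: a tar
archive carrying manifest.json, which lists the SHA-256 of every file the
backup should contain.
"""
import hashlib
import io
import json
import os
import tarfile
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MANIFEST_NAME = "manifest.json"

# Constructed sample data standing in for a small client-records export.
SAMPLE_FILES: Dict[str, bytes] = {
    "db/customers.csv": b"id,name,email\n1,Example Ltd,contact@example.invalid\n",
    "db/invoices.csv": b"id,customer_id,amount\n7,1,1200.00\n",
    "config/app.ini": b"[app]\nretention_days = 365\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Map each file path to the SHA-256 of its content."""
    return {name: sha256_hex(data) for name, data in files.items()}


def make_backup(files: Dict[str, bytes],
                manifest: Optional[Dict[str, str]] = None) -> bytes:
    """Pack the files plus a manifest into an in-memory tar archive.

    Supplying a manifest built from a different file set simulates a backup
    whose real contents drifted from what was recorded at backup time.
    """
    manifest = build_manifest(files) if manifest is None else manifest
    entries = dict(files)
    entries[MANIFEST_NAME] = json.dumps(manifest, sort_keys=True).encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


@dataclass
class RestoreReport:
    restored: bool                                       # archive extracted cleanly
    missing: List[str] = field(default_factory=list)     # in manifest, absent on disk
    corrupted: List[str] = field(default_factory=list)   # present, but hash mismatch
    error: Optional[str] = None

    @property
    def usable(self) -> bool:
        return self.restored and not self.missing and not self.corrupted


def verify_restore(backup: bytes) -> RestoreReport:
    """Restore into a scratch directory and check every file against the manifest."""
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(fileobj=io.BytesIO(backup), mode="r") as tar:
                for member in tar.getmembers():
                    if not member.isfile():
                        continue
                    # Refuse entries that would write outside the scratch directory.
                    if member.name.startswith("/") or ".." in member.name.split("/"):
                        return RestoreReport(False, error=f"unsafe path: {member.name}")
                    dest = os.path.join(scratch, member.name)
                    os.makedirs(os.path.dirname(dest), exist_ok=True)
                    with tar.extractfile(member) as src, open(dest, "wb") as dst:
                        dst.write(src.read())
        except tarfile.TarError as exc:
            return RestoreReport(False, error=f"archive unreadable: {exc}")

        manifest_path = os.path.join(scratch, MANIFEST_NAME)
        if not os.path.exists(manifest_path):
            return RestoreReport(False, error="manifest missing from archive")
        with open(manifest_path, "rb") as fh:
            manifest = json.load(fh)

        report = RestoreReport(True)
        for name, expected in sorted(manifest.items()):
            path = os.path.join(scratch, name)
            if not os.path.exists(path):
                report.missing.append(name)
                continue
            with open(path, "rb") as fh:
                if sha256_hex(fh.read()) != expected:
                    report.corrupted.append(name)
        return report


if __name__ == "__main__":
    print("intact backup usable:", verify_restore(make_backup(SAMPLE_FILES)).usable)
    drifted = {**SAMPLE_FILES, "db/customers.csv": b"\x00" * 16}
    report = verify_restore(make_backup(drifted, manifest=build_manifest(SAMPLE_FILES)))
    print("drifted backup usable:", report.usable, "corrupted:", report.corrupted)
```

In practice the drill is worth scheduling, not running once: restore the most recent backup into an isolated environment on a fixed cadence, keep the `RestoreReport` as evidence, and treat any non-usable result as an incident in its own right, since it means the organisation currently cannot meet its obligation to keep personal data available.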

Reputation management

Data breaches and cyber attacks have been cropping up in the news for a number of years. Laura Toogood, digital and social media expert and media commentator, comments: “I think the trigger point has been obviously the explosion in the information age and the amount of information and data that is out there, as well as the types of networks people are using to communicate. Whether that’s social media networks or private messaging apps or emails, technology has developed at a very rapid rate. As a result, there’s a huge amount of information that’s out there in the world, and that of course carries risks and threats. Awareness is also on the rise. Different procedures have come into play with regards to circumstances where you have to report data breaches, so it’s very much become a topical talking point”.

Businesses are understandably worried about how the fact that they’ve been breached, or had a data leak, is going to affect the perception of their brand, how it will impact customer trust; what consumers are going to think about it, what their key stakeholders or investors are going to think. Laura continues, “The digital footprint is very important and managing and having some control over that space and awareness is crucial. Taking a proactive position and making sure that you’re on the front foot through monitoring and managing your online profile and having good protocols in place with regards to your internal teams and how they’re using social media and communicating with people outside of the business, and having the appropriate mechanisms in place are things that help.

“You can’t always stop a crisis from happening. But you have the ability to try and be as prepared as possible. It’s all about managing it in the right way. I am a huge believer in bringing in the right experts at the right time. There’s not one person that is the right person to deal with an issue like this. In my role as a reputation management expert, when it comes to data breaches and cyber security issues, I am fully expecting to advise alongside a cyber security expert and a legal expert. There also needs to be a media relations and communications lead, and of course my role, the online reputation side of things and the technical areas behind the digital footprint and monitoring and managing the search and the social media fallout”.

In the UK Government’s Cyber Security Breaches Survey 2022, many businesses admitted that they would not report a data breach because they felt covering it up would be better for them from a PR perspective and from a legal perspective. The ICO’s publication of its list of reports adds to this concern. Jeremy Scott-Joynt disagrees: “The old journalistic adage is that the cover-up is worse than a cock-up. The odds of an unreported cyber breach coming out are increasing. People are more aware that it’s ‘a thing’, and there are any number of ways people can find out that something’s gone wrong. So how confident are you that if you brush it under the carpet it stays there? Because if it comes out other than by you announcing it, (a) you’ve lost control of the timing, (b) you’ve lost a good chunk of whatever defence you were going to be able to run.”

Cyber criminals may be looking to extort a ransom from their victims, but they will also sell personal data to other criminals on the dark web. They might well do this even if the ransom is paid – you are ultimately negotiating with criminals with the skills to avoid detection. If personal data ends up on the dark web, it is a ticking time bomb waiting for someone to notice. Transparency is key, and failing to report a breach (and, if necessary, tell data subjects about it) will lead to higher sanctions from the ICO when it comes out later, in addition to more claims and damages, and all of the above reputational concerns.

Laura Toogood adds: “I would certainly suggest that you follow the guidelines for reporting a breach. You shouldn’t stick your head in the sand if there is potentially a major issue that is unravelling. It needs to be addressed immediately and you have to pull in the right experts so that you’re not criticised for behaving in the wrong way. Actually, behaving in the wrong way reputationally can be much more harmful than taking the correct proactive measures in the first instance”.

"To deal with an attack, you need to be prepared to be attacked."

You should also understand the terms of your commercial contracts. Failing to “behave in the right way” may mean you are in breach of your contracts. For instance, if you do not comply with your insurance policy terms, you may not be able to rely on it later. Matthew Clark of Partners& comments: “There are contractual obligations to notify organisations you work with beyond those set up by the regulator. You might have an obligation to tell your counterparty about a data leak with regards to, say, a project you are working on together. The way you tell them what’s happened, and the way you tell them what you’re doing to try to recover from the loss and respond to it, is super important. You are not just managing your reputation. You are managing the chances of that counterparty bringing in a liability action against you, or alleging breach of contract”.

Each situation will be unique, but the advice on the reputation side echoes that on the legal and tech side, as Laura says: “Be proactive in your approach. Take advice on the particular scenario you’re dealing with. Listen to experts. It’s better for you to be in control of the narrative rather than lose control and worry that it’s going to come out in a different way”.

Chapter four

Insurance: the ‘silver bullet’ for cyber risk?

In insurance terms, cyber risk is still very much ‘an emerging risk’. Insurance has been around to deal with elements of cyber risk for about 20 years. “Since then,” comments Matthew Clark of Partners&, “cyber insurance has gone through various changes in the way that insurance works and the composition of insurance policies.”

“The insurance no longer just limits itself to protecting against liability, privacy breach, data breach, but also protects against what we call ‘first party cyber losses’, which is the organisation’s own costs and losses in dealing with a cyber breach. Those may be, for example, the costs the organisation has in dealing with the regulator, the Information Commissioner and other regulators that might be relevant, such as the Financial Conduct Authority and Care Quality Commission. It could be the costs of notifying customers that there’s been a breach. There’s a whole raft of different downstream costs and expenses that arise on the organisation that have to be borne by the investigation beyond just the threat of being sued for breaching people’s data.”

Is cyber insurance more important or more common in some sectors as compared to others?

Matthew Clark responds: “Many of our clients who are in spaces like life sciences and technology tend to be consumers of this type of insurance from day one, almost as soon as they set up. That is likely because they’re often venture capital or private equity backed, and their investors want to know their investment is properly secured. Also, tech and science companies tend to be more sophisticated in the way that they consume financial services even at an early stage.

"Across the industry as a whole for SMEs in the UK, the take up for standalone specialist cyber insurance is less than 15%."

“Traditional sectors are where it’s more challenging. Taking construction, real estate, retail, logistics or wholesale as examples, all those are traditional sectors where there’s a real need for urgent client education around cyber risk and what it can do to their businesses. We’ve spent a lot of time building lots of data-driven insights, tools, facilities and content to help get the message across about how real and how potentially damaging cyber risk is.

“This awareness piece is a constant challenge, and one that’s reflected in the take up numbers. Across the industry as a whole for SMEs in the UK, we believe the take up for standalone specialist cyber insurance is less than 15% of UK SMEs, and I suspect it’s probably closer to 10%.”

In terms of actual businesses with the correct insurance and the correct advice, the industry still has a lot of work to do. On the flip side, there is a great opportunity there for insurance brokers to get in front of their clients, talk to them about the role that cyber insurance has to play, not just in insuring their businesses but in helping them to become more resilient.

Why is the take up of cyber insurance products so low?

Matthew Clark believes that the lack of awareness is the root of the problem. “My industry, the insurance brokers, have not done enough in recent years to highlight the cyber risk as being very, very relevant to our clients. Much, much more needs to be done in that respect.”

"Fear is a significant factor for businesses buying cyber insurance. Often businesses will seek it when they have been subject to a cyber attack, or know of someone in their industry who has."

“It’s all about taking clients on a journey through this. It’s not an instant fix. We can’t just say ‘fill in this form and we’ll get you a quote’. There’s much more to it, and insurers need to invest a lot of time and understanding, and not least to educate their own staff as well on how to articulate cyber risk to their clients and get conversations started. In the current climate, these are not easy conversations to have.

“That is why we tend to focus on the preventive side of things and making our clients more resilient by improving their cyber security and their risk management. Our message is: leave insurance until last. Focus on self-help and improving your defences first, and then you’ll find the insurance more affordable and easier to obtain”.

It is accepted in the insurance industry that cyber insurance premiums have now stabilised. The emphasis has shifted to cyber security. Insurers are underwriting very cautiously and wish to have a good, reliable picture of the steps the clients are taking to secure their data and networks before they’ll consider insuring them.

Why do businesses take up insurance?

As you would expect, fear is a significant factor for businesses buying cyber insurance. Often businesses will seek it when they have been subject to a cyber attack, or know of someone in their industry who has.

"Cyber insurance is, increasingly, becoming a contractual obligation. Particularly in b2b, and commonly where a small client is dealing with a much bigger company."

That is not, however, the only common trigger. Matthew Clark comments: “Another reason that we find in people buying cyber insurance is, increasingly, the fact that it’s becoming a contractual obligation. Particularly in a b2b setting, and commonly where a small client is dealing with a much bigger company. At Partners&, we have a lot of science clients and small bio techs that are always trying to do business with much larger pharmaceutical businesses. When they deal with the pharmaceutical giants, the lengthy contracts often prescribe a certain level of cyber data and privacy insurance. This counterparty demand for cyber insurance is definitely on the rise, even in the more traditional sectors”.

Partners&’s experience is entirely consistent with what our clients are experiencing. Counterparties to contracts, large businesses in particular, are focusing on their supply chain, considering it the ‘weak link’ in their own cyber protections. Increasingly, large businesses are looking to impose detailed and onerous clauses on suppliers, with significant consequences for the supplier if they fail to meet the required standards. SME suppliers to large businesses will have to up their game to be able to compete for business in the future.

The message of collaboration

Normally, when you’ve made a claim, your premium goes up. Is this the same in the cyber insurance world?

Matthew Clark explains: “Actually, not necessarily. Obviously, insurers will want to explore what happened, but they tend to be realistic about it. The policyholder can only do the best they can. So overall, insurers don’t mind paying out for valid claims where they arise like this, and won’t punish the client by doubling the premium or refusing to insure.

“What they’ll want to do is to see a client who is going to embed the learnings from that situation and try to work with the insurer to try to stop that kind of event happening again or minimise the chance of it happening again. We tend to see policyholders wanting to learn by their mistakes or understand where their gaps in protection are, and plug them with the insurer’s knowledge. The message here is one of collaboration: you can work together with your insurer to deal with the risks, to mutual advantage.”

Insurance: only part of the answer

Although cyber insurance is an important layer of protection businesses should put in place to mitigate the risk associated with cyber attacks, it will not help with all data breaches.

"Cyber insurance is only part of the solution for any business looking to reduce their data breach risk."

The clue is in the name: cyber insurance covers most of the risks associated with a cyber incident, but does not typically cover all potential data breaches. Payment of a ransom is unlikely to be covered by insurance. As highlighted in Chapter 1 of this report, there are a number of other scenarios that will give rise to data breaches, for instance:

  • failing to tell data subjects how a business is processing personal data;
  • processing more personal data than is necessary to achieve your aims;
  • failure to properly assess the risk associated with data transfers outside of the UK (or EEA where EU GDPR applies); or
  • deliberate disclosure or theft of personal data by a disgruntled employee.

Increasingly, the ICO and other regulators are looking at data breaches other than cyber incidents. The Irish Data Protection Commission’s €1,200,000,000 fine in May 2023 for Meta arising from its failure to put in place an appropriate transfer mechanism when transferring personal data to the US, is a case in point.

Cyber insurance will help with cyber resilience, requiring businesses to up their cyber security game in order to get appropriate cover, which may well be its biggest single benefit. However, it will not necessarily help you with other potential data breaches and is only part of the solution for any business looking to reduce their data breach risk.

The future

The future of data protection and cyber security

Cyber security and data protection are rapidly evolving landscapes. With technology developing both on the prevention side and on the risk / attack side of things, it is an easy prediction to make that change will continue at pace in the foreseeable future.

At the time of writing, the Data Protection and Digital Information (No. 2) Bill is progressing through the UK legislative process. The good news for businesses is that the Bill looks to update the UK’s data protection and online privacy laws, reduce the compliance burdens for businesses and improve clarity. However, it remains to be seen whether it will be enacted and what impact it may have on the adequacy decision that has been made in respect of the EU, and it is definitely not a ‘one size fits all’ solution which would end all uncertainty.

We have asked our experts to do some crystal ball gazing into the future of cyber security and data protection. Their views are summarised below.

Mathew Cowey, Corporate and Cyber Team Lead, CYFOR Secure

The use of encryption, for both personal and business communications data, and also data storage, is going to increase. That is a welcome trend as it should assist with organisations’ cyber security.

Education pieces and user awareness are both currently trending. That conversation is certainly beneficial, and as a result we are seeing businesses having the discussion and putting money in the pot for the user awareness and the training across their whole ecosystems. The more awareness and the more education there is in the world of cyber, the better.

Darren McGuff, Cyber Network Security Consultant, CYFOR Secure

A trend that’s related to the rise of Cloud-based solutions is managed service providers partnering up with cyber experts to add the cyber security and forensic layer to the service. It’s becoming common practice to white label third party resources like this, so when an IT company says they have cyber security or forensic experience, a lot of the time it’s people like us at CYFOR Secure working in the background.

Donald Macdonald, eDiscovery Consultant, Consilio

In the world of breach response and analysing cyber incidents, I believe we are likely to see more standardisation of the workflows. It’s the nature of most processes: for the first few times, you may be a bit ad hoc, but the more you do it, the more you streamline your approach. One of the things we’ve been working on is a playbook for cyber incidents. It is about making the process more streamlined, and explaining it to the affected clients, in a more succinct way.

Companies will continue to be affected by cyber incidents, and it is not in anybody’s interest to make them go through an extremely painful, difficult and long process. That’s just commercially unrealistic and is not necessarily going to achieve better outcomes at the end of it. A more standardised way of working will in time hopefully mean that the costs of these exercises might come down, as would the time it takes us to do them.

At the moment, particularly when we deal with multi-jurisdictional businesses, there is a slightly awkward position where they might have differing reporting obligations across the regions they operate in. They might have not just one, but two or three different data regulators. And if they’re in a regulated sector, they may even have other organisations that they need to report to. The authorities themselves that govern businesses and govern the regulations around data ideally need to slightly harmonise their approach, and I’d like to think that over time they will.

Matthew Clark, Cyber Director, Partners&

I believe cyber insurance will become a more routine purchase for organisations of all sizes. The story of cyber insurance so far actually reminds me of that of directors’ and officers’ liability twenty odd years ago. To start with, it was seen as a quirky American liability that had come from across the pond, and insurance brokers were finding it difficult to articulate why clients should have this cover. Now, it’s almost the first thing that we sell to clients. Directors now understand why they need it and want this insurance. Cyber will be the same.

One of the key things I see changing in the future is cyber insurance policies becoming more of a preventative tool than a post-loss payment. A big US insurer called Coalition already has a tool where policyholders are auto-enrolled into a monitoring service which constantly scans policyholders’ networks and domains for attacks and threats in real time, and alerts policyholders, often through a smartphone app, so they can do something about it. This way, a preventative service is layered over the insurance coverage, and that’s obviously in everyone’s best interests. That is a big step forward in the evolution of the insurance industry’s response to cyber risk.

Would cyber insurance ever become mandatory? You could perhaps see critical infrastructure organisations being required to carry some mandatory insurance. I believe the Government is currently undertaking a white paper consultation in the managed service provider space, so IT companies may become another frontier of prevention and defence. That would probably involve if not mandatory insurance per se, then certainly mandatory obligations upon managed service providers to do more about strengthening their cyber security.

Carl Selby, Partner, and Fran Tremeer, Senior Associate, RWK Goodman

Larger organisations are already demanding more of their suppliers, with an ever-growing list of security requirements and more onerous contractual terms. For suppliers whose primary business is processing personal data, there will be an expectation that they meet minimum standards (remember: Cyber Essentials, while excellent, is just the start!), have appropriate insurance and will provide their customers with a meaningful remedy in the event that they cause a data breach.

The ICO (and other regulators) are starting to pay much more attention to data breaches that do not result from cyber incidents. The Irish Data Protection Commissioner’s decision to fine Meta for its failure to put in place an appropriate transfer mechanism to transfer personal data from the EU to the US, or the ICO’s decision to fine TikTok for the way it handles personal data of children, are both examples of this trend which seems likely to continue.

Artificial Intelligence (AI) will change the landscape in a number of ways. There will be different types of data breaches, whether it is AI processing personal data in a way which the controller did not anticipate (the controller will be responsible for putting in place adequate measures to ensure that AI does not process personal data in ways it has not been instructed to) or not being able to adequately tell data subjects how AI will process their personal data.

In the cyber security world, AI will provide new, quick and more sophisticated ways to deal with threats as they materialise… and provide cyber criminals with new, quicker and more sophisticated ways to identify vulnerabilities and develop new threats.

Insurers will increasingly use AI to better analyse threats and the risk profile of individual businesses, increasing the pressure on businesses to put in place robust processes, protections and training to meet new threats, but in turn giving them access to the knowledge generated from AI when they do not have the resources to develop it themselves.

Amongst the SME market, clouds will grow, and businesses with niche security requirements will move back to on-premises as faster, more reliable hardware and network connectivity become more available at more affordable prices, to give them greater control of their environment.

Whatever the outcome, there will be challenges to which business will need to adapt. The messages in this report apply: to deal with a breach, you need to have plans in place. Regularly reviewing and keeping risk assessments, policies and processes up to date will be crucial to minimise the impact of a data breach and cyber incident.

Concluding remarks

When we embarked on this report, we wanted to platform cyber security experts’ perspectives and bring out more dimensions of the cyber security and data breach ‘story’ that we see as legal advisors. There are many multi-layered issues and intricacies, and whilst no report can cover all of them, we believe we have managed to demonstrate the depth and breadth of the challenge, as well as touch upon the pace of developments in the prevention, protection, reaction, mitigation, reputation management, insurance and other data protection areas.

These issues do not come as a major surprise, but they bring home the message of needing to be aware. In this day and age, no business of any size can afford to ignore the challenges and risks around data protection. We hope that by compiling this report, we have, with our contributors’ invaluable help, managed to dispel some myths, address some questions, and provide advice that will make you sit up, take notice and take action.

If this report resonates with you, we are glad that we have been able to contribute to the education of our audience on cyber security and data protection issues. That’s not to say that our job is done; we will of course continue monitoring new developments, legal and beyond.

Watch this space for podcasts, webinars and updates to follow in autumn 2023. This conversation is business critical and it needs to continue so that you can be prepared and minimise the impact of a data breach or cyber incident… when it happens.

Thank you to our contributors

Darren McGuff, Cyber Network Security Consultant | CYFOR Secure

Darren is a Cyber Network Security Consultant with CYFOR Secure, has over 25 years of experience, and provides proactive and reactive cyber security services to SMEs and multinational corporations.

Operating globally since 2002, CYFOR Secure is a leading provider of Digital Forensics and Corporate Forensic Investigations with further expertise in Cyber Security and eDiscovery.

With ISO accredited laboratories, the CYFOR Group collaborates with a vast range of clientele across numerous sectors, from magic circle law firms and global organisations to SMEs.

Donald Macdonald, eDiscovery Consultant | Consilio

Donald is a disclosure consultant at Consilio and provides consultancy services to clients in the context of investigations and legal disputes.

Consilio is a global leader in eDiscovery, document review, risk management, and legal consulting services. The company supports multinational law firms and corporations using innovative software, cost-effective managed services and deep legal and regulatory industry expertise.

Jeremy Scott-Joynt, Barrister | Outer Temple Chambers

Jeremy’s primary areas of practice include business crime, regulation and commercial litigation. He acts for clients in both public and private sectors across all these areas, with a focus on financial services and technology issues. He is particularly interested in areas where regulation and technology interact or compete, such as cases involving cryptoassets and data protection/privacy issues.

Dr Laura Toogood, digital and social media expert, founder | Fieldmaster Group

Dr Laura Toogood is a digital communications expert with a PhD in Social Informatics. She is also the founder of the Fieldmaster Group, which provides advice to help manage the online profile for prominent individuals, family offices and luxury brands.

Matthew Clark, Cyber Director | Partners&

Matthew serves as the Risk Management Partner at Partners&, an advisory business, and specialises in insurance and risk consultancy, particularly for science & technology businesses.

Partners& has a seamless approach to risk management, insurance and claims which ensures its clients receive the most efficient protection.

Mathew Cowey, Corporate and Cyber Team Lead | CYFOR Secure

As Corporate and Cyber Team Lead, Mathew has the responsibility for the provision of Digital Forensics and Incident Response services to CYFOR Secure's corporate clients.

Operating globally since 2002, CYFOR Secure is a leading provider of Digital Forensics and Corporate Forensic Investigations with further expertise in Cyber Security and eDiscovery.

With ISO accredited laboratories, the CYFOR Group collaborates with a vast range of clientele across numerous sectors, from magic circle law firms and global organisations to SMEs.
