When we think about Enterprise Resilience we generally think about the things that can go wrong and which might harm an organization’s viability or even make it fail completely. In my last blog I made the point that resilience is much more than a compliance issue. Although all organizations have some compliance requirements to deal with from auditors, insurers and sometimes bankers, it is only in the fully regulated sectors that compliance has played a very large role. For example, the financial sector faces potentially very large penalties for not meeting its regulatory requirements, up to and including withdrawal of its licence to operate at all. In practice, however, penalties have tended to fall on global institutions that can absorb them easily. They certainly have not been large enough to put the enterprise at risk.
If, however, that were to change and the scale of the penalties imposed became punitive, it is entirely feasible that they could make the difference between survival and collapse for a less well funded business.
This might well happen soon. Suddenly all types of business are at risk, as a landmark notice from the UK data protection regulator, the ICO (Information Commissioner’s Office), of its intention to fine British Airways £183m for last year’s breach of its security systems has sent shock-waves across the global business community. Users of British Airways’ website were diverted to a fraudulent site and the details of around 500,000 individuals were collected by the attackers. According to the company, the information included names, email addresses and credit card information, but not the 3 digit security code.
The ICO agreed that the company had followed the correct procedures in reporting the breach as required by law. It also confirmed that the company had fully co-operated with its investigation and had made improvements to its security arrangements. However, it believed that the airline was negligent in that, at the time of the event, it had “poor and inadequate security arrangements in place”. This is challenged by British Airways, which claims to have been the victim of a sophisticated cyber attack of a kind that had also been successfully carried out against other companies. It later emerged that the airline had been attacked by a group known to security researchers as “Magecart”, which had in the past gained similar access to Ticketmaster’s website. Although the attack techniques differed, both attacks exploited weaknesses in 3rd party software used by each company.
It was also widely accepted that, although customers were inconvenienced, no-one has to date suffered any financial loss, and BA had stated as soon as the breach became known that it would cover any such losses. So did the magnitude of the loss really justify a fine of £183m, which is 1.5% of its world-wide turnover?
Opinions differ, but the ICO seems eager to rigorously pursue any business that it finds is non-compliant with the General Data Protection Regulation (GDPR). It demonstrated this almost immediately by announcing a proposed fine of £99.2m on the US owned Marriott Group. This was for a data breach that began in 2014 but was only reported in 2018. Even more to the chagrin of Marriott’s management was the fact that the breach actually occurred at the Starwood Hotel Group before it was purchased by Marriott. The Information Commissioner said “Marriott had failed to properly review Starwood’s data practices and should have done more to secure its systems. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”
So now we know: at least as far as the ICO is concerned, there are no mitigating circumstances. Timely reporting of an event, co-operating with the authorities, making changes immediately, ensuring that no-one suffers any financial loss, not having control of the business when the incident occurred, the flaw being in a 3rd party product rather than your own software, being the victim of sophisticated cyber criminals: none of these help you. If you have any data breach you will be fined. Of course the two companies discussed here might never pay; they have a right to appeal and will no doubt do so with an army of corporate lawyers. However, for a smaller organization operating on relatively tight margins, a fine of 1.5% of turnover (which under the GDPR could be up to 4%) might be catastrophic. If we then consider related impacts such as loss of customer confidence and reputational damage, it would surely be terminal.
This might start as a compliance issue but could easily become a vital enterprise resilience priority.