On average, it takes 120 days for a business to know that its data has been compromised

Legal risk

Cyber security is driving legal risk

Governments are treating cyber security as a high-priority issue and emphasise that the risks include espionage.

Companies are worried. The loss or theft of data exposes them to the risk of action by regulators. When attacks disrupt operations, companies may fail to meet obligations to customers, resulting in class action suits from consumers and even shareholders.

Knowledge of a cyber attack may be regarded as inside information that meets the ‘reasonable investor’ test (i.e. information likely to inform investment decisions). The Securities and Exchange Commission (SEC) is concerned. It has issued guidance on when a company should disclose an incident, and has threatened enforcement action for failures to report.

Most recently, the SEC announced a programme of inspections regarding the cyber security measures at various regulated firms. For companies in the broadly-defined critical infrastructure sector, the US government issued a set of measures, known as the NIST framework. 

In the UK, the government is encouraging public/private and sector-based information-sharing. It has also launched schemes to encourage companies to improve their cyber security. 

Although voluntary, businesses are likely to follow such guidelines to show they have acceptable protocols in place.

At the same time, specific legislation is on the horizon in Europe. While the EU continues to debate its draft directive on network and information security, the German government is finalising its own IT Security Act.