
What are obligations of a firm that has experienced a cyber security attack?

A cyber attack can cause major damage to a business, often resulting in a substantial financial loss.

Cyber attacks can also damage a firm's reputation and erode trust with customers and clients, and data protection laws require firms to manage the security of all personal data that a firm holds.

But how prepared are businesses for a cyber security breach, and what are their obligations in the event of a cyber attack?

The Institute of Directors carried out a study of business leaders which showed that 41% of businesses had experienced a cyber attack.

"A quarter of those occurred in the last six months," said Caroline Spillane, Chief Executive of IoD, "So it's not surprising that the majority of the respondents said that they're either very or extremely concerned about the impact of a cyber threat to their business continuity."

A cyber security attack can take the form of a phishing scam, malware or ransomware, and even weak passwords can be a threat to the operation of a business.

Ms Spillane said more firms are prepared to manage and minimise the risk of an attack.

"The positive thing is that about two thirds said the issue is on the board agenda at least quarterly and a good proportion said they had a board-approved IT cyber security strategy in place so that's the preventative action," she said.

"And a good majority as well, about 81%, said they had an incident response plan in place which is very positive because really you need to be able to react to these things as quickly as possible."

It is vital that directors know to ask the right questions of managers when it comes to cyber security preparedness, and 67% said they have undertaken cyber security training in the last 12 months.

If a business does experience a cyber security breach, what are their obligations?

The Institute of Directors CEO said there are widespread obligations under GDPR for organisations that have a data breach where the breach presents a risk to affected individuals.

She said there is Central Bank guidance for regulated entities and there is a whole range of EU-wide legislation on cyber security, such as the Network Information Security Directive.

"A very good resource is the National Centre for Cybersecurity. It has information for businesses on the website, so I would recommend that businesses would look at that resource to understand exactly what they are required to do and also to understand their reporting obligations," she added.