Cyber-Risks and their Management

November 1, 2002

Broadly speaking, Internet risks – or risks arising from using Internet technologies – can be divided into three clearly identifiable types: technological, legal and operational. Colloquially, they are referred to as ‘cyber-risks’

Technological risks

Technological risks arise primarily in the context of communication and information security. Examples of the risks in this category are interference with communications or damage to information security from viruses or ‘hackers. In extreme cases, there may even be an incident that prevents business continuity.

Legal risks

Legal risks arise from failure to comply with obligations and requirements of the law that in some way govern the use of Internet technologies. An example of this in the traditional world might be the posting of dated information on a Web site, which may amount to negligence. In the ‘electronic’ world, an example might be failure to comply with the Electronic Commerce (EC Directive) Regulations 2002 (SI 2002 No. 2013).

Operational risk

In many ways, the most difficult of the three categories of risk to manage are operational risks. These are the types of risk that arise from inadequate management and supervision of the use of Internet technologies by personnel both within and outside an organisation. A typical example of such a situation became known as the ‘Busty Blonde’ case – where, allegedly, an internal e-mail suggested replacement of a leaving member of staff by a ‘busty blonde’.

There are numerous examples of this type of risk, including: employees visiting inappropriate sites, and downloading and distributing unsuitable material in business hours or losing valuable time browsing Web sites and making private online purchases. They are all the more difficult to manage because they arise from human behaviour, which is unpredictable and difficult to control. In most cases it is failure to manage operational risks that damages an organisation

Before risks can be managed, they have to be assessed – so there needs to be some process or procedure in place to undertake a risk assessment. This tries to identify and anticipate possible events and provides an organisation with the opportunity to take greater control. Instead of reacting to events, the organisation can plan its strategies with less risk of unforeseen events.

Risk assessment involves certain processes:

· identifying the risks associated with a particular activity or strategy

· assessing and evaluating the likely impact of a particular risk

· implementing appropriate steps to eliminate or reduce the risk to an acceptable level – risk management

Lawyers perform risk assessments instinctively when acting on clients’ instructions, often in terms of strategies for the avoidance of professional errors and omissions. Cyber-risks, though, are inherently uncertain and sometimes the strategy must be limited to reducing risk so that the consequences are manageable. This is especially so in respect of Internet technologies

Risk concepts

A risk is anything that might jeopardise a business’s accomplishment of its objectives.

There are different types of risk. Strategic risks are those concerning the overall direction of the practice. Operational risks concern the proper functioning of the firm. If a Web site is deployed, thought must be given to appropriate content – management of content is an operational issue, but a decision as to the nature of the content may be strategic.

Cyber-risks introduce a confusing mixture of strategic and operational risks. Collecting data through the Web for the purposes of marketing is a strategic decision because it is concerned with gaining competitive advantage in the marketplace. The proper handling of any data is an operational issue involving the internal functions of the practice

Risk is not always obvious and can emerge quite unexpectedly and does not necessarily appear as an identifiable threat. This is especially true of external risk where every organisation is dependent upon an environment wholly outside its control. It is helpful to ask certain questions:

· What is the worst that could happen?

· How likely is it to happen?

· Are the right procedures in place to stop it happening?

Risk Assessment

The first step in assessing risk is to identify any risks that might arise from a particular strategy as accurately as possible. The same principles can be applied in the case of cyber-risks. Every firm will identify different risks because every firm is different.

Once a risk is identified, its impact will need to be assessed. Management will need to identify business assets; recognise the threats; assess the level of business impact and vulnerabilities, then decide where time and money should be spent.

In terms of cyber-risks, ‘business assets’ are the firm’s reputation and goodwill. ‘Threats’ are adverse consequences that impact on the ‘business assets’, for instance, the interception of confidential e-mail that was not sent securely. The ‘level of business impact’ is the loss, including any action taken by the client. ‘Vulnerability’ is the absence of any technology for securing confidential e-mail or, perhaps, the absence of appropriately skilled staff to implement the technology required.

The aim of risk assessment is to balance the potential benefits against the potential risks of a course of action. A risk strategy accepts risk, and manages it in a way that is acceptable to the organisation.

Collecting information

Effective risk assessment requires sufficient information to be available to enable an informed assessment to be made. There are three useful approaches:

· interview key personnel to identify the particular issues that might arise

· circulate questionnaires directed to key personnel

· workshops or focus groups for key personnel.

It is important to ensure that information is obtained from appropriate sources.

Consideration should also be given to the quality of information collected. It is important to obtain a full perspective of the risk when seeking information. Some individuals’ perspectives will be more valuable than others.

The Risk Control Plan

A logical approach to recording the findings of a risk assessment is to develop what has been termed a Risk Control Plan. Information identifying the risk and the circumstances of its incidence will have been obtained and can be recorded

The next step is to ‘rate’ the importance of the risk. This will involve profiling each risk and its inter-relationship with any other functions of organisation. The final step is to determine the firm’s response to the risk. This requires addressing the question – how can the risk be controlled, reduced or eliminated?

Typical issues to be considered are: a description of the risk; the source of the risk; the severity of the risk; the controls to be applied to the risk; who ‘owns’ each risk; what is recommended to reduce the risk exposure and in what time frame; and what was actually done. This can easily be documented in the form of a simple spreadsheet.

The Risk Register

An alternative approach to recording the findings of a risk assessment has been referred to as a Risk Register. This would contain information as to the company, location, department, type of risk and even a number allocated to the risk. There should be a description of the risk, its root causes, its status, the likelihood of a particular eventuality and its consequence.

The British Standards Institution offers software that helps organisations perform a risk assessment in respect of information security risks with a view to implementing the ISO:IEC:17799:2000, the current Information Security Standard. The software leads the user through actions necessary for the application of the standard and checks the security of the organisation against the Standard. It supports the risk assessment process and calculates risks and suggests action to reduce them.

Risk Management strategies

The importance of risk management in the commercial sector was recognised in the Turnbull Report produced by the Institute of Chartered Accountants (www.icaew.co.uk), the recommendations of which became mandatory in December 2000.

The Solicitors Indemnity Fund published a Self-Assessment Risk Audit for solicitors. One key conclusion was that risk management strategies must be ‘owned’ at a senior level within an organisation. In terms of a small to medium-sized law firm, the appropriate level is likely to be partnership level. For the larger firms, there may be a chief executive, or perhaps a chief information officer, who might assume day-to-day responsibility.

The ultimate objective of any management strategy is to improve performance and to develop opportunities. For example, the application of encryption technology may present business opportunities and enhance the firm’s reputation. Risk management offers different benefits at different levels in the delivery of electronic legal services. Careful supervision and management of information on its Web site benefits a law firm’s strategy of developing a one-to-one relationship with a commercial client.

The Risk Manager

A critical factor for managing risk is the appointment of an individual to take responsibility for management of the risk management strategy (the risk manager). The risk manager has two functions – first to advise the firm about the risks involved in any particular strategy and second to take or assume ownership of the risks

It may not be realistic to expect one person to have sufficient knowledge and capability for such a role in an organisation with many employees and which may pursue a variety of Internet strategies. Much depends on the size of the organisation and the character and management structure of the practice.

The risk manager must be able to take an overview, identifying strategies and objectives across areas in which cyber-risks arise and selecting the most suitable options. The risk manager is the focal point for identifying and managing risks as they arise.

Cyber-Risk Management Team

Managing cyber-risks calls for skill and capability in a variety of specialist areas. Typical examples include: risk management, information security, legal and regulatory issues, personnel management and administrative skills – otherwise known as operational issues. The most appropriate leader of the team will almost certainly be the risk manager.

The team should document its own risk control plan, identifying the particular cyber-risks and the solutions or controls to be adopted, with specific assignment of responsibility for particular functions – technology risks, legal compliance risks, and operational risks. In addition, there should be a partnership representative, if not already included. From time to time, the team may wish to co-opt specific members for particular projects.

The team will need to define closely the nature of the risk, the type of hazard that is presented to the firm, and consider its likely duration, frequency, and whether it is an internal risk (for example, the behaviour of employees) or an external risk (for example, the risk of virus infiltration).

The risk might be tolerated if it is not cost-effective to manage it. Alternatively, steps can be taken to eliminate the risk or steps can be taken to transfer the risk. Probably the most likely example of the latter course is to arrange insurance cover. Insurance cover is not a substitute for efficient management strategies, but is an essential support when all possible steps have been exhausted in addressing a specific risk.

The team will make recommendations to the partnership for the adoption of policies and procedures to manage a particular risk. The most obvious examples are the adoption of e-mail use or Internet access policies.

ISO/IEC 17799-2000.

ISO/IEC 17799-2000 is a set of standards for an organisation to have in place to support its information technology operations. Part 1 of the Standard – Information Technology – Code of Practice for Information Security Management is the Code of Practice guiding those charged with the management of information security.

The Code of Practice and the Specification comprise ten separate elements. In order to understand the context and the framework of the Standard, it is helpful to consider these key features.

· The Information Security Policy

· The Organisational Security Structure

· The Clarification and Control of Assets

· Personnel Security

· Physical and Environmental Security

· The Management of Communications and Operations

· The Control of Access to Information

· The Development and Maintenance of Systems.

· Business Continuity Management

· Legal Compliance.

As e-commerce develops, there is likely to be increasing pressure upon organisations to achieve compliance with the Standard. This will apply to organisations that hold large amounts of confidential data or communicate information which has a high degree of confidentiality. Law firms fall into both categories.

The cyber-risk team model is an appropriate vehicle for achieving the Standard. The cyber-risk team could easily assume responsibility for the accreditation process within a law firm. The requirement for appropriate security measures may well become a pre-condition of insurance with the new raft of professional indemnity insurers, and compliance with the Standard might soon be the benchmark on which insurers consider underwriting cyber-risk business.