Back in October 2015 the TalkTalk website was hacked with 157,000 customers’ details accessed and 16,000 bank account and sort-codes stolen. News of the attack led to a fall of one third in the TalkTalk share price, and ultimately lost them 100,000 customers and cost an estimated £42million.
TalkTalk were inadequately prepared, a just published report of the Culture, Media and Sport Committee of the House of Commons says “Although TalkTalk had run various business continuity exercises, including potential risks like cyber-breaches, they had not exercised and planned on how to handle a cyber-attack on this scale”.
The CMSC Report calls for corporate fines where companies fail to disclose publicly that they have been attacked and also for instances where the hack could reasonably have been avoided if a company had complied with their responsibilities to prevent one. The TalkTalk hack was a simple one, a 15 year-old affair using the most basic of hacks – an “SQL injection” that inputs malicious instructions into a database to either gain access or to get a dump of information. It should have been avoidable.
But why talk of escalating fines and a system that will clearly be disputed leading to long protracted legal processes in which the only winners will be the lawyers. I would also question the motivations of singling out cyber-attacks from all of the risks that impact upon business continuity and resilience.
Are systems more important than people? Is the Committee assuming that business continuity/resilience plans are in place, understood, disseminated, tested and led by the Directors who recognise their joint and several responsibilities? If so, they are not of the world from which my experience comes. Too often business continuity is regarded as a cost on the bottom line, delegated to middle management, under-funded and ignored until something goes badly wrong.
The alternative to a fine would be a requirement for PLC’s to include in their Annual Accounts an audited statement from the Chairman/CEO making clear the actions that have been taken in the year to ensure that the company has an active, and relevant, business continuity plan in place. A transparent statement that is available to the business world, employees, shareholders, suppliers and regulators. The insurance implications are clear.
Those who fail to plan, plan to fail.
Richard Barnes