Punish companies for cyber security failures, directors say.
Companies should face severe financial penalties if they fail to keep customers’ data safe, a majority of directors believe, amid a spate of cyber attacks on big businesses.
Seven in 10 board members have demanded stricter punishment for those who fail to meet basic cyber-security requirements, according to research group ComRes.
The figures, due to be presented at the Institute of Directors Annual Convention on Tuesday by the FTSE 250 security company NCC Group, come in the wake of Yahoo revealing the biggest-ever cyber attack on a major company.
Yahoo said last week that passwords, names and phone numbers from more than 500m accounts had been stolen by state-sponsored hackers in 2014, but had only recently been discovered. The attack affects 8m British internet users, including some with Sky and BT email accounts.
At present, security failings are punishable with a fine of up to £500,000 from the Information Commissioner’s Office (ICO). EU data protection rules due to come into force in 2018 will create penalties of up to 4pc of global revenues or up to €20m (£17m), but it will be up to national regulators to enforce the rules.
It is unclear whether Britain will have to apply the legislation when it leaves the EU, or whether it might try to encourage companies to move to the UK by introducing a less-strict regime, as some have suggested.
The research, which surveyed 200 directors from companies with more than 500 employees, found that 71pc believe companies should be penalised for failing to meet basic cyber security requirements. A greater number – 77pc – believe that regulators should be tougher on companies that have inadequate defences.
Rob Cotton, NCC’s chief executive, said big companies were often the most complacent about cybersecurity, with directors themselves refusing to take responsibility for safety.
“For years it hasn’t been taken seriously enough in boardrooms across the country and while these results don’t prove that it’s now being managed appropriately, they do show that directors are realising that greater scrutiny and oversight from regulators and government will stimulate the necessary action and help drive up standards,” he said.
It comes after a string of attacks on big businesses in the last year, including TalkTalk, British Gas and LinkedIn. TalkTalk was fined £1,000 by the ICO earlier this year for failing to notify the regulator earlier.
Originally published on The Telegraph.