Cyber-attacks are continuing to rise, yet we know finding cyber-criminals is no easy task. In fact, it’s rare they’re caught or held accountable for the damage they cause.
With increasing reliance on outsourcing IT services to third party providers, IT professionals are finding themselves at risk as individuals and organisations commence legal proceedings following a cyberattack.
So, what are the Duty of Care responsibilities for IT Professionals?
People and businesses of all shapes and sizes have a legal responsibility to take all reasonable measures necessary to prevent activities that could harm people and, or their property. The negligent or reckless behaviour of an individual or organisation may make them liable for any losses or harm due to that behaviour.
Reassuringly, many industries and professions have long-established codes of practice and standards that serve as a guide for legal decisions.
Believe it or not, there are no widely accepted industry standards that protect clients from cyber-attacks. As such, much debate remains on whether service providers should bear any liability for cyber-attacks.
So, therein lies the challenge. At what point does the Duty of Care responsibility begin or end for an IT service provider?
A common practice for IT service providers is the use of contract disclaimers or detailed service level agreements that exclude liability for cyber breaches. However, without clear industry guidelines, the disclaimer may not stand up to scrutiny in a court of law.
Thus, while IT Service providers can clearly define their terms, limitations and their actions to protect against cyber breaches, the contracts may not offer complete protection from liability.
However, there are steps IT professionals can take to manage their risk.
Here are 7 actions IT Professionals can implement today based on recommendations by Brooklyn Underwriting:
1. Check you have Cyber Insurance
General business or professional insurances often exclude cyber insurance. Talk to your insurance broker about your insurance program and risk exposure. They can advise on the most appropriate policies for your business needs and guide you through the options for mitigating or transferring risk to insurance.
2. Ensure your IT systems are secure
While you may not be able to make your IT Systems iron-clad, you must take all reasonable steps to ensure they are secure and cannot be accessed via client networks. Segregate your networks where possible. Alert clients to new threats and record any conversations or emails.
3. Implement an update schedule
Implement regular software and anti-virus updates to detect malware using an endpoint detection and response tool. Ensure you have a critical and non-critical patch management program, plus secure backups that you test annually.
4. Implement strict password management
Set multi-factor-authentication and a regular password change schedule for all access to your network and client networks. Additionally, schedule regular team training to ensure staff can identify and report phishing email scams or other potential cyber threats.
5. Clearly define your terms of engagement and responsibilities
Detail and agree your terms, terminology and responsibilities for cyber security in all contracts and service agreements. Where you have responsibility, invest in training to ensure your team possess the skills to meet your duty of care. Be diligent in reporting system issues to clients and agree the actions, costs and timeframes required to fix any issues. Be sure to respond promptly to any service complaints and keep a record of all events, conversations, and emails.
6. Mitigate cyber risk
With uncertainty on liability, it is critical to mitigate the risk of cybercrime. Therefore, take all the necessary steps to reduce the risk of a cyberattack for you and your clients. Afterall, it may reduce the impact on customers, suppliers and other affected parties and may reduce the likelihood of a claim against you or your client.
7. Prioritise training
No matter the appeal, if a new or existing client requests work that is beyond your expertise, it is advisable to consider whether to undertake the work.
Equally important is ensuring your team maintain and regularly upgrade their skills. Ensure your team stays up to date on regulatory requirements and how to tackle emerging cyber threats.
Transferring cyber risk to insurance
Clear Insurance helps businesses identify, understand, and manage business risks, including cyber security risks. Our risk and insurance review assesses your risk exposure and recommends the most appropriate ways to transfer risk to insurance.
Contact Clear Insurance today for advice.
This article is based on an original article titled ‘Where does it end? An IT professional’s duty of care responsibilities’ by Brooklyn Underwriting, a division of AXA XL.