Regulation | Jun 23 2017

Ami tells brokers to treat cyber risk like regulation

The Association of Mortgage Intermediaries (Ami) has said that its members should review their cyber risks following the WannaCry attack, and has produced a factsheet of things they should consider.

Robert Sinclair, chief executive of Ami, said even firms that have developed solutions should check their plans against the sources on the factsheet.

“The global spread of the WannaCry ransomware should be a wake-up call for businesses to review their cyber security infrastructure, as no sector or type of firm is immune from attacks.

“This is particularly relevant considering the implementation of the General Data Protection Regulation next May which requires firms to understand how they hold and process their data, with significant fines for any breaches.”

The new data protection regulations, known as GDPR, are more onerous than those that presently apply. 

GDPR will apply to firms that process data about individuals in the context of selling goods or services within the European Union.

Here, in the UK, the Information Commissioner’s Office (ICO) is the lead supervisory organisation tasked with the responsibility of implementing GDPR.

The new rules increase the obligations of businesses that hold customer data and the penalties for falling foul of the regulation can be severe. The ICO can impose fines of up to 4 per cent of total global turnover.

Mr Sinclair said cyber risk should be treated in the same way as regulatory risk, in that staff at all levels should have a basic understanding.  

Cyber risks should also be addressed in firms’ overall disaster recovery plans, which should map the steps that need to be taken in the event of an attack or breach and allocate responsibilities, he added.  

How a breach is communicated to staff, to the data subjects who might be compromised, and how to deal with regulators and the press should also be covered, Mr Sinclair said.  

The WannaCry cyber attack last month is estimated to have affected more than 230,000 computers in over 150 countries within one day, hitting the NHS and Spain’s Telefonica as well as FedEx and Deutsche Bahn.

rosie.murray-west@ft.com