Countering cybercrime
Improving risk management is imperative to countering cybercrime, according to the Cybercrime Working Group of the ICAEW's Fraud Advisory Panel. In the past, companies have failed to deal with cybercrime, either through lack of awareness or because of the stigma attached to being seen as the victim of fraud or of another cybercrime of this nature. There have also been few requirements that companies take proactive steps to prevent this type of fraud. That approach is no longer acceptable: businesses must now act to ensure that they are adequately protected from, and prepared to take action in respect of, cybercrime. Taking adequate steps to improve an organisation's risk management in this area is no longer simply desirable; it is imperative.
Turnbull Guidelines
Whilst the Turnbull Guidelines are binding only on companies listed in the UK, they are increasingly viewed as the benchmark of good corporate governance for all UK companies, listed or not, and as the standard by which they may be judged. The guidance was written to implement the internal control provisions of the Combined Code, which it quotes. Provision D.2 states that: 'The board should maintain a sound system of internal control to safeguard shareholders' investment and the company's assets.' Provision D.2.1 states that: 'The directors should, at least annually, conduct a review of the effectiveness of the group's system of internal control and should report to all shareholders that they have done so. The review should cover all controls including financial, operational and compliance controls and risk management.' Provision D.2.2 states that: 'Companies which do not have an internal audit function should periodically review the need for one.'
Data protection
Anyone who stores information about another person, whether for a commercial or any other purpose, has a duty to hold that data in accordance with the data protection principles. As well as requiring that the data stored is accurate and is not kept for longer than necessary, the principles require that the data be kept secure. Businesses will therefore need to take steps to ensure that their computer systems and operational functions comply. The DTI promotes a British Standard, BS 7799 (Part 1 of which has since been adopted internationally as ISO/IEC 17799), as a benchmark for businesses and organisations seeking to comply with the security requirements of the Data Protection Act 1998 and to address other IT security issues. It is a common-sense security standard against which every business should benchmark itself, even if it does not go for full certification.
Human rights
The rights to privacy and family life are enshrined in the Human Rights Act 1998. Whenever a company or organisation stores information it must do so with these principles in mind, and it must take adequate steps to implement the controls and processes needed to keep the data as secure as possible, so that if the company does suffer a cybercrime attack, those rights are infringed to the least possible extent.
Liability of directors
Directors may, under the Turnbull Guidelines, find themselves in breach of their duty to the company and, consequently, to the shareholders for failing to put in place the correct risk management procedures and controls in respect of cybercrime. Directors owe the company a number of fiduciary duties by virtue of the position they hold, including a duty of good faith and a duty to act with due diligence. They may also owe duties of professional competence, depending on the terms of their service contract. A director who breaches the duties owed to the company may face personal liability to the company. If a company loses a substantial sum to a cyber-criminal, it may not be possible, or not commercially viable, to pursue the fraudster. In that case the company may be obliged to look for redress to the director responsible for implementing risk management. If that director has failed to act with due care in respect of a foreseeable risk, the company may seek to establish that the director was liable for breach of a duty of care and to recover damages from him or her.
Liability of accessories
It is important to appreciate that the person who committed the fraud may not be the only person against whom a remedy can be obtained. Others may have been involved in committing the crime and may be equally accountable. In the case of cyber-laundering, for example, a firm may become liable under the principle of constructive trusteeship if it was at any point in receipt of laundered funds. It is because of this accessory liability that banks and others used as a conduit by money launderers may find themselves struggling to avoid becoming secondary victims. Many countries, and notably the European Union (EU), are looking to registration authorities (RAs), which verify an applicant's identity before a digital certificate is issued, to establish the identity of e-traders. There may therefore be scope for a claim against an RA that allowed a certificate to be issued to a launderer. Lawyers and accountants who helped set up any scheme may also be legitimate compensation targets. Depending on the nature of your business, then, there are many different ways in which it can incur liability for the cybercrimes of a fraudster. The key to avoiding liability for money laundering is to 'know your customer'. Firms should take action in support of anti-money laundering measures both to comply with legal requirements and to protect their corporate reputation. Evidence of identity and beneficial ownership should be sought, and a higher level of due diligence undertaken, where any of the following are present: numbered or alternative accounts; high-risk countries; offshore jurisdictions; high-risk activities; public officials.
Reviewing policy and procedure
Many firms already carry out financial controls, audits and assessments. The Turnbull Report places greater emphasis on the assessment of risk and of operational controls. This means that senior management must review the procedures applied to risk management and control on an annual basis and identify the areas where such controls are lacking; in effect, they will have to start carrying out an internal audit of operational risk. The business benefit is that the review can be reported in the annual report and accounts, which can lead to greater trust among customers and therefore to increased business or market share. To review policy and procedure effectively in terms of operational risk management, companies should be reviewing their Internet strategy and the related risk management issues at board level. In particular, where the business strategy warrants this level of supervision, companies and organisations are advised to appoint one director to oversee the area, attaching responsibility for operational risk in relation to cybercrime to that individual or their department. This reduces the risk of criminal prosecution or civil action against directors or the company for failure to comply with current standards and regulations, and it may well reduce long-term fraud losses. It may also reduce the chance that the company becomes liable, as a constructive trustee, for receiving laundered or fraudulently obtained funds. However, the fight against cybercrime must be fought at every level of the company. It is necessary to establish policy and procedure that apply to everybody in the business.
