Cyber and data security – 5 legal obligations you should not ignore

By Lindsay Hill, Chief Executive Officer at Mitigo Cybersecurity

1 August 2022

The ICO’s recent finding of negligent security practices and resulting £98,000 fine of Tuckers Solicitors should alert all businesses to the consequences of failing to comply with their legal obligations for the security of personal data. Read this article to understand your cyber and data security obligations.

Here is a reminder of some basic legal obligations.

1. Do a risk assessment

The business must undertake a cybersecurity risk assessment – that is, an assessment/analysis of the security risks involved in the holding and use of any personal data. It must cover many elements – the security of your technology, the way it is accessed, where data is held and how it moves around the business, the nature and sensitivity of the data concerned, the people using it, the third parties who you allow to access/process it, the security policies in place (or not), and much more.

Doing this will of course include technical assessments. But it also needs to identify all vulnerabilities, not just technical ones, and give you visibility of your risks. And because of point 5 below, your risk assessment should be documented. It is an independent specialist job, and a different one from IT support.

In respect of the technical side, the ICO says: “This is a complex technical area that is constantly evolving, with new threats and vulnerabilities emerging.” That is why, to understand where the risks are, the risk assessment needs to be undertaken by someone with genuine cyber risk management experience, who is up to speed on the current methods of attack and knows how to defend against them.

2. Put security measures in place

After you have done this (and only after you have done this), you must put in place appropriate technical and organisational measures to properly protect the personal data, the security of its use and the systems themselves. Unless you have first taken step 1, you cannot judge what the appropriate measures are to control the risks identified. The ICO is clear on that point.

The measures must cover three key areas.

Technology

Technology here means the controls that address the technical risks and vulnerabilities you identified. Examples include encryption of data, multi-factor authentication, access controls, configuration of your email systems, configuration of firewalls, configuration of backups, security of individual devices (including BYOD), remote access arrangements for networks and cloud platforms, ensuring the right alerts are switched on, keeping software up to date, and a whole raft of other things.

It should be noted that the ICO describes Cyber Essentials (and therefore CE Plus which is just an audited version of CE) as a “base” set of controls, and in the Tuckers case, stated that given the nature of the personal data involved, the security should have “surpassed” those basic requirements. This should be a warning for all professional service firms handling confidential data who mistakenly believe that CE certification provides adequate protection.

People

This includes training staff, and building what the ICO calls “a culture of security awareness within your organisation”. And because of point 3 below, you must test/assess the effectiveness of your training. One way of doing this is to undertake simulated phishing attacks.

Governance

Your risk assessment will help to determine exactly what policies you must have, together with the procedures for staff and others to follow, and the systems and arrangements you need in order to check that your organisational controls are, and continue to be, effective (which includes regularly reassessing risks). Some of this will apply to all staff. Some will apply to the individuals within the organisation who have responsibility for security. It can cover anything from password management to incident response arrangements.

3. Test and evaluate

You must have a process for regularly testing, assessing and evaluating the effectiveness of the measures you put in place, which is why compliance with the law is not a one-off test. In this context, the ICO refers to vulnerability scanning as a way to “stress test” technology. Your assurance processes should be independent of your IT support team.

4. Reporting obligations

UK GDPR creates a robust reporting and enforcement regime. Depending on the precise circumstances, it requires incidents to be reported to the ICO (for notifiable breaches, within 72 hours of becoming aware of them) and also to the clients or customers whose data may have been compromised. The ICO can impose very significant fines (and publish the details) on businesses which have failed to comply with their obligations, and the author notes that such fines are not recoverable under insurance policies. In deciding the fine, the ICO will look at what technical and organisational security measures the business had actually put in place. In the Tuckers case, the ICO said that the starting point for the penalty for their negligent security breach was 3.25% of annual turnover. Bear in mind that, in addition to this, individuals affected by a breach are entitled to compensation.

Of course, the greatest cost and damage following a breach is usually in disruption (the average down time in Q1 of 2022 was 26 days but is frequently more); ransom payments (the average ransom payment in 2021 was £628,000 but is frequently more); and the destruction of reputation and client relationships.

5. Document everything

All businesses must be able to demonstrate compliance with all of the above legal obligations, which is why they must have a way of documenting what they have done.

Professional regulatory requirements

All regulators of professional service businesses expect compliance with the law, as well as adherence to separate regulatory responsibilities including the duty to report breaches. Those obligations are not limited to personal data.

In Tuckers, the ICO highlighted certain provisions of the Solicitors Regulation Authority’s Code of Conduct including paragraph 2.1a (the need for effective governance structures, arrangements, systems and controls for compliance with regulation and law); para 2.5 (identify, monitor and manage all material risks to your business); para 3.1 (keep up to date with and follow law and regulation); para 5.2 (safeguard money and assets [including documents] entrusted to you by clients and others); as well as referring to other relevant guidance issued by the SRA. The failure to meet those standards of the Code was regarded as an aggravating factor.

This has implications for other regulated professions. In the context of a breach relating to ICAS members, one can expect the ICO to scrutinise (for example) ICAS Code of Ethics, including 110.1 A1 Fundamental Principle (c) (Professional Competence and Due Care) and related R113 (competent professional service based on current standards and relevant legislation, and maintaining awareness of technology developments); Fundamental Principle (d) (Confidentiality) and related R114 (to take all reasonable steps to preserve confidentiality, and being alert to the possibility of disclosure); Fundamental Principle (e) (Professional Behaviour to comply with relevant laws and regulations and in accordance with professional responsibility) and related R115; ICAS Investigation Regulations 3.1 (duty to report); industry standards of good practice, and all other guidance issued from time to time, including that issued by ICAS, the ICO and NCSC.

There are good reasons for the security obligations imposed under UK GDPR and by professional service regulators, and there are good security reasons to meet them that go beyond mere compliance. Leaders who ignore them are lagging behind and are putting their partners’ and colleagues’ business and financial interests at risk, because a serious cyber breach can have devastating consequences.


About Mitigo:

We have partnered with Mitigo to offer cybersecurity risk management services with exclusive discounts for our Evolve members.

Find out more about Mitigo’s cybersecurity services.

For more information contact them on 0131 564 3131 or email icas@mitigogroup.com


This blog is one of a series of articles from our commercial partners. The views expressed are those of the author and not necessarily those of ICAS.
