Irish firms neglect cyber security legal requirements

Cyber risk study conducted by Red C for A&L Goodbody find most firms not fulfilling basic requirements

Irish businesses are leaving themselves open to possible litigation and fines by not fulfilling basic legal requirements, a cyber risk study has found.

The study, conducted by Red C for A&L Goodbody, found a significant majority of companies are not fulfilling basic legal requirements when it comes to cyber security.

Some 65 per cent of survey respondents had no written cyber security policies in place, and 59 per cent had provided no training to employees on what to do in the event of a cyber attack.

Cyber attack

The survey found that one in four company boards had not been briefed on their businesses’ legal obligations and the mechanisms that were in place, if any, to deal with a cyber attack, while 28 per cent of company boards had not considered the possibility of a cyber-security attack.


Half of companies surveyed said their data is stored by a third party off-site, and within this group, 44 per cent said they didn’t know their supplier’s cyber security attack policy.

Less than a third (27 per cent) of companies surveyed said they were fully prepared to deal with an attack and, when prompted, 63 per cent cited a lack of awareness of their company’s legal obligations as their biggest challenge.

John Whelan, head of A&L Goodbody's international technology practice, said boards and senior management must have policies in place to protect their business should a cyber incident occur. "As cyber risk becomes more sophisticated, and more prevalent, businesses are exposed to increasing risk to their reputation and their bottom line," he said.


Mr Whelan said the survey shows that while many businesses are aware of their exposure they are not fully prepared for it. “Twelve months ago there was a lack of awareness among companies [on the subject of internet security]. Now there is a lack of preparedness. The law isn’t clear to people.”

He said companies are getting technically ready for cyber attacks, but not legally ready.

“There is no stigma about being the subject of a cyber attack. It’s all how you respond to it. The companies that come out the best, have handled it the best.”

Meanwhile, the Central Bank of Ireland is said to be reviewing the cyber security policies and procedures of asset managers, amid fears the investment industry has been slow to tackle the threat of cyber crime. Teams from the bank have begun to carry out on-site inspections at a number of fund managers, investment firms and stockbrokers.