
4/13/2014 IT failures and cyber attacks on Middle East companies highlight data risks of outsourcing | Norton Rose Fulbright

http://www.nortonrosefulbright.com/knowledge/publications/111836/it-failures-and-cyber-attacks-on-middle-east-companies-highlight-data-risks-of-outsour 1/2
IT failures and cyber attacks on Middle East companies highlight data risks of outsourcing
Up-to-date contracts and cyber insurance policies can help protect businesses from significant liability
February 2014
Introduction
The US Justice Department's indictment of eight defendants in New York and the arrest of two Dutch nationals in Germany in connection with a sophisticated cyber fraud last year highlighted the far-reaching implications of data breaches for Middle East organisations and the need for careful management of risk in outsourcing projects. The two Middle East banks - National Bank of Ras Al-Khaimah (RAKBANK) and Bank Muscat of Oman - were both victims of an incident that reportedly stemmed from a data security breach at an Indian outsourced service provider. Elsewhere, the UK financial regulator is carrying out an enforcement investigation relating to IT failures at a leading UK bank in June and July 2012, while the same bank suffered a further IT failure on Cyber Monday in December 2013. Another leading UK bank is also investigating similar problems that left its customers unable to use cash machines and debit cards in January this year.
This article considers the potential implications of this type of breach under cyber crime and data privacy laws and solutions for mitigating the risks through contract and insurance.
Cyber crime laws
Cyber crime laws exist to a varying degree in several Middle East jurisdictions. In late 2012, the UAE updated its existing cyber crime law with a number of enhancements aimed at addressing loopholes and confirming that many "real world" offences would be criminal acts if carried out electronically. As a result, the cyber crime legislation in the UAE is one of the most comprehensive in the region.
Of particular relevance to UAE-based companies is the new protection afforded to some personal information online. UAE law criminalises the disclosure of certain electronically-stored information including credit card and bank account details and electronic payment methods, but it remains to be seen how this law will be enforced in practice. Further, the criminalisation of such activities means that offenders may face prosecution by the relevant authorities, but an affected business would still have to bring a civil action to recover any losses it had suffered.
Elsewhere in the GCC, Bahrain and Qatar have draft laws on computer crimes under consideration, while Saudi Arabia and Oman have cyber crimes legislation in place.
In the case of breach by an offshore service provider, the application of the bank's local law may be limited and consideration would need to be given to pursuing the service provider in its own jurisdiction.
Data privacy laws
In common with most Middle East countries, the UAE and Oman do not currently have specific data privacy legislation in place at a national or federal level. For those financial institutions operating in the Dubai International Financial Centre (DIFC) economic free zone, the position is different as the organisation would be subject to the European-style DIFC Data Protection Law. Other obligations on a DIFC regulated entity include specific risk management obligations in relation to outsourcing arrangements contained within the Dubai Financial Services Authority (DFSA) Rulebook.
Notwithstanding the formal regulatory position, it is good practice from a legal and reputational risk management perspective to treat data security as a key risk area for any corporate entity. Companies often process a significant amount of highly confidential information on a daily basis, and that data is collected, used and stored on behalf of employees, clients and customers. Where a third party service provider is involved in any aspect of the data handling process, appropriate measures must be taken to ensure the security and integrity of that data. Failure to do so exposes the organisation to reputational and financial risks in addition to any potential regulatory implications.
Mitigation by contract
It is vital for organisations seeking to outsource any business functions that the contract with the service provider specifies appropriate standards, safeguards and, where necessary, the precise data handling procedures to be implemented by the service provider. It is important that compliance with these contractual obligations is monitored and enforced to ensure that they remain effective throughout the life of the arrangement. Applicable laws may change, businesses will develop and business practices may evolve over time: in each case, the contract must be considered in light of any new data processing practices or requirements.
Compliance and monitoring may take the form of contractual reporting obligations or rights to carry out audits and/or gain access to a vendor's premises, staff or systems. A robust governance model and regular performance reviews can also be useful for helping to ensure that standards are consistently maintained in line with current best practice.
The contract should include appropriate remedies for failure to comply with data privacy and security obligations. These remedies might include service credits or other financial recompense. While monetary remedies may not necessarily mitigate the damage to reputation that an institution could ultimately suffer from a data loss incident, they can be a helpful tool for encouraging a service provider's compliance with contractual procedures and obligations.
Mitigation by insurance
In essence, cyber insurance provides cover for losses and/or liabilities arising out of unauthorised access to, or use of, an organisation's electronic information or the destruction or loss of that information. As an insurance product, cyber cover has been available for a number of years in various forms. It is a complex cover offering a number of different protections. For example, it can include cover for data liability (including personal or corporate data and outsourcing security), business or network interruption (covering losses arising out of a material interruption to an organisation's network following a denial of service attack or network security breach), multimedia liability (covering damages and defence costs incurred in connection with a breach of third party intellectual property or negligence in connection with electronic content) and cyber extortion (covering ransom payments to third parties incurred in resolving a security threat).
Some elements of cyber cover may overlap with an organisation's existing insurance coverage, for example, its Crime and Professional Indemnity cover. However, any such overlap may be restricted and, in particular, it should be noted that business interruption resulting from unauthorised access to, or loss of, data is likely to be excluded. Nevertheless, it is important, before considering what specialist cyber cover is required, for an organisation to understand the nature of its existing cover to combat cyber threats and to then conduct a review of its business requirements to ensure that the cyber cover obtained is the most appropriate for its business.
Where outsourcing is undertaken by an organisation, it will be important to carry out due diligence on the extent of the cyber insurance cover held by the outsourcing company and the number of previous notifications or claims made under the cover, and to monitor the extent of the cover (and the notifications and claims made under it) during regular audits. It may also be the case that an organisation's existing cover provides an element of cover for third party contractors, for example, in relation to data breaches, and so the coverage position should be clarified at the outset before engaging the outsourcing company to ensure that there is no duplication of cover.
