Cyber risk is a major threat to all businesses, irrespective of size, brand or industry. Over recent years, and particularly during the Covid-19 pandemic, the threat of a cyber-attack has increased significantly. There is a growing prevalence of ransomware being deployed across all business types and sectors. With the increased regulation of data on a global basis, and a focus by industry regulators on protecting data, a cyber-attack can and does have a very significant impact on a business, including: immediate operational impact, substantial management time being diverted to deal with the situation, loss of business, reputational damage, and the risk of multiple regulatory investigations and fines. Further, the entitlement of data subjects to compensation where they are affected by a breach of legislation has led to an increased risk of litigation in this area.
As a result, it is imperative that organisations take appropriate steps to become ‘cyber-ready’, putting themselves in a better position to respond to an incident quickly, with an established internal procedure in place and rehearsed. As we explain in this article, the Information Commissioner’s Office (ICO) has an increased expectation that organisations should now anticipate and plan for cyber attacks.
Looking at the risks that arise under GDPR, a data controller is obliged to use ‘appropriate technical and organisational measures’ to secure the personal data held (Articles 5(1)(f) and 32). If the ICO investigates the measures in place and finds they were inadequate it can fine up to £17.5m or 4% of global turnover, whichever is the higher.
Data subjects are entitled to compensation where they suffer loss as a result of a breach of data protection legislation, including for distress and anxiety (Article 82). Accordingly, if a Court finds that the business did not use ‘appropriate technical and organisational measures’, and that this caused data subjects damage which is more than trivial, those data subjects will have a claim. This is a fast-developing area of law in the UK at present.
Impact of ransomware
We have observed a substantial increase in ransomware attacks in recent years. The European Union Agency for Cybersecurity, ENISA, in its 2021 report into the cyber threat landscape described the current climate as ‘the golden era of ransomware’.
Ransomware attacks are never far from the headlines. There have been a number of very high profile incidents in the last year, ranging from high-end jewellers, to oil and gas pipelines, to a country’s whole health system. It is clear that no organisation – no matter how big – is immune from this threat.
We have seen our clients be affected by a range of threat actor groups. Ironically, the well-known prolific cyber groups fall more into the ‘known-entity’ bucket, in terms of their likely modus operandi. Conversely, the proliferation of ‘ransomware-as-a-service’, whereby threat actors allow third parties to use their hacking practices for a fee, has led to a large number of new groups coming to light that are less well known and which therefore can be much more unpredictable.
With financial gain continuing to be the key motivation behind the majority of cyber attacks in the private sector, and the disruption to businesses caused by the Covid-19 pandemic providing an ideal attacking ground, we have seen ransomware attacks increase at a significant rate over the past year. Ransomware is now one of the top forms of attack experienced by our clients, with 31% of our cyber cases last year involving ransomware, a significant increase from previous years.
Attacks typically have a two-pronged approach, with attackers first gaining access to systems and exfiltrating (copying and removing) a significant amount of data, only then to encrypt the data on the systems and demand payment for the decryption key. Often attackers also threaten to publish the stolen data online or on the Dark Web, as a way of adding more pressure to make a payment.
Being as prepared as possible for a cyber attack is critical. Cyber insurance is becoming increasingly difficult to obtain – for certain sectors such as professional services, charity and education it is even more so – and we see this difficulty continuing with certain sectors excluded from cover altogether.
Therefore, it is more important than ever that organisations are prepared and put in place the response model that would commonly be provided by cyber insurers. This comprises having well-rehearsed incident response and business recovery plans in place, and ensuring that IT security is taken seriously, with senior stakeholder involvement and accountability. The consequences for an unprepared organisation can be devastating.
The ICO has recently advised that organisations should establish incident response, disaster recovery and business continuity plans to address the heightened risk of ransomware attacks. The recommendation was made within a broader checklist of actions that businesses can take in anticipation of a ransomware attack on their organisation. That checklist is contained in new guidance the data protection authority has published in relation to ransomware.
The recent fine issued by the ICO against a firm of solicitors who suffered a ransomware attack demonstrates that the ICO’s attitude towards ransomware is shifting. Leniency may have been shown in the past, as businesses suffered with the impacts of the Covid-19 pandemic and ransomware was relatively novel, but the recent fine shows a marked change, with the ICO seemingly less sympathetic to organisations that have been victims of criminal attacks. Ransomware has been around for a few years now, and therefore organisations should anticipate such attacks and be prepared. In that particular case the ICO was critical of what it described as ‘negligent security practices’: for example, the lack of multi-factor authentication and patch management, unencrypted archives, the use of unsupported software, failure to comply with retention periods, and the firm having failed the Cyber Essentials assessment in 2019 without taking steps to resolve the security issues that had been highlighted.
A cyber readiness programme is of crucial importance. This is even more so if a business operates in multiple jurisdictions or processes data cross-border, and particularly so if cyber insurance is not available.
As part of a cyber readiness programme, organisations should look at the following:
- Identify the relevant jurisdictions in which they operate and the data held in each location. Data security incidents continue to be highly globalised affairs, particularly for those multinational organisations with offices all around the world. Nearly 30% of our instructions in the past year have involved at least two jurisdictions (as opposed to being only a ‘domestic’ incident).
- Identify and assess privacy and other industry regulations across jurisdictions. There are prescribed time periods for reporting a cyber incident to the data protection authorities and other relevant bodies. Knowing what you need to report, and when, in each jurisdiction is imperative. An organisation may have an obligation to report a cyber incident not only to the data protection authorities but to other regulators (for example, industry regulators such as the Financial Conduct Authority, the Charity Commission etc). An organisation may also have reporting obligations under other statutory regimes such as the NIS Regulations, which affect businesses that provide critical national infrastructure.
- Consider and assess controller and processor roles for the data processed. There are different reporting obligations depending on the role.
- Identify confidentiality and data protection obligations under standard terms and contracts. A cyber incident may trigger contractual notifications. Contractual terms should be reviewed on a prioritised basis (eg, large customer contracts, contracts with government bodies, sensitive contracts) to check the terms for items relating to confidentiality and data protection.
- Identify the relevant individuals within the business and across jurisdictions that should form the crisis management team to respond to the incident. This includes individuals from: (i) legal; (ii) IT; (iii) HR; (iv) PR; and (v) the C-suite.
- Identify external providers and if possible agree engagement terms up front. This includes: (i) specialist IT forensics; (ii) crisis negotiators; (iii) external specialist cyber lawyers; (iv) external PR; and (v) credit monitoring businesses (where financial data has been compromised).
- Review policies and processes – incident response and business continuity plans. Are plans in place, have they been rehearsed and are they fit for purpose? Do you have a specific cyber response playbook? Is this easily located even if your IT systems are unavailable?
- Consider listing/market announcement requirements. Cyber attacks suffered by listed companies may give rise to market notification obligations.
- Assess engagement with a threat actor ahead of time in the event of a ransomware attack. In the event of a ransomware attack the organisation may wish to engage in discussions with the threat actor and may ultimately choose to make a ransom payment. The decision as to whether to engage with an attacker and/or make a ransom payment is often a complicated one, involving important commercial, ethical and reputational considerations, as well as complex legal and compliance issues. The choice to engage with the threat actor is a business decision. Should it be decided that a ransom should be paid, there are important compliance steps which will need to be put in place before any payment is made in order to ensure that the organisation does not fall foul of any anti-money laundering and/or terrorism funding offences, sanctions, and any other applicable laws. Failure to take the appropriate steps can expose the business and directors to criminal liability. These steps will include undertaking due diligence and making notifications to law enforcement. If there is any link to other jurisdictions, then compliance in those jurisdictions should also be considered. In particular, any links to the US (eg, payment in US dollars or US nationals involved in the decision to engage), means that US compliance must be achieved.
- Consider training requirements for employees. Often employees are the first line of defence. Do employees have adequate training in order to spot the signs of potential malicious activity?
- Consider preparing notification templates to have on the stocks. This may save valuable time in the event of a cyber incident when an organisation is up against the clock.
All of the matters above should feed into a playbook along with a rehearsed desktop exercise across jurisdictions.
How we can help
We are cyber-specialists, with market-leading expertise and a substantial dedicated cyber team. Our cyber lawyers are by pedigree media, technology and data disputes practitioners experienced in dealing with technically complex and high-profile matters.
Our international cyber practice with specialist lawyers operates across the UK, Ireland, France, Germany, Spain, the Netherlands, UAE, South Africa, Singapore, Hong Kong, and Australia. We do not operate globally by putting flags in the ground; we develop cyber offerings in markets we see as significant for the future of our chosen sectors, acquiring high-quality cyber expertise in our key jurisdictions.
We help clients ensure cyber-readiness by working with clients to:
- Prepare an incident playbook.
- Ensure appropriate governance processes.
- Map risks.
- Manage risk in the supply chain.
- Identify regulatory obligations across different jurisdictions.
We provide cyber simulation exercises with our clients in order to run through an evolving response to a security incident, in order to test and challenge business decision making and to emphasise to relevant stakeholders (including board level) the importance of preparation.
We have developed a proprietary cyber readiness product, Cyturion. We use Cyturion to assist clients to develop or augment their cyber response plans. Cyturion helps clients manage their response to a business critical event from the moment of detection. It helps clients triage the incident, mobilise the appropriate team, investigate and respond, and mitigate any negative impacts. It is a response plan in an easy-to-use format, accessed via a secure cloud platform (which is therefore always available, even if the organisation’s IT systems are down).
The Human Cyber Index – This is designed to provide clients with in-depth analysis of their employees’ information and cyber security behaviours, to augment their efforts in mitigating cyber security risk and protecting their organisation. Understanding people’s relationship with engagement campaigns and security controls is the key to unlocking the power of positive security behaviour. By understanding this, clients can design strategies to increase the positive impact of their security controls and engagement campaigns on their people’s behaviour with far more accuracy and effectiveness.