What are the biggest challenges facing GCs from a cyber risk perspective right now?
There are two primary risks. It’s quite clear from recent guidance from the Information Commissioner’s Office (ICO) and other organisations that ransomware is prevalent. Therefore, businesses should be preparing their playbook and their response process, so that they have them ready for when any attack might happen. Indications are that the ICO and other regulators are going to be tougher in relation to cyber incidents; whereas before they may have regarded the attacked organisation as a victim, now, because cybercrime is so prevalent, they’re saying that businesses need to be ready. Some recent ICO decisions have not been favourable to victim organisations, so it’s important for GCs to be ready.
Second is appreciating the risks of data subject claims. There is an entitlement to compensation by data subjects if they, individually, suffer damage as the result of an attack. So, we’re seeing a significant increase in the number of claims being brought following a cyber incident where the data subjects are alleging that they have suffered some loss which should then be compensated. That is a real risk.
What do you mean by cyber ready? How can businesses become cyber ready?
Having a plan, effectively. If you have the benefit of insurance, it brings two things: it brings the indemnity, so you get the cover financially, but you also get the benefit of the experts that are deployed in response. For example, you have the IT forensic team, the legal team and you have the PR and communications team to manage the reputational aspects. Also, you have the crisis negotiation team if you decide to engage with a threat actor to assess whether to pay a ransom. Plus, you have organisations that can help with sending out notifications, dealing with help desk queries, and for monitoring purposes. All of that is in place if you have cyber insurance. If you don’t have cyber cover, and want to be well prepared, then putting similar plans in place to cover the necessary response is important.
Has anything changed over the last year? If so, what?
Ransomware is becoming more prolific, especially with the pandemic over the last two years. The other thing is the Ukraine and Russia crisis. Many of the ransomware groups are based in Russia and act at a geopolitical level sometimes. While we have not noted a general increase of cyber attacks following the crisis, we are monitoring the position carefully.
How has the risk changed during and post-pandemic in relation to home and hybrid working?
Quite significantly because the whole IT estate of organisations is now devolved across thousands of home working areas. We have found that with working from home people are slightly more relaxed about IT security, for example, they don’t necessarily log off at the end of each night but keep their laptop on, meaning that they’re constantly connected to the internet. With that, there’s always an increased risk. If you shut down and re-start your laptop each morning any IT security updates will automatically be applied; not doing so creates vulnerabilities. Even though these may have been patched at a central level, the patches may not have been updated on particular end-user devices which leads to increased exposure.
How proactive (rather than defensive) do you think in-house teams should be when looking at cyber issues? Does it depend on the sector they are in?
Cyber is basically sector agnostic, although there are a few sectors slightly more at risk, such as financial services and critical national infrastructure – but often those businesses have the biggest budgets to pay for protection.
A couple of years ago cyber policies were led by the IT team. In our view they should now be led or heavily influenced by legal. Cyber is not an IT risk, it’s a business risk, with the possibility for things to escalate very quickly, such that suddenly the business finds itself making very significant decisions regarding notifications (to regulators and data subjects), reputation management strategies and, importantly, whether to engage with a threat actor in relation to a ransom payment. These are business decisions, requiring careful governance and decision-recording, and will necessarily be taken at senior levels. One thing that lawyers should consider is always having one eye on potential future litigation; they should always take steps immediately to protect privilege. For example, if you bring in IT forensic experts to undertake a review, they may produce a report which is harmful. It may indicate that the IT systems contained known vulnerabilities – that is potentially a very harmful document if you have to disclose it. Also, if you decide you want to engage with a threat actor, there are significant criminal compliance checks and obligations that you need to follow.
How are criminal compliance checks carried out for anonymous hackers?
It does sound a bit obtuse to say the least. You will, however, have some data points that can be used for the purposes of compliance checks. You will have an email address, or a dark web chatroom address for the attacker, and your experts may be able to identify which threat actor group is responsible, and there may be known intelligence on that particular attack group. You will also have the bitcoin wallet address into which the ransom payment is to be made. Then you have the police and the National Cyber Security Centre (NCSC) who can investigate and provide greater intelligence. All of these data points should be checked against intelligence to identify any compliance red flags. It is important that this is undertaken (and attested) by a suitable organisation.
What do you think are the biggest mistakes GCs can make when looking at their cyber risk?
First, thinking that it is an IT or data protection officer (DPO) issue, which it is not. It is a much wider business issue. Also, organisations may make the mistake of having a policy that states that the business will not engage with any threat actor; whereas in our view any such policy should be more flexible. Further, they may not appreciate that it is important to have very strong legal governance across the whole response.
What are your top tips for in-house teams trying to grapple with cyber issues?
Know the specific obligations under UK GDPR; you must notify the ICO within 72 hours of becoming aware of a personal data breach except in some limited circumstances. You must notify individuals if you consider that they are at high risk, without undue delay. Know the thresholds for notification in all the affected jurisdictions (cyber incidents commonly affect data across jurisdictions) and for all the regulatory regimes that apply to the business, like the FCA or Ofgem. Know and appoint the internal response team and set out their roles, know the experts that you would want to bring in and recognise the implications of privilege. And rehearse how you would respond.
In a worst-case scenario, what happens?
The role of in-house lawyers is first to find good lawyers; it’s not the day job of in-house lawyers to deal with this kind of thing. The in-house lawyer will be managing matters internally and reporting up. We, the hired counsel, will be fact finding, and we would instruct IT experts so that we can get them to come in and investigate what’s happened. Investigations would include: How did the attacker get in? What was his footprint when he was in the systems? Is he still in? Did he take anything? Has he copied and removed data (exfiltration)? Has he applied malware? So, we’re doing that fact finding and then finding out whether the ICO or data subjects need to be informed and what other regulatory action is required. We’re also seeking to manage the reputational impact of the incident. It’s important to note that the implications of an incident can continue long after the initial containment, dealing with regulatory investigations and claims.
Talk me through the different scenarios that can happen when dealing with the ICO.
In the event of a personal data breach, it is highly likely that you will be obliged to notify the ICO. If you don’t do so, and the ICO finds out, you are likely to be reprimanded for that and further action may follow. They may take issue if they feel that you haven’t made appropriate notifications to data subjects and, ultimately, if they investigate the matter, they will be assessing whether the business took ‘appropriate technical and organisational measures’ to secure personal data (in line with UK GDPR Article 32). If they find that you didn’t, then they can levy a fine and that fine can be up to £17.5m or 4% of global turnover (although we are not seeing fines anything like this).
If they really think that you shouldn’t be processing data because you’re not meeting the obligations of UK GDPR, they can force you to take steps or force you to stop processing data. Or, in a worst-case scenario, they could do a dawn raid and seek to prosecute you. That’s doomsday.
Have there been any regulatory changes over the last year or are there any big ones coming up? What’s important about them and what do companies need to do to prepare?
No, we had Brexit, we have UK GDPR and EU GDPR, but they are the same for now. There are a lot of items being considered – new guidance for dealing with cyber-attacks, new Network and Information Systems Regulations proposals and an international task force looking at whether more needs to be done to prevent the payment of ransoms and whether it should be made unlawful. The US is tightening up significantly on ransom payments, as is the Netherlands. There is the potential for regulation to be brought in to try and prevent ransom payments altogether.
We have seen some big cyber breaches in recent years on high-profile targets like the Colonial Pipeline in the US and the NHS in the UK. What lessons should GCs take away from these?
Cyber can be an existential issue for a company – it’s not just an IT issue and it requires a cross-discipline response and senior business leader input. If there is an encryption attack, then the whole business may not be able to work. For example, the WannaCry attack which impacted the NHS took down many NHS Trusts’ IT systems for several days. Similarly, the NotPetya attack also affected a large number of global businesses. The impact on Maersk, in particular, was very well publicised. For three weeks they didn’t have any IT systems. Imagine that. It’s a huge impact on a company’s ability to do business and it has massive reputational implications as well as significant financial implications.
What else can help GCs in the fight against cybercrime?
Pinsent Masons has launched Cyturion (pinsentmasons.com/solutions/cyturion), a tool that enables businesses to build, host and rehearse a cyber incident response plan.