2020 tested the resilience of organisations in ways that were unprecedented and, with further restrictions on movement imposed at the start of the new year, continued disruption seems inevitable for the foreseeable future. For many, continued homeworking – and the challenges that brings – is likely to be an everyday feature of life for some time yet, putting IT resources under pressure and requiring users to deal with unfamiliar software and processes. This is fertile ground for criminal gangs keen to exploit disruption for financial or other gain.
While the pandemic has focused attention on cybercrime, it would be a mistake to see cyber risk purely in Covid-19 terms. All organisations are exposed to cyber risk even in normal times, but that risk increases markedly during periods of disruption and change. Growing reliance on the internet, the spread of cloud-based services and the rising number of internet-enabled devices, machinery and equipment used in business have all widened the attack surface available to cyber criminals.
A growing threat
‘Cybercrime’ is the catch-all term for criminal activity that targets human and technical weaknesses in IT systems, websites, platforms, computers and other networked devices. Common forms include hacking, phishing and the installation of malicious software such as ransomware, which encrypts (and increasingly also steals) an organisation’s data and demands payment for its return or non-publication.
Those behind the crime are often highly sophisticated: organised crime groups and hostile state actors devote significant resources to developing technical capabilities that evolve constantly.
That threat is real, and growing. In the 12 months to August 2020 the UK’s National Cyber Security Centre handled 723 incidents, its highest annual total to date. But these figures cover only reported incidents and are likely the tip of a very large iceberg. All organisations are at risk and should anticipate that, at some point, they will be targeted.
Key legal issues
The legal issues that cybercrime creates for a targeted organisation depend on the nature of the attack and its consequences.
Where personal data is involved, data protection law requires controllers to notify the Information Commissioner’s Office (ICO) of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to the individuals affected, there is a separate obligation to inform them as well. Sector-specific notification requirements can also apply, for example to:
- ‘operators of essential services’ (OESs) in the energy, transport, health and digital infrastructure sectors, and certain ‘relevant digital service providers’ (RDSPs), under the Network and Information Systems Regulations 2018 (NIS Regulations);
- certain telecoms providers, under the Communications Act 2003 and the Privacy and Electronic Communications (EC Directive) Regulations 2003; and
- trust service providers, under the Electronic Identification and Trust Services Regulation (EU) No 910/2014 (eIDAS).
Organisations that handle personal data are also obliged under data protection law to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Additional security obligations apply to OESs and RDSPs under the NIS Regulations.
Fines for non-compliance can be steep: under data protection law, up to the greater of £17.5m or 4% of annual worldwide turnover. In October 2020 the ICO fined British Airways £20m for security failings exposed by a 2018 cyberattack that compromised the payment card details of around 250,000 customers. In the same month, hotel operator Marriott received an £18.4m fine from the ICO for security failings that allowed attackers to compromise the personal data of some 37 million EEA and UK residents.
Claims by those affected by a cyberattack may range from damages for breach of contract or of confidentiality obligations to compensation for breach of data protection law. Having a strategy for handling the fallout is essential, particularly in a high-profile case involving large numbers of claimants, where class action litigation is increasingly prevalent. Fine judgement calls may be required: defending a claim costs money, can cause further reputational damage, and risks further souring relationships with claimants who may also be valuable customers of the business.
Knowing the terms of all relevant contracts – with customers as well as anyone in the supply chain who may be relevant to the circumstances resulting in a claim – is essential. It is worth conducting an audit to identify how contracts might respond to various cyberattack scenarios and where residual risks lie. Are they with the organisation or suppliers/subcontractors? Where does liability rest? Older contracts may not be fit for purpose and need renegotiating – if there is an opportunity to do so – and new contracts and templates need to be carefully scrutinised to make sure they appropriately address the risks. Remember, however, that blaming a supplier or subcontractor is unlikely to be viewed by regulators as a legitimate mitigating factor, so ensure that appropriate oversight is actually exercised over key suppliers/subcontractors to confirm they are performing as they should.
If insurance cover is in place, it is essential to follow the requirements of the policy, which will invariably mean notifying insurers as soon as the circumstances giving rise to a claim are known. Cyber insurance will often also provide access to forensic experts and other professionals to help investigate and mitigate a cyberattack.
Cyber risk is a board-level issue. In this context, the role of in-house counsel is to support the organisation, and in particular those with CISO and DPO responsibilities, in ensuring that the board takes the issue seriously and that appropriate cyber resilience measures are taken to limit legal risk. These will include:
- Know your data – what it is, where it is and who processes it.
- All data is important – don’t just concentrate on, say, financial data to the exclusion of other data. Take a holistic, risk-based approach.
- Understand where your organisation is most vulnerable. Different types of attack will have different impacts. Where weaknesses or vulnerabilities are identified, address them promptly rather than deferring them.
- Check what insurance coverage you have in place and whether it will respond. Knowing specific policy requirements and exclusions is essential. As claims rise, expect insurers to introduce new policy requirements – make sure you can comply with these.
- Establish an incident management team with a practical response plan to mitigate damage and minimise business disruption.
- Speed of response is critical. Consider establishing a panel of external advisers in areas such as legal, IT forensics and reputation management so that they are on hand if needed.
- Test your disaster recovery and business continuity procedures and your incident management plan regularly, using different scenarios and learn from your tests.
- Humans are often the weakest link in information security, so staff must be trained on their security obligations and on the warning signs of cybercrime.
- Internal policies are essential, but the organisation needs to make sure that they translate into processes and procedures that are followed in practice.
- Engage with regulators: organisations may need to defend their position robustly, particularly if a significant fine is a possibility, but should co-operate with regulators wherever possible to mitigate the consequences of an attack.