Out-Law Analysis 5 min. read
25 Jan 2023, 4:29 pm
Being able to show that appropriate cybersecurity measures have been put in place, and having a plan to deal with cyber incidents, can help organisations minimise the impact of incidents when they happen and meet the increasing expectations of regulators.
Amidst an evolving threat landscape, where ransomware risk is particularly prevalent, there is growing recognition in the board room that cybersecurity is a business risk. We are seeing a rise in the number of businesses seeking legal advice on cyber-readiness as a result, with the need to be prepared especially important in an environment where there is a hardening of the cyber insurance market.
Many businesses seeking specialist legal advice on cyber-readiness are from heavily regulated sectors such as financial services, pharmaceuticals and healthcare, energy and critical national infrastructure. Many of these organisations have global operations, offering products and services across multiple jurisdictions, and therefore need to consider privacy laws and other specific industry regulation governed by a different regulator in each jurisdiction of operation. However, cyber-readiness is an issue which all businesses should be considering.
In many cases, businesses are seeking advice on criminal compliance regulation, so that they understand the different considerations should the business decide to engage with cyber criminals with a view to making a payment to regain access to systems and data.
Understanding different regulatory regimes and what compliance steps would be necessary in each jurisdiction is crucial so that a business can make timely notifications, should the need arise. Mapping different requirements for each jurisdiction which might have a link to the payment, as well as the different risk tolerances that exist with different law enforcement agencies – for example, in relation to money-laundering, terrorist financing and payments to sanctioned entities offences – is important for multinational businesses.
Many organisations would benefit from scenario planning and testing exercises to assess which events would make it more or less likely that engagement with cyber criminals would take place, and to understand the timing implications of such engagement.
We are also seeing a considerable increase in the number of businesses seeking proactive discussions with their bank to understand the bank’s tolerance to transferring monies for the purposes of ransom payment, the compliance checks that would be required, and the likely timeframes for making the payment. Many crisis-negotiation service providers require funds to be deposited with them before a ransom payment is made to speed the process.
A tailored cyber response plan and playbook can help organisations understand not just what to do in the event of an incident, but to show regulators that they had taken appropriate steps to adopt a cyber readiness process. As part of a cyber readiness programme, organisations should consider the following recommendations, feed them into a bespoke cyber response playbook, and conduct a rehearsed desktop exercise across jurisdictions to ensure the plans are fit for purpose.
The criticality of business information assets will differ according to sector, industry, and an organisation’s position in the supply chain, among other factors.
For some businesses, for example those in the pharmaceuticals sector, intellectual property (IP) will be critical, with competitive advantage potentially being at risk if IP is compromised and exploited. For others, particularly those in the financial services and retail sectors, customer data is of principal importance. In manufacturing and critical national infrastructure industries, ensuring that operational systems remain secure will be paramount.
All businesses will want to ensure their confidential business operations information remains protected – such as plans for acquisition or divestment, and information relating to litigation or regulatory investigations.
Data security incidents continue to be highly globalised affairs, particularly for those multinational organisations with offices around the world. Nearly 30% of the matters Pinsent Masons’ cyber risk team worked on in 2022 involved at least two jurisdictions.
There are prescribed time periods for reporting personal data breaches to data protection authorities, and for notifying other relevant bodies, such as industry regulators, of other types of cyber incident – for financial services firms in the UK, for example, the Financial Conduct Authority (FCA). An organisation may also have reporting obligations under other statutory regimes, such as the NIS Regulations, which affect businesses that provide critical national infrastructure.
Knowing what you need to report and when in each jurisdiction is imperative.
There are different reporting obligations on organisations depending on whether they are considered controllers or processors of personal data under data protection law.
A cyber incident may trigger contractual notifications. Contractual terms should be reviewed on a prioritised basis – large customer contracts, contracts with government bodies, and sensitive contracts should be reviewed first, for example – to check the terms for items relating to confidentiality and data protection.
Identify the relevant individuals within the business and across jurisdictions that should form an internal crisis management team to lead the organisation’s response to cyber incidents. Individuals from across functions including legal, IT, HR, PR and the board should be included in the team.
Specialist IT forensics firms, crisis negotiators, external specialist cyber lawyers, external PR agencies, and credit monitoring businesses – where financial data has been compromised – can all help businesses manage cyber incidents effectively.
Businesses should have incident response and business continuity plans in place that anticipate cyber incidents impacting their operations. These plans should be rehearsed regularly to ensure they are fit for purpose. A specific cyber response playbook should be developed and be easily accessible to the crisis management team even if IT systems are unavailable.
Companies publicly listed on the financial markets may have obligations to notify cyber attacks they experience.
In the event of a ransomware attack, the organisation may wish to engage in discussions with those behind the incident and may ultimately choose to make a ransom payment. The decision as to whether to engage with an attacker and/or make a ransom payment is often a complicated one, involving important commercial, ethical and reputational considerations, as well as complex legal and compliance issues. The choice to engage is a business decision.
Should an organisation decide to pay a ransom, there are important compliance steps which will need to be put in place before any payment is made. This will ensure that the organisation does not fall foul of any anti-money laundering and/or terrorism funding offences, sanctions, and any other applicable laws. Failure to take the appropriate steps can expose the business and directors to criminal and civil liability.
Steps will include undertaking due diligence and making notifications to law enforcement. If there is any link to other jurisdictions, then compliance in those jurisdictions should also be considered – in particular, any links to the US, such as where the payment is to be made in US dollars or US nationals are involved in the decision to engage, will require that US compliance is achieved.
Often, employees are the first line of defence. Thought should be given as to whether employees have adequate training to spot the signs of potential malicious activity.
Having ready access to notification templates could save organisations valuable time in the event of a cyber incident when strict notification deadlines apply.