
Data trends 2024

Chapter 3: Preparing for the cyber risks of today, and tomorrow

By Richard Bird, Claudia Chan, Brock Dahl, Tochukwu Egenti, Beth George, Adam Gillert, Megan M. Kayo, Philip Kroner, David Mendel, Rhodri Thomas and Christoph Werkmeister

IN BRIEF

Companies confront an ever-evolving risk landscape when it comes to global cybersecurity threats. In this chapter, our cybersecurity specialists outline two major risks that businesses need to be increasingly aware of: firstly ransomware, which is an ever-growing global scourge; and secondly insider threats, which should be high on any company’s cyber risk awareness, but are often overlooked (until it is too late). We outline:

  • how regulators and governments around the world have placed new reporting obligations on companies;

  • the risks of paying ransoms;

  • actions companies can take that may make a huge difference to their ability to respond to an attack;

  • how companies can tackle those threats by establishing robust procedural controls; and

  • the latest information on the regulatory and claims risk faced by organisations that succumb to such threats.

Increase in ransomware attacks and developing regulatory response

Ransomware, a particularly pernicious threat, has grown unabated. Ransomware actors have continued to pursue private companies and individuals relentlessly.

Infographic: By some estimates, there has been a 30% growth in ransomware-related damages year over year for the past decade.

(Source: Cybersecurity Ventures, CyberCrime Magazine)

In the US, regulators are taking a more aggressive approach to compulsory reporting. For example:

  • In the summer of 2023, the Securities and Exchange Commission (SEC) released rules that require registrants, including foreign private issuers under certain circumstances, to report cybersecurity incidents within four days of making a determination that such incidents are material under US securities law.
  • Similarly, the US Department of Homeland Security will be releasing regulations in 2024 requiring covered critical infrastructure entities to report covered incidents within 72 hours of their occurrence (whether or not they are deemed material).
  • In the EU and UK, companies must report personal data breaches without undue delay, and usually within 72 hours, to the relevant data protection authority.
  • In the EU and UK, operators of essential services and relevant digital service providers must notify the applicable competent authority of a relevant cyber incident without undue delay, and within 72 hours. Similar reporting obligations exist for other regulated companies (eg, those in the financial sector). Both the EU and UK are implementing reforms which will soon expand the scope of businesses caught by such requirements (such as to managed IT service providers).

Unlike many other regulations, the SEC’s reporting rules require public reporting of a cybersecurity incident in the days following its discovery, rather than confidential reporting. This new requirement will force companies to think through reputational issues on a tight timeline and increase pressure to provide more detailed information sooner than most companies may be prepared to share.

Beth George
Partner

Preparation is key

Infographic: Ransomware payments during the first six months of 2023 have reportedly already almost equalled the whole of 2022.

(Source: Wired Magazine)

When an attack occurs, several preparatory factors can make a crucial difference to the company’s ability to respond to an attack:

  • Backup and recovery capabilities. Sufficient data backups can ensure that offline copies are readily available to restore company operations to sufficient operating capacity notwithstanding the loss of access.
  • Data and system mapping. Companies that have mapped data and system infrastructure are in a strong position to assess the potential implications of an attack and understand what their options may be given those implications.
  • Sufficient logging and monitoring. Once an attack occurs, visibility into the affected systems can make a crucial difference to how confidently a company can say which information was impacted. Logging and monitoring give incident response experts the visibility they need to assess implications and options.

Whether to pay ransoms

Independent of the operational facets of a ransomware attack, paying ransoms always carries certain legal risks for which companies must be prepared to establish procedural controls.

In particular, many jurisdictions have sanctions regimes that prohibit economic commerce with certain specified actors. In the US and UK, it is a strict liability criminal offence to make payments to sanctioned individuals. This means that the liability attaches regardless of whether a company actually knew the actor was sanctioned. EU sanctions may be similar in many regards to US and UK sanctions but can also be more or less extensive for individual groups or persons. Regulators are becoming more proactive with sanctions designations, so the risk of committing a sanctions offence is more than just theoretical. For example, in early 2023 individuals connected with Trickbot (a Russian ransomware group) received sanctions designations in both the UK and US.

Companies sometimes seek to mitigate sanctions risks associated with paying ransoms by performing sanctions checks through outside counsel for relevant jurisdictions, working with ransom negotiators offering thorough vetting and market intelligence on threat actors, and liaising with law enforcement and other authorities.

Rhodri Thomas
Partner

Insider threats

While organisations should always be wary of the threat of malicious hackers, it is important not to underestimate the risk of insider threats to personal data. In particular, we continue to see:

  • Disgruntled employees, who consider themselves whistle-blowers, leak information about their employers to third parties.
  • Individuals who make it their moral duty to alert the public to how allegedly insecure their organisation’s systems are, and inadvertently cause a personal data breach in the process.
  • Simple human error (eg, clicking on phishing links or attaching the wrong documents in emails to external contacts).

Once again, there are steps that can be taken to mitigate these risks. For example, organisations can:

  • Monitor for any surge or irregular patterns that might indicate employees exfiltrating data via email or otherwise.
  • Restrict access to the most sensitive data.
  • Place limits on how much data individuals can send externally without relevant approvals.
  • Implement regular training on privacy and cybersecurity obligations. While this might not stop insiders that are determined to exfiltrate personal data, it might reduce the occurrence of human error and assist with manual detection.
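The first and third controls above (watching for surges in outbound email and capping what one person can send externally without approval) can be turned into a simple, testable check. The following is an added example, not code from the chapter or its authors: it runs over a handful of constructed mail-gateway log lines (timestamp, sender, recipient, attachment bytes), builds each sender's median daily volume to external domains, and flags days that exceed a multiple of that baseline as well as individual messages over a per-message size limit. The log format, the `corp.example` domain, the 5x surge factor and the 2 MB limit are all assumptions chosen for the illustration.

```python
"""Added example (not from the Data trends chapter): a small detector for outbound
email volume surges and oversized external attachments, per sender, run over
constructed mail-gateway log lines. Field layout and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log lines (not real data):
# <ISO timestamp> <sender> <recipient> <attachment bytes>
SAMPLE_LOG = """\
2024-01-08T09:12:04 alice@corp.example bob@partner.example 120000
2024-01-08T14:30:11 alice@corp.example bob@partner.example 95000
2024-01-09T10:02:45 alice@corp.example carol@partner.example 110000
2024-01-10T11:45:09 alice@corp.example bob@partner.example 130000
2024-01-11T08:55:21 alice@corp.example dave@corp.example 4000000
2024-01-11T09:15:00 alice@corp.example bob@partner.example 100000
2024-01-12T17:58:33 alice@corp.example alice.home@webmail.example 2500000
2024-01-12T18:02:10 alice@corp.example alice.home@webmail.example 3100000
2024-01-12T18:05:47 alice@corp.example alice.home@webmail.example 2900000
"""

INTERNAL_DOMAIN = "corp.example"      # assumed: mail to this domain is not "external"
SURGE_FACTOR = 5.0                    # assumed: flag a day above 5x the sender's median daily volume
PER_MESSAGE_LIMIT = 2_000_000         # assumed: a single external attachment above 2 MB needs approval


def parse_log(text):
    """Return (date, sender, recipient, size) tuples for external recipients only."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sender, recipient, size = line.split()
        if recipient.rsplit("@", 1)[1] == INTERNAL_DOMAIN:
            continue  # internal mail is out of scope for this exfiltration check
        rows.append((datetime.fromisoformat(ts).date(), sender, recipient, int(size)))
    return rows


def daily_volumes(rows):
    """Map sender -> {date: total external bytes sent that day}."""
    vol = defaultdict(lambda: defaultdict(int))
    for day, sender, _recipient, size in rows:
        vol[sender][day] += size
    return vol


def detect_surges(rows, factor=SURGE_FACTOR):
    """Flag days on which a sender's external volume exceeds factor x their median daily volume.
    The median is robust to the surge day itself; at least three days of history are required
    so that a single busy day cannot define the baseline."""
    findings = []
    for sender, per_day in daily_volumes(rows).items():
        if len(per_day) < 3:
            continue
        baseline = median(per_day.values())
        for day, total in sorted(per_day.items()):
            if total > factor * baseline:
                findings.append((sender, day.isoformat(), total, baseline))
    return findings


def detect_oversized(rows, limit=PER_MESSAGE_LIMIT):
    """Flag single external messages whose attachment exceeds the approval limit."""
    return [(sender, recipient, size)
            for _day, sender, recipient, size in rows if size > limit]


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for sender, day, total, baseline in detect_surges(rows):
        print(f"SURGE  {sender} on {day}: {total} bytes vs median {baseline}")
    for sender, recipient, size in detect_oversized(rows):
        print(f"LIMIT  {sender} -> {recipient}: {size} bytes")
```

In the constructed data the 4 MB internal message on 11 January is ignored, the three evening messages to a personal webmail address on 12 January trip both checks, and the ordinary partner correspondence is untouched. In practice the baseline would be computed over a longer window and the thresholds tuned per role, but the two-signal structure (daily volume versus the sender's own history, plus a hard per-message cap) is what the list above describes.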

Employee training is an essential component in helping to prevent cyber incidents. When it comes to disgruntled employees, the recent changes in whistle-blower rules and protections in the EU add a layer of complexity to how these incidents must be addressed.

David Mendel
Partner

Development in fine sizes and increased litigation risk

The damage suffered by companies affected by a cybersecurity incident is not always immediate. Often, the looming damage goes beyond the incident. If employee, customer, or other sensitive data is lost, authorities regularly initiate proceedings for privacy violations, which may grow to full-scale audits—even onsite—of the entire organisation.

In the EU and UK, for example, these proceedings can result in substantial fines where there have been inadequate protective measures against cyber breaches. This reflects the fact that many regulators have developed their own cyber and data privacy expertise in recent years.

Infographic: In the UK four of the top seven largest GDPR fines

While the highest fines issued by EU regulators tend to concern data privacy violations that are not related to cyber attacks, many European data protection authorities are no less proactive (and in some cases, more proactive) than the UK’s ICO in pursuing enforcement action against organisations that suffer cyber attacks.

Once the security risk has been contained and systems have been secured, an organisation’s focus quickly turns to managing regulatory engagement and mitigating legal risks. In-house counsel invariably have a critical role to play here.

Brock Dahl
Partner

At the beginning of 2023, the UK ICO started publicising information regarding various complaints and concerns brought to its attention and reprimands it had issued, possibly providing more fuel for claimant law firms to find non-compliant organisations to target. As part of a new approach the ICO has also pledged to ‘do more’ to publicise cases so that there is wider learning.

In the US, litigation risk originates from multiple potential sources. The Federal Trade Commission (at the federal level) and state Attorneys General typically have authority to bring various categories of actions related to breaches. The SEC is also expected to increase its inquiries and potential actions in light of new cybersecurity rules that come into effect in December 2023. Finally, private litigants of various stripes have the ability to bring actions against a company, whether because their personal data is directly affected by the breach (under certain regimes), or as interested shareholders via securities class and derivative actions.

Looking ahead

The cyber risk landscape will continue to evolve, particularly in light of emerging risks associated with AI and quantum computing. Regulatory frameworks that cover cybersecurity are also likely to develop in the coming years, though perhaps not at the same pace.

There is undoubtedly a correlation between the extent to which an organisation prepares for cyber attacks and the harm (operational, financial, and legal) caused by an incident. The most effective preparation often involves co-ordination of internal stakeholders, refreshing incident response plans, testing crisis management processes with simulated attacks, and a good understanding (and mapping) of critical assets and data.
