Data trends 2024
Chapter 3: Preparing for the cyber risks of today, and tomorrow
By Richard Bird, Claudia Chan, Brock Dahl, Tochukwu Egenti, Beth George, Adam Gillert, Megan M. Kayo, Philip Kroner, David Mendel, Rhodri Thomas and Christoph Werkmeister
IN BRIEF
Companies confront an ever-evolving risk landscape when it comes to global cybersecurity threats. In this chapter, our cybersecurity specialists outline two major risks that businesses need to be increasingly aware of: firstly ransomware, which is an ever-growing global scourge; and secondly insider threats, which should be high on any company’s cyber risk awareness, but are often overlooked (until it is too late). We outline:
how regulators and governments around the world have placed new reporting obligations on companies;
the risks of paying ransoms;
actions companies can take that may make a huge difference to their ability to respond to an attack;
how companies can tackle those threats by establishing robust procedural controls; and
the latest information on the regulatory and claims risk faced by organisations that succumb to such threats.
Ransomware, a particularly pernicious threat, has grown unabated. Ransomware actors have continued to pursue private companies and individuals relentlessly.
(Source: Cybersecurity Ventures, CyberCrime Magazine)
In the US, regulators are taking a more aggressive approach to compulsory reporting. For example:
Unlike many other regulations, the SEC’s reporting rules require public reporting of a cybersecurity incident in the days following its discovery, rather than confidential reporting. This new requirement will force companies to think through reputational issues on a tight timeline and increase pressure to provide more detailed information sooner than most companies may be prepared to share.
Beth George
Partner
(Source: Wired Magazine)
When an attack occurs, several preparatory factors can make a crucial difference to the company’s ability to respond:
Independent of the operational facets of a ransomware attack, paying ransoms always carries certain legal risks for which companies must be prepared to establish procedural controls.
In particular, many jurisdictions have sanctions regimes that prohibit economic commerce with certain specified actors. In the US and UK, it is a strict liability criminal offence to make payments to sanctioned individuals. This means that the liability attaches regardless of whether a company actually knew the actor was sanctioned. EU sanctions may be similar in many regards to US and UK sanctions but can also be more or less extensive for individual groups or persons. Regulators are becoming more proactive with sanctions designations, so the risk of committing a sanctions offence is more than just theoretical. For example, in early 2023 individuals connected with Trickbot (a Russian ransomware group) received sanctions designations in both the UK and US.
Companies sometimes seek to mitigate sanctions risks associated with paying ransoms by performing sanctions checks through outside counsel for relevant jurisdictions, working with ransom negotiators offering thorough vetting and market intelligence on threat actors, and liaising with law enforcement and other authorities.
Rhodri Thomas
Partner
While organisations should always be wary of the threat of malicious hackers, it is important not to underestimate the risk of insider threats to personal data. In particular, we continue to see:
Once again, there are steps that can be taken to mitigate these risks. For example, organisations can:
Employee training is an essential component in helping to prevent cyber incidents. When it comes to disgruntled employees, the recent changes in whistle-blower rules and protections in the EU add a layer of complexity to how these incidents must be addressed.
David Mendel
Partner
The damage suffered by companies affected by a cybersecurity incident is not always immediate; further harm often follows the incident itself. If employee, customer, or other sensitive data is lost, authorities regularly initiate proceedings for privacy violations, which may grow into full-scale audits (including onsite audits) of the entire organisation.
In the EU and UK, for example, these proceedings can result in substantial fines where there have been inadequate protective measures against cyber breaches. This reflects the fact that many regulators have developed their own cyber and data privacy expertise in recent years.
While the highest fines issued by EU regulators tend to concern data privacy violations that are not related to cyber attacks, many European data protection authorities are no less proactive (and in some cases, more proactive) than the UK’s ICO in pursuing enforcement action against organisations that suffer cyber attacks.
Once the security risk has been contained and systems have been secured, an organisation’s focus quickly turns to managing regulatory engagement and mitigating legal risks. In-house counsel invariably have a critical role to play here.
Brock Dahl
Partner
At the beginning of 2023, the UK ICO started publicising information about the complaints and concerns brought to its attention and the reprimands it had issued, possibly providing more fuel for claimant law firms seeking non-compliant organisations to target. As part of this new approach, the ICO has also pledged to ‘do more’ to publicise cases so that there is wider learning.
In the US, litigation risk originates from multiple potential sources. The Federal Trade Commission (at the federal level) and state Attorneys General typically have authority to bring various categories of actions related to breaches. The SEC is also expected to increase its inquiries and potential actions in light of new cybersecurity rules that come into effect in December 2023. Finally, private litigants of various stripes have the ability to bring actions against a company, whether because their personal data is directly affected by the breach (under certain regimes), or as interested shareholders via securities class and derivative actions.
The cyber risk landscape will continue to evolve, particularly in light of emerging risks associated with AI and quantum computing. Regulatory frameworks that cover cybersecurity are also likely to develop in the coming years, though perhaps not at the same pace.
There is undoubtedly a correlation between the extent to which an organisation prepares for cyber attacks and the harm (operational, financial, and legal) caused by an incident. The most effective preparation often involves co-ordination of internal stakeholders, refreshing incident response plans, testing crisis management processes with simulated attacks, and a good understanding (and mapping) of critical assets and data.