Improve your readiness for a high impact cyber incident
15 November 2022
Every business is vulnerable to a cyber breach, and the way companies prepare and respond is critical. Small lapses in security can result in large data incidents. John Macpherson, Ashurst Risk Advisory's head of cyber advisory and international security expert; Rhiannon Webster, Ashurst's UK head of data protection and cyber security; Jon Gale, a dispute resolution partner with experience of handling major cyber-attacks and data breaches and related litigation, and Will Chalk, a partner specialising in corporate governance, share their 5 recommendations all executive teams and boards should take to maximise their chances of rapid recovery in the event of a worst case scenario.
You need to understand what data you have and why you have it. Webster comments: "In companies subject to the GDPR, the data storage limitation principle obliges businesses processing personal data to justify how long data is being kept and to delete it when it is no longer necessary." Many of the recent public breaches have exposed companies for having historic data with no justifiable need. Macpherson adds: "Doing an exercise now so that you really understand how data moves through your systems and whether you are holding onto data that you don’t need, can save you days or even weeks of investigations in the event of a cyberattack."
Chalk advises: "Leadership teams and boards need to simulate a variety of crisis scenarios. Decisions will need to be made in a highly stressed environment where the difference in delaying by 30 minutes could have huge consequences." MacPherson adds: "often these are decisions which are made without the luxury of adequate time to investigate and assess the situation so you're operating in an information vacuum. Building muscle memory for dealing with these high impact events and decisions can prove invaluable."
Businesses often consider in advance whether they would pay a ransom if they were subject to a ransomware attack.
Gale adds: "We are often asked whether it is illegal to pay a ransom in the UK. The short answer is no. It is legal to pay a ransom in the UK provided that the payment does not amount to either a breach of sanctions or terrorist financing and appropriate due diligence is therefore critical. The legal position is however only one consideration in making the decision to pay a ransom, you will also need to consider the ethical, reputational and commercial consequences of making a decision to pay". MacPherson shares his experience that: "hackers are very good at encrypting your data but they are not so good at unencrypting it".
Being compliant doesn’t mean you are secure, advises Macpherson: "Companies need to take a risk based approach and consider their own risk profile when making decisions such as the amount to invest in cybersecurity and whether to purchase cyber insurance. Cyber insurance costs are on the increase and obtaining insurance now means handing over a lot of details about your systems and processes. This in itself presents a risk as insurance companies themselves are increasingly being targeted by criminals."
Whether it is with customers, shareholders, regulators, or the market, there are various stakeholders and third parties with whom you are either obliged or will need to communicate with during a data breach. Webster comments "that you are often juggling legal obligations and ticking regulatory timelines whilst still undertaking investigations to establish what data has been impacted". Macpherson advises: "One of the abiding lessons from the latest breaches is that companies need to get comfortable with communicating uncertainty with more clarity. You may need to manage customer expectations: they may think companies will be able to tell them exactly what has happened very quickly with high levels of confidence, but in reality, it can often take weeks to get any degree of certainty".
The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
Readers should take legal advice before applying it to specific issues or transactions.