Partner Hermès Marangos examines the recent ransomware cyber attacks and outlines why the challenges faced are global as the relevant policy and legal frameworks vary by jurisdiction, in Commercial Dispute Resolution.
Hermès’ article was published in CDR, 29 August 2017, and can be found here.
Cybersecurity is a pivotal issue for business. In the wake of the recent ransomware cyber-attacks – WannaCry and Petya – which affected multiple organisations across the world, it has manifestly become more than just an IT problem. Cybersecurity challenges are global as the relevant policy and legal frameworks vary by jurisdiction.
Involving the compliance, audit, legal and risk functions of their companies, main board directors are belatedly acknowledging the scale of those challenges and starting to commit greater resources to combat the problem. Beyond the interruption and potential damage to their business, they realise that failure to act properly may also significantly increase the risk of regulatory fines, negligence, breach of privacy, and breach of contracts with consequent litigation (including in relation to consultancy obligations, supply contracts, business interruption, consequential losses and of course insurance). There are potential issues of financial institutions incurring costs due to the breaches of other entities, which will consider action resulting in directors and officers being exposed.
In March 2017, immediately prior to the attacks, the UK’s Institute of Directors (IoD) warned that a “worrying” number of UK businesses were without any plan to respond to a cyber attack, while only 56% of survey respondents confirmed that they had a formal cybersecurity strategy in place.
US companies affected by recent cyber-attacks prior to WannaCry and Petya include food provider Mondelez, pharmaceutical giant Merck, as well as advertising agency WPP. In each case, the viruses in question froze computers until a Bitcoin ransom was paid.
Worryingly, the latest quarterly report from Kaspersky Labs, published in August, concludes that “in the case of WannaCry, its rapid global spread and high profile put a spotlight on the attackers’ Bitcoin ransom account and made it hard for them to cash out. This suggests that the real aim of the WannaCry attack was data destruction.”
Given this trend toward disruption rather than monetary gain, the report also predicts that we should expect more hacks, and that while attacks of this nature can cause immense financial harm, damage at scale for its own sake may be even more destructive.
To manage the potential risk exposure, an informed strategy is essential requiring adequate resources for mandatory employee training and data security audits. Insufficiently skilled or inadequately trained staff have been identified by the Financial Conduct Authority (FCA) as posing the greatest cyber security risks in the UK.
Failure to spot an attack can have serious widespread consequences. So too can the actions of a rogue employee. Although cyber attacks are caused by outsiders, they are also a symptom of inadequate internal structures to protect information kept electronically.
A prominent example is private healthcare firm Bupa, which recently suffered a data breach as a result of an employee inappropriately copying and removing customer information.
Affecting around 108,000 international health insurance policies, the data taken included “names, dates of birth, nationalities, and some contact and administrative details including Bupa insurance membership numbers,” according to the company. However, medical data, healthcare histories and financial information were not compromised.
Such breaches of privacy are becoming increasingly common with many remaining unpublicised, and sometimes unknown to the targeted company. The US-headquartered Association of Corporate Counsel’s (ACC) State of Cybersecurity Report found that, among US companies, most data breaches were the result of employee error, rather than hacking.
UK legislation exists in the shape of the Data Protection Act to avoid destruction of data, which will be mirrored in the future by comparable European Union provision obligations. However, EU and US authorities differ on data privacy, following the successful challenge in the European courts to the Safe Harbour agreement regarding transatlantic data transfer, later replaced by the EU-US Privacy Shield agreement.
Nevertheless, Bupa-like failures are equally common on both sides of the Atlantic, and indifference to the problem in the UK is confirmed by the IoD report findings: most companies are still negligent when it comes to personal data.
This attitude, should it continue, may result in a spike of claims against directors and consultants with potential group actions being brought by customers of organisations which hold detailed information on consumers, such as banks, hospitals, insurers, or major retailers. This would be in addition to insurers and those providing performance guarantees for business interruption due to attacks, or loss of data.
The British Airways worldwide IT debacle is a different manifestation of the problem. Experts have cast doubt on the airline’s claim that the cause of its outage was not due to an IT shutdown or linked to outsourcing of IT jobs to India, but was instead due to an ‘uncontrolled return of power’.
Whatever the limitations on customer liability afforded to airlines by the Warsaw and Montreal conventions, a catastrophic IT systems failure cannot exonerate those responsible for other exposures – if in fact there is a fundamental breach of obligations to maintain the integrity of cyber and back-up systems. Insurers will not be impressed. More significantly, neither will any judge hearing defences of “extraordinary circumstances which could not be avoided” or similar explanations.
Although regulation is increasing, the principal focus for business is managing and mitigating risk at every level: having the right risk management and insurance to cover every relevant possibility. From an insurer’s viewpoint, however, cyber cover is not standard. Meanwhile ransom payments, a key feature of the WannaCry attack, are treated differently in different jurisdictions.
Insurance policy exclusions are widely drafted with cyber-attacks often falling within them. The relatively narrow scope of some cyber cover, which envisages that some losses should come under other more specific or specialist covers, is something which companies should be aware of.
That IT security is of paramount importance is self-evident. But when many businesses still fall short of acceptable standards, inadequate protection or failing to maintain sufficient protection by regularly updating systems can become apparent when there is a cyber attack.
If it can be demonstrated that a company has failed to meet its contractual obligations by not keeping systems up to date or having adequate security, a bigger problem may arise. Insurance companies may refuse to pay, and tribunals will be unforgiving of businesses without firewalls, sufficient password or software protection. In terms of liability, this can create significant problems for directors, in-house lawyers, officers and consultants.
More than anything, the ransomware attacks are a timely reminder that litigation can follow if proper protections are not put in place, or adequately maintained.
Hermès Marangos is a Partner at Signature Litigation LLP and has litigated and arbitrated on these commercial disputes in over 60 countries worldwide. He is also a vice president of the insurance institute and author and co-author of books on reinsurance and war risks and terrorism and associated wordings for the international market.
5 December 2022
5 December 2022