Simon Fawell comments on cyber security concerns in IBA’s In-House Perspective Magazine

By Simon Fawell

Partner Simon Fawell comments on cyber security concerns for businesses and best practices for mitigating successful breaches, in the International Bar Association’s In-House Perspective Magazine.

Simon’s comments were published in the International Bar Association’s In-House Perspective Magazine on 5 December 2022.

How important from a business sense is cybersecurity?

“In short, it’s huge. It has been well publicised that cyber-attacks are on the increase, as are data protection authority fines and third-party claims for loss. The other aspect that is often overlooked is the reputational impact of a breach. A cyber breach can have a devastating effect on a company’s reputation, particularly where it’s handled badly, and this, in turn, can have a hefty impact on company value.

“It is not possible to eradicate completely the prospect of a successful cyber-attack but what you can do is ensure that you have planned responses in place to limit the damage if you do fall victim to one. This includes ensuring there are back-up systems in place to keep your business running after an attack but also thinking in advance about what third parties might potentially be affected by a breach, what contractual and regulatory obligations you will have to notify and how you will message a breach externally. In most circumstances, corporate and individual counterparties will be relatively understanding that breaches can occur. What they will not forgive is a breach response that doesn’t adequately minimise the impact on them or, worse, adds additional layers of complexity.”

How are world events – energy and cost-of-living crises, Ukraine war, home-working affecting cybersecurity? What can be done to combat these threats?

“Home working creates an obvious risk from a cybersecurity perspective. Aside from the fact that remote systems are often not as secure as in-office solutions, there is a greater temptation for those working remotely to find work-arounds for IT problems which can, themselves, create security risks. This can include saving documents to a home environment rather than a secure document management system, or using alternative online tools which have lower security barriers than company-approved software. This temptation arises partly because the home environment often creates challenges that would not arise in an office (even something as simple as difficulties connecting home printers to the work system) and also because IT help services may not be as immediately accessible (for those that are less IT-savvy, there is no prospect of a member of the IT team coming round to fix an issue “on-site” as they might in an office). Similarly, where the recipient of a phishing email might previously have checked with a co-worker sitting next to them, or even with the person the email purported to be from, they are perhaps less likely to do so in a remote environment.

“Combatting these increased threats really comes down to three main areas. First, trying to ensure insofar as possible that the home working environment replicates the office; second, making sure that IT assistance is quickly and easily accessible for those working remotely; and third, trying to educate remote-workers on the systems in place to help them and the risks associated with using unapproved work-arounds.”

How much of a threat are cyber-attacks now compared to 1-3 years ago?

“The number, scope and sophistication of cyber-attacks have continued to increase over the last few years. That has, no doubt, been exacerbated by COVID and the sudden need for entire workforces to work remotely for a prolonged period, but there is no sign of the trend changing anytime soon.

“There are also shifting sands around the risks arising from cyber-breaches. For example, there has been a global tendency toward larger regulatory fines for breaches. Similarly, the landscape for mass claims across the UK and EU has been changing significantly. While the prospects for mass data breach claims in the UK have been slowed for the time being following the UK Supreme Court decision in Lloyd v Google, the broad direction of travel appears clear and I would expect to see some form of opt-out class action available in the UK for breach cases in the relatively near term. The UK has already shown itself willing to introduce an opt-out class action regime in the competition space, which has largely been considered a success, and there is a clear appetite for individuals affected by corporate data breaches to have some form of accessible redress.”

How are most cyber-attacks carried out and what is the best way of countering them?

“While there is an ongoing game of cat and mouse between those developing IT security systems and those trying to breach them, the biggest weak spot in any system will virtually always be individual users and the vast majority of cyber breaches arise from user error. It’s the person who inadvertently provides their user details in response to a phishing email or even the person who politely holds open the door to a secure area for someone they don’t know.

“It’s not possible to eradicate human error entirely but the first line of defence is education. Often a “less is more” approach is the most effective. Rather than a constant stream of educational material and alerts, which can lead to fatigue and key messages being missed or ignored, less frequent messaging focussing on two or three key points each time may hit home better. In a similar vein, changing the format for cyber-security messaging can help, for example by avoiding the temptation always to send messages by email and instead using other formats such as posters in communal areas.”

What is an in-house lawyer’s role in cyber-security?

“Dealing with a cyber breach throws up issues that cut across IT, legal and compliance. For a breach to be handled effectively requires real coordination between those functions as well as with the board.

“In-house lawyers are, by the very nature of their role, strong crisis managers and good at thinking ahead to spot potential risks. In my experience, it generally falls to the legal team to take the lead in response coordination, liaising with external counsel, forensic experts, insurers as well as drawing together the internal streams. By that token, while in-house lawyers do not necessarily need a hugely in-depth knowledge of the technical IT side, they do need to have a close working relationship with their CIO and know enough to be able to deal with the immediate crisis response and translate the technical IT issues to key stakeholders internally and to external providers.

“One of the key roles in-house counsel will generally take in cyber-security is putting in place breach response protocols which take into account not only the technical necessity to limit the impact of the breach and getting systems running as normal but also the regulatory framework, contractual obligations and other issues such as availability of legal professional privilege.”

What are the main challenges involved in this role and how can these challenges be tackled?

“The main challenge that in-house counsel report to me is time and resource. Having a clear cyber-response plan and effective cyber-awareness training in place are both hugely important but are just two of a long list of important things for the business and the legal team at any given time, many of which have concrete and urgent deadlines. As such, budget for external assistance and in-house counsel’s own bandwidth can be limited.

“The key, as ever, is to ensure you don’t let the pursuit of perfection get in the way of having the basics in place. For example, while data-breach response plans can be extremely sophisticated and tested through the use of simulated breaches put together by external counsel and forensic experts, they don’t necessarily have to be. Even having a document which clearly defines the division of labour following a breach can help save valuable time when the clock is ticking to ascertain the scope of the breach and to notify regulators and those affected. All too often I have seen time lost because it is not clear internally whether the call to instruct external legal counsel or an external forensic expert is to be made by the CIO, GC or at board level or who is to engage with insurers.”

How can technology be used to help fulfil this role? Should they get outside help? Where from?

“Technology can certainly help to alert workers to potential risks and, therefore, reduce the risk of a breach. However, an overreliance on automated solutions can cause issues. For example, where flags appear on emails to alert users to potential issues, there is a tendency for those flags to get ignored if they are too frequent, or for users to assume the technological safety net will catch them and become less vigilant themselves.

“Outside help is available from multiple resources if budget allows. An often overlooked resource, however, is the company’s cyber-insurers who have a depth of experience in handling cyber-breaches and will often have resources available to insureds to help minimise risk before a breach has occurred.”

Top tips for in-house lawyers in charge of these areas?

“Preparation, preparation, preparation. The lengths to which a company can go to prepare for a breach can range from something fairly basic all the way through to a full cyber-breach simulation with external counsel and forensic experts engaged to test every aspect of the response plan. At the very least, though, in-house lawyers should ensure there is a clear plan of action in the event of a breach so that the relevant people in the legal team, IT and at board level know who to call and whose responsibility it is to engage external resource.

“Take the time to understand the cyber-insurance cover the business has in place and the help that the insurer can provide following a breach. Often there are resources available under cyber-insurance policies that insureds are unaware of, such as preferential rates on credit monitoring products for affected individuals.

“Try to keep on top of the contractual notification provisions you have in place with different counterparties and, where possible, keep them as similar as possible from counterparty to counterparty. Data protection provisions are often seen as boilerplate and given relatively little consideration but, where there are different notification requirements for each counterparty, that can cause real issues in the event of a breach.”
