The transformative power of technology has made it integral to many businesses’ growth plans.
Technology delivers tremendous benefits but it can also present risk: it could malfunction, not perform as anticipated or have unintended consequences, such as increased cybersecurity vulnerabilities.
In January 2021, Hogan Lovells published a report, Litigation Landscape: How to prevail when technology fails. We were interested in understanding how businesses viewed, prepared for and protected themselves against these risks.
One of the areas we focused on was the potential risks and consequences of a cyberattack.
The risks of cyberattack have increased during the covid-19 pandemic, with employees working from home and firms subject to information security challenges, including increases in phishing campaigns and ransomware attacks.
Recent coverage of serious cyberattacks directed at critical infrastructure and services has increased awareness of such incidents and led to calls for governments to address, in particular, the issue of ransomware attacks.
This article looks at some of the potential risks for UK firms in the event of a cyberattack. We consider the findings of our report in relation to cyber-preparedness in that light and provide some suggestions as to how firms can prepare themselves for such attacks.
Risks of cyberattack – a minefield
Once a firm becomes aware of a cyberattack, it moves into crisis management mode, devoting all available resources to:
- identifying the source of the attack;
- resolving the attack;
- assessing the consequences of the attack, including whether any data held by the firm has been exfiltrated;
- keeping relevant internal and external parties informed;
- making any necessary regulatory notifications; and
- putting arrangements in place to preserve legal privilege.
The list goes on and on.
Notwithstanding the need to manage the crisis, a firm will need to be aware of the potential legal and regulatory risks arising from the attack and to take steps to manage those risks as soon as possible. There are a number of questions that a firm should ask itself in these circumstances.
Does the firm have any reporting obligation? This will depend on the nature and consequences of the attack:
Information Commissioners’ Office (ICO) – If personal data has been exfiltrated or leaked during the attack, the firm will have to consider whether it needs to make a report to the Information Commissioner’s Office (ICO). The ICO requires firms to consider the likelihood and severity of the risk to people’s rights and freedoms following the breach. If it is likely there will be a risk, the firm must notify the ICO within 72 hours of becoming aware of the breach, where feasible.
Affected individuals – In the event a breach involves the loss of personal data, and if the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, the firm must also inform those individuals without delay.
Financial regulators – Financial services firms are under a duty to be open and transparent with their financial regulators. In the UK, for example, there is a general obligation under principle 11 of the Financial Conduct Authority’s (FCA) principles for businesses to notify the FCA of anything relating to the firm it would reasonably expect notice of.
More specifically, there is guidance on notifications in the FCA handbook. For example, SUP 15.3.1 talks about the need to notify the FCA immediately of “any matter which could have a significant adverse impact on the firm’s reputation”; and “any matter which could affect the firm’s ability to continue to provide adequate services to its customers and which could result in serious detriment to a customer of the firm”. A significant cyberattack, whether or not accompanied by a data breach, is likely to fall within one or more of these notification obligations.
Law enforcement – Although there is no legal requirement to notify law enforcement of a cyberattack, many businesses will want to notify the relevant authorities and work with them to manage the incident.
The firm’s customers
In addition to personal data breach notifications, there may be practical considerations to be borne in mind. If, for example, a cyberattack on a bank has resulted in customers being unable to access their accounts online or withdraw cash from their accounts, those customers will want to understand immediately what is happening.
Firms will need to ensure that they have processes in place to manage the need to keep customers informed about the incident.
Firms that are in a regulated sector are likely to have regulatory obligations which apply in these circumstances. In the financial services sector, the FCA and the Prudential Regulation Authority (PRA) have been increasingly focused on cybersecurity in recent years and have emphasised that cybersecurity issues should be on the agenda at board level.
The FCA’s principle 3 requires a firm to take reasonable care to organise and control its affairs responsibly and effectively with adequate risk management systems. Its focus on operational resilience is also highly relevant to firms’ preparation for, and response to, a cyberattack.
In March 2021, the FCA published final rules on operational resilience. These require firms to take steps by 31 March 2022 to (among other things):
- Identify their important business services which, if disrupted, could cause intolerable harm to consumers of the firm or risk to market integrity;
- Threaten the viability of firms or cause instability in the financial system;
- Set impact tolerances for the maximum tolerable disruption to these services; and
- Develop internal and external communications plans for when important business services are disrupted.
In addition, under the FCA’s senior managers and certification regime, a senior individual at the firm should be identified as the senior manager with responsibility for cybersecurity issues.
That responsibility should be identified in the relevant senior manager’s statement of responsibility. In the event of a breach of the FCA’s requirements in this area, the responsible senior manager could be held accountable if they did not take reasonable steps to prevent or stop the breach.
Given that a cybersecurity breach can arise from activities directed at individual employees (for example, a phishing email), the senior manager will need to ensure (among many other things) that regular reminders and training are provided to everyone in the organisation.
The FCA’s financial crime rules are also relevant and should be interpreted as including cybercrime. Breaches of the FCA’s requirements may lead to enforcement action against the firm and, potentially, individuals – particularly those with a relevant senior manager role.
Where could litigation risk lie?
Where personal data has been compromised, there is a real and increasing risk that litigation could follow.
Consumers affected by a data breach, supported by their law firms and litigation funders, are increasingly looking to English collective action mechanisms to bring claims for data breaches. The amounts claimed in such actions can be significant.
In England claimants might argue, for example, that their rights under the General Data Protection Regulation (GDPR) have been infringed, they have suffered damage (material or non-material, including for distress) and they are entitled to receive compensation.
They might claim that their private information has been misused and they have suffered damage; and/or they might bring a claim for breach of confidence. Under English law there are two types of collective action which tend to be used for data breach claims:
Representative action (CPR 19.6) – Where more than one person has the same interest in a claim, the claim may be begun by one or more of the persons who have the same interest, as representatives of any other persons who have the same interest. Judgment is binding on all persons represented in the claim. The Supreme Court is currently considering the use of representative actions for claims brought on behalf of large classes of individuals for misuse of data, and this should provide some clarity in respect of the availability of this type of action going forward.
Group litigation order (GLO) (CPR 19.10) – a GLO provides for the case management of claims which give rise to common or related issues of fact or law. Each claimant must issue a claim, which is then entered on a group register. The judgment is binding on the parties to all claims that are on the group register at the time the judgment is given.
Ransomware attacks have been on the increase during the covid-19 pandemic. In addition to the policy and reputational issues involved in deciding whether or not to pay a ransom demanded by attackers, there are number of legal considerations which may arise, depending on whether the identity of the attackers is known.
For example, if the attackers could be terrorists, the firm would need to consider the laws which forbid terrorist financing; and if the attackers could be a sanctioned nation state or entity, the applicable sanctions laws must be complied with.
Preparing for cyberattack
As shown in this brief summary, there are significant litigation and regulatory risks associated with a cyberattack. Two thirds of businesses in our survey acknowledged that costly litigation or a regulatory investigation might follow a data breach.
However, our survey data showed that UK firms could do more to prepare for cyberattacks and data leaks: just 8 per cent of boards at respondent UK businesses oversee technology risk “to a significant extent”, deeming technology risks to be as important as financial risk and other traditional risks.
The survey also showed 30 per cent of UK businesses surveyed had not reviewed their cyber response plans within the last two years.
The good news is that there are key steps that businesses – including law firms – can take in order to prepare for, and mitigate the risk of, cyberattacks, including:
- Putting in place a practical and well thought through cyber response plan, prepared in collaboration with the business’s legal teams or the General Counsel’s office.
- Testing the plan regularly, and incorporating lessons learned and improvements.
- Ensuring cybersecurity risk identification and mitigation measures are overseen by senior management and the board. For the financial services sector, the FCA recently published insights from its 2020 cyber coordination groups (CCG). CCG members noted that the increased threat level from ransomware had led to board awareness of this issue and its potential brand impact. This had, in turn, helped cyber risk become a higher priority across firms.
- Regularly assessing the cybersecurity credentials of the business’s third-party suppliers and partners – a business is only as strong as its weakest third party.
- Ensuring that regular reminders and training about the importance of recognising a cybersecurity risk, such as phishing attempts, are provided to all staff.
Arwen Handley is a partner in the financial services litigation and investigations group at Hogan Lovells hoganlovells.com...