The crucial question that a company and its board will face if it suffers a cyber security breach is: "Had you taken reasonable steps to try to prevent a breach, and to prepare to handle any breach that occurred?" If the answer to that question is "yes", the company will have minimised its risk of legal liability, regulatory censure and lasting reputational damage arising from the breach. If, however, the answer is "no", the company and the board may find themselves in a distinctly uncomfortable position.
With that crucial question in mind, a report published last month by the Department for Digital, Culture, Media and Sport (DCMS) provided some concerning indications as to the potential exposure of UK businesses to liability arising from a cyber breach.[1] The report summarises the experiences of a range of businesses that recently suffered a serious cyber security attack, and was commissioned as part of DCMS's ongoing research aimed at helping businesses to understand the cyber security threats that they face. While some of the key findings of the report are not perhaps the most insightful (such as the consensus that cybercrime is a significant and growing business risk), a closer look at the individual case studies does provide some instructive and cautionary practical insights.
Most strikingly, 70% of the businesses reported inadequate staff training in relation to cyber risks, the implementation of more rigorous training following the breach, or both. Given that the vast majority of cyber attacks still rely on human fallibility to succeed (such as a recipient employee clicking on a malicious link in an email), a robust and thorough staff training programme is one of the most basic and fundamental risk management tools. The report highlights the fact that many businesses still appear to regard cyber security purely as an IT issue that can be managed by protective software. This misguided belief may be fuelled by the frequency with which reported cyber attacks are described as "sophisticated". Chances are, they are not.
Of equal concern is the fact that half of the businesses in the report cited poor engagement by the board/senior management in relation to cyber security. A lack of meaningful board ownership and oversight of a company's cyber risk management not only exposes the company and the directors themselves to potential liability for damage suffered as a result of a breach, but is also a lost opportunity to instil a genuine culture of cyber security awareness and risk mitigation across the business. Way back in 2016, when the Information Commissioner's Office imposed a then record fine of £400,000 on TalkTalk for its cyber security failings, the Information Commissioner took that high profile opportunity to stress that the fine should act as "a warning to others that cyber security is not an IT issue, it is a boardroom issue". It is concerning that, despite this message having been repeatedly reinforced by multiple regulators over the years since, many boards are still apparently failing to engage.
Poor delivery by third parties
An often underappreciated area of risk is revealed by the fact that half of the businesses reported failings by the IT service providers they had engaged. These failings (some of which were responsible for the breach itself) included incorrectly configured software, delays in notifying the business of the breach, incorrect information concerning the cause of the breach, and a lack of responsiveness and support in dealing with the breach. This provides a salutary illustration of the importance of thorough due diligence when appointing service providers. A robust procurement process which verifies the quality and track record of potential service providers is crucial, as is ongoing monitoring to ensure quality of service delivery and effective protection. Unquestioning reliance on a service provider's claims as to its capabilities and experience exposes a business to significant risk.
Lack of basic certification
A third of the businesses confirmed that, at the time of the breach, they did not have any basic cyber security certification (such as that provided by the government backed Cyber Essentials scheme, which helps businesses guard against the most common cyber attacks). Obtaining such accreditations is one of the easiest and most obvious ways for businesses to demonstrate that they have taken concrete steps to start to understand and manage their cyber risk.
Very few organisations in the study undertook a formal 'lessons learned' exercise following the breach. Not only do such exercises provide a golden opportunity for a business meaningfully to reduce its future risk exposure, but little is more likely to provoke customer/market anger and regulatory censure than a failure to learn and improve from past breaches (and, indeed, from breaches suffered by others to the extent they become public).
Other points of note
Notwithstanding the above areas of concern, the case studies do also include some illustrations of good practice. For example, the board of one respondent that was hit by a ransomware attack already had a policy in place of never paying ransom demands, meaning that vital response time was not used up deciding whether to pay the ransom. The decision as to whether or not to pay a ransom involves a number of legal and practical considerations, which take time to work through and often provoke passionate discussions and disagreements around the boardroom table. It is therefore infinitely preferable for such discussions to have taken place as part of a company's breach response planning rather than in the immediate aftermath of a breach.
Two important limitations on the value of the insights provided by the report should be noted. First, none of the breaches involved personal data, and so none of the respondents had to grapple with reporting to regulators. Such reporting, and the publicity that often accompanies it, are some of the most challenging aspects of many significant cyber breaches. Second, none of the case studies involved an internal bad actor. While such internal breaches are less common than external attacks, they invariably raise additional complexities and are potentially more damaging, as the insider knows where the most valuable information is and can take their time accessing it.
In conclusion, while the report does suggest that many organisations are still failing to implement some of the most elementary cyber risk management measures despite cyber breaches having consistently topped lists of key business threats for several years, it does also provide some reassurance. None of the cyber attacks covered by the case studies was particularly novel, and none of the above risk management issues is new or surprising. Ensuring that the above basic issues are rigorously addressed will therefore help companies and their boards to have greater confidence that, when the time comes (which it will, sooner or later), they should be able to answer "yes" to the crucial question they will face.
White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.
This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.
© 2022 White & Case LLP