Georgie Collins explains how in-house counsel are increasingly vital to an organisation’s cybersecurity strategy - and its response to a cyber-attack.
‘I am convinced there are only two types of companies: those that have been hacked and those that will be’ (Robert Mueller, former FBI director)
The cost of cyber-attacks to global businesses in 2016 is estimated at US$445 billion (according to a report by the internet security company McAfee). Cybersecurity is now one of the biggest challenges facing a business.
In-house counsel operate at the intersection of complex legal and business challenges facing organisations; they are ideally placed – and increasingly required – to play a central role in cybersecurity strategy, risk assessment, prevention and crisis management.
When it comes to risk management, and to developing and implementing a cybersecurity strategy, a real stumbling block is that cybersecurity often does not feature prominently on the boardroom agenda. Many see it as a technical IT matter rather than a practical business issue that has to be dealt with and co-ordinated across the various stakeholders in a business. The false belief that ‘it won’t happen to us’, coupled with the perception that cyber-attacks and data breaches are the preserve of financial institutions, technology companies and government-related agencies, is a dangerous one, and leaves businesses hugely vulnerable.
Whether through an internal error or malicious external attack, at some stage a business will suffer a security breach. We are no longer in the era of it being a question of ‘if’; it is a question of ‘when’.
Companies that fail to take the threat seriously may be subject to claims, not just by regulators, but by stakeholders in the business. If appropriate risk and crisis management measures are not put in place, the directors themselves may be exposed to significant legal threats, including potential breaches of directors’ legal duties, corporate governance and disclosure obligations.
The reality is that, from a board and corporate governance perspective, cyber is now just as important as audit and accounting. Every business with any online presence or footprint, which holds data and information or has staff, is at risk. Beefing up your IT systems with security protocols and firewalls is not enough – the next step is to educate all staff, from the boardroom down, about the risks and their potential ramifications.
The matrix below highlights the key risks and practical considerations associated with cyber-risk management and incident response.
The role of in-house counsel
In-house counsel are well placed to help a board understand and facilitate its obligations in the arena of cybersecurity. Answering the following questions will be essential to understanding an organisation’s cyber-risk profile, both from a practical and legal perspective:
1. What plans are in place to reduce the prospect and impact of a cyber-incident?
2. Does the organisation have an incident response plan?
3. Are there resources to deal with a cyber-incident?
4. Does the organisation have cyber-insurance?
5. Does the organisation have measures in place to deal with regulatory and legal claims?
Central to this is understanding the relevant stakeholders, both internal and external, and the roles they have to play, both in terms of risk planning and prevention, and incident response and crisis management.
Key internal stakeholders are:
• the board
Key external stakeholders are:
• outside counsel
• insurance companies
• market analysts
In formulating a plan, it’s important to gain an understanding of the threats to an organisation, which, of course, may differ depending on the nature of a particular organisation’s business. The main categories of incident are:
• theft of PII (personally identifiable information)
• sabotage of systems
• theft of confidential or sensitive data
• denial of service
• malware infection
The legal framework
In addition to the above, in-house counsel need an understanding of the legal framework that deals with cyber-risk and compliance, and of the array of relevant legislation, notably the following.
- The Data Protection Act 1998 imposes various obligations on data controllers, including the requirement to take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data, and against accidental loss or destruction of, or damage to, personal data.
- In addition, the General Data Protection Regulation (GDPR) will apply from 25 May 2018, when the UK is likely still to be in the EU. It imposes strict obligations on organisations that collect personal data about their employees, customers, clients or suppliers. Those that fail to comply with its provisions risk fines of up to €20m or 4 per cent of worldwide annual turnover, whichever is the greater. The GDPR will apply up until any departure from the EU; thereafter it will fall away. It is anticipated that the government will support the retention of the GDPR, whether in its current form or by adopting similar national legislation.
- The Computer Misuse Act 1990 (as amended by the Serious Crime Act 2015) provides criminal sanctions for cyber-related offences, such as unauthorised access to or interference with a computer, and unauthorised acts that impair a computer so as to cause serious damage.
- The Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended) place obligations on providers of public electronic communications services to take appropriate technical and organisational measures to safeguard the security of their services. The Information Commissioner must be notified of any personal data breach without undue delay.
- The Communications Act 2003 places obligations on public electronic communications network and service providers to ensure security and give notification of any breaches. Ofcom is the enforcing regulator.
- The Network and Information Security Directive (which came into force in August 2016, with an implementation period of 21 months) imposes security and reporting obligations on ‘operators of essential services’ (including entities in the energy, transport, banking, financial market infrastructure, health, drinking water supply and digital infrastructure sectors) and on ‘digital service providers’. Identified operators of essential services and digital service providers are required to take appropriate and proportionate technical and organisational measures to manage the risks to their networks and information systems, and to take appropriate measures to prevent and minimise the impact of incidents.
In-house counsel are integral to most response activities and to engagement with the relevant stakeholders. They will need as much information as possible in order to determine an organisation’s compliance position, legal obligations and liabilities, so that they can co-ordinate and communicate effectively with internal and external stakeholders and ensure their organisation is in the best possible position to prepare for, and react to, a cyber-incident.