The devastating ransomware attack suffered by the NHS last week did much to elevate the cyber risk within the national consciousness. While dated IT appears to have played a significant part in the extent to which the NHS was affected, it is troubling that the Wannacry virus claimed in excess of 45,000 victims in over 100 different jurisdictions. More troubling still is the general consensus that the attack could, and should, have been easily avoided, had basic routine maintenance been applied to the affected computer networks.
For some time now, businesses have been concerned about the risks presented by cyber crime. The Cyber Security Breaches Survey published by the Government at the end of last year reported that almost 70% of businesses said that cyber resilience was a paramount consideration. It is therefore surprising that the majority of businesses remain so under-prepared to respond to the cyber threat, far less the fallout from a cyber attack.
It is currently estimated that only 10% of businesses have an incident response plan, which means that nine out of ten businesses do not have a strategy in place which will allow them to respond quickly and effectively to any cyber attacks that do take place.
The old adage failing to prepare is preparing to fail is particularly true so far as cyber attacks are concerned. A business could not possibly hope to take the appropriate steps to respond to an attack in the panic and confusion that inevitably follows the discovery of a cyber breach.
The good news is that there is much a business can do to reduce the chance of suffering an attack. It is also possible to mitigate the effects of any attacks that do take place.
A business would be well advised to carry out a comprehensive risk assessment, which identifies key assets, the security which surrounds them and the risks that would attach to those assets being compromised.
Further, investment in an effective incident response plan brings with it many benefits. The response time to a cyber attack improves, the cost of dealing with a cyber incident reduces and a well prepared business can generally expect to see results in terms of business continuity during the period in which the cyber threat is being investigated/neutralised. A well prepared business also reduces the risk of facing negative press in the aftermath of an attack.
The weakest link in the security chain is always the human element. For that reason, any business is only as secure as its weakest employee. Employees who do not understand the risks associated with clicking on links/attachments contained in infected emails present a serious risk to their employers as this is generally how ransomware attacks begin. It is therefore important that staff members are educated of the risks and understand how to spot compromised emails/attachments in the hope that potential threats will be recognised before it is too late.
While most businesses understand that significant losses can arise in the aftermath of a cyber attack through business interruption costs and reputational damage, very few understand the significant litigation and regulatory risks that can be faced as a result of a cyber attack.
Under the General Data Protection Regulation, which is due to be enforced across Europe and beyond from 25 May 2018, regulators can now impose a fine of up to €20m or 4% of global annual turnover which could be imposed in respect of breaches of cyber security. Further, for FCA regulated or listed companies, regulators have the power to impose unlimited fines for breaches of the FCA Handbook/Listing Principles (both of which would be of indirect relevance to victims of cyber attacks).
However, the risks don’t stop there. It is quite possible that the victim of a cyber attack could face litigation founded in breach of contract or negligence in the event that confidential information or assets are compromised as a result of a cyber attack.
While there have been few reported cases of court actions being raised against victims of cyber attacks in this jurisdiction, one need only look at other jurisdictions (notably the USA and Canada) to understand just how significant the litigation risks can be. In the USA, one victim of cyber crime who was deemed to have been negligent in failing to prevent the cyber attack it suffered was recently ordered to pay damages in excess of $100 million. Further, with many commentators predicting an increase in the use of class actions before the UK Courts, it may only be a matter of time before those who lose money or data as a result of a cyber attack more regularly face litigation in respect of it.
It is clear that cyber crime is here to stay. It is therefore important that businesses do all they can, on a proactive basis, to ensure that the appropriate steps are taken to mitigate the cyber threat and ensure that a quick and effective strategy can be implemented in response to any attacks that do take place.
If you think your organisation may be affected by any of the above, or if you have any other questions, please contact:
This briefing is written as a general guide only. It is not intended to contain definitive legal advice which should be sought as appropriate in relation to any particular matter.
Read more here: https://www.mms.co.uk/mms-knowledge/mms-newsroom/latest-news/18-may-2017-cyber-crime-is-bad-for-your-health