Sam De Silva FBCS provides an overview of some practical guidance, from a legal perspective, concerning responding to cyber-attacks.

Immediate action following an attack

Each incident and the proportionate response will need to be considered in all circumstances. It should be noted that over-reaction to a relatively minor incident can also have serious detrimental effects in financial and reputational terms. The first action should be calling the incident response team into action.

The incident response team for a major incident is likely to be made up of both employees of the organisation under attack and external advisers, including appropriate external lawyers and public relations advisers. IT experts may also be required to deal with both the immediate response to the breach and to undertake a forensic exercise to determine the cause of the attack.

In the absence of, or in addition to, expert in-house counsel, external lawyers often form a useful part of an incident response team. One of the key roles of external lawyers should be to advise on the legal consequences of the incident and any proposed responses and public announcements, taking into consideration the regulatory and litigation risks. In addition, external lawyers should be asked to advise on the maintenance of legal privilege.

Damage limitation

Steps should be taken to stop or contain the breach. Many attacks are on-going and repeated, so this may involve the temporary suspension of affected systems or websites.

Impact and risk assessment of breach

Some cyber attacks suffered by organisations may only require limited action. Accordingly, an assessment of the impact of and risks relating to the breach should be conducted to inform an appropriate response, including:

  • Verification. The apparent breach should be investigated and verified by IT experts. It is possible that following the initial report it is concluded that the incident is a result of a hoax or an error
  • What has happened to the data? Has data been stolen or has it been encrypted or restricted so that the organisation cannot access it, but neither can the attackers (i.e. ransomware - see below)
  • The type of data affected. Has any personal data been stolen and, if so, what type of personal data is involved?
  • The degree of sensitivity of the data
  • Are there any protections in place, such as encryption? It should be noted, however, that the fact that stolen data is encrypted does not mean that there is no cause for concern
  • How many individuals are affected? Where it is clear that only a small subgroup of data subjects are affected, a more measured response may be required. In many cases, however, the true extent of the breach may not be established until some days or weeks later, so a decision may need to be taken based on limited information and considering the risk of the worst case
  • Who are the individuals? The stolen data may relate to one or more categories of individual, including employees, consumers, business customers or suppliers
  • The potential detriment to individuals. Some thefts of payment card data might, for example, be enough for the perpetrators to authorise fraudulent payments immediately. The detriment relating to the disclosure of other types of data may be non-financial, but could still represent a potentially highly invasive loss of privacy. ICO guidance on assessing risks immediately following a breach involving personal data is set out in section 2 of its Guidance on Data Security Breach Management.

How to respond to threats and extortion

Most or all of the responses in this article may be appropriate depending on the specific circumstances and extent of the attack, but there is a heightened need to immediately inform the police and the newly established Cyber Security Centre of on-going attacks. Unfortunately, ransom demands are sometimes complied with.

However, police advice is typically never to comply with extortion demands. It should be noted that under certain circumstances under English law (such as payment of a terrorist ransom under the Terrorism Act 2000), or under the laws of other jurisdictions, payment of a ransom can amount to a criminal offence.

External considerations and notifications

In parallel with the efforts to secure internal systems and initiate internal response plans, the organisation will need to consider both the effect of the attack on third parties and who needs to be informed in the short and longer term. The following issues need to be considered:

  • crisis management PR
  • complaints and customer service
  • informing insurers
  • informing banks
  • notifying data subjects (if appropriate or as required by law)
  • reporting to regulators (if appropriate or as required by law).

Whether the organisation needs to notify data subjects and report to regulators depends on a multitude of factors and is a complex matter (particularly with the implementation of the GDPR). Legal advice should be sought early.

Lessons learned

It is important for the organisation to reflect on what improvements can be made as a result of the breach and the response to it. As part of this exercise the following should be considered:

  • reviewing how the organisation’s response plan worked in practice and making adjustments where improvements are required
  • specific vulnerabilities permitting the actual breach should be addressed and resolved
  • if there was no insurance cover in place, or it proved insufficient, it might be advisable to obtain adequate insurance cover
  • the attack may well have revealed limitations in contracts and areas where the allocation of risk could be better
  • if investigations show that a third-party supplier was a cause of the incident, the due diligence undertaken in relation to third-parties may need to be improved and the relevant third-party contracts may need to include new or revised provisions dealing with security requirements, compliance audits and requirements to notify if there is a breach. The adequacy of any limitations or exclusions of liability on the supplier should be assessed in the light of the potential cost of cyber security breaches to the organisation.

Summary

Unfortunately, there is no ‘one size fits all’ approach suitable for all types of attack, nor is there a single approach suitable for each type, size and sector of organisation. However, the following key principles should be applicable to most scenarios:

  • verify the breach
  • determine the extent of the breach
  • contain and mitigate the breach
  • consider what data is affected, if any, and what risks might arise as a result
  • consider whether there is a compulsory requirement to inform anyone (regulators, data subjects, suppliers etc.) of the breach, or if there are good reasons to do so even if there is not
  • consider any communications in the light of regulatory requirements, public relations considerations and litigation risk
  • review and modify systems and processes in the light of the experience to limit the risk of reoccurrence and to make sure the response is as effective as possible if it does.

Dr Sam De Silva, CITP, FBCS is a partner and head of the commercial IT and outsourcing group at Nabarro LLP, Vice-Chair of the BCS Council, and an International Advisory Board Member of the Cyber Rescue Alliance.