On Tuesday, 3 March 2020, we welcomed our financial services clients in London to a lively panel event, which covered the multitude of issues that arise in a cybersecurity incident.
Using a hypothetical case study, revealed in a series of short animations, Hogan Lovells partners Philip Parish, Arwen Handley, Nicola Fulford and Peter Marta considered topics such as good cyber incident preparedness, board responsibility, data issues, regulatory notifications, litigation and regulatory enforcement risk, liaison with law enforcement, and follow-up steps, and answered questions covering the legality of ransom payments to the perpetrators of cyberattacks and insurance for cyber incidents.
Over the past decade, cybersecurity has emerged as one of the most serious and challenging threats to businesses, with CEOs around the world naming it as the main worry that keeps them up at night. Although a lot of attention is paid – as it must be – to the technological aspects of cybersecurity breaches, we believe that the litigation and regulatory risks cannot be overstated.
The panel’s key messages for clients included the following:
- Data security and privacy are mission critical and should be discussed at the most senior levels of the organisation.
- Preparation is key: Preparation for a cyber incident should include the production of a concise incident response plan that lists key internal and external contacts, outlines a precise escalation protocol and sets out the decisions that need to be made in the first 24 to 48 hours. The incident response plan should be tested in tabletop exercises involving the individuals and teams who would be involved in a real-world incident. Lessons learnt from tabletop exercises and from actual incidents can then be incorporated into the incident response plan. Firms should identify and line up external resources in advance, establishing contact with the relevant local law enforcement if appropriate.
- Regulatory disclosures: A cyberattack typically has a very substantial impact on the affected business. As a result, it will trigger numerous disclosure obligations to data and financial regulators, to customers and to the market. If an attack is carried out on a multinational business, the effects may be suffered in multiple jurisdictions each with different regulations and laws in relation to disclosure obligations and timeframes.
- Data protection: It is essential to understand what, if any, personal data has been impacted by the attack and the extent of the damage this may cause to those affected. Notification requirements may kick in, meaning that the business may be under an obligation to tell the ICO about the breach no later than 72 hours after becoming aware of it. Accountability is a key requirement under the GDPR, and to comply with this, the business will need to have up-to-date security policies – as well as incident response plans – in place, together with compliant contracts with any external third parties.
- Response coordination: It is important to coordinate the response to a cyberattack across all stakeholders, including senior business management, legal counsel and internal/external PR teams. This ensures consistent messaging to all relevant parties.
- Insider trading: Major incidents such as cyberattacks often create a risk of insider trading prior to any public announcement, so this risk, and steps to manage it, should be included in the incident response plan.