Whether a director of a company subject to a cyberattack is liable for negligence for failing to take steps to limit the risk.
As the risk of cyber-attacks increases, it is key to consider whether directors of ransomware-hit companies can be held liable for any negligence for failing to take steps to limit the risk.
Over the past few weeks, I have had the pleasure of delivering a presentation on how to manage the risk of a ransomware cyber attack in a company to members of the Board Room training course, a course for professionals who are, or would like to be, members of the board of public companies. As part of the session, we try to provide practical guidance and share some “lessons learned” from previous cyberattacks. The number of questions raised shows the relevance of the issues and of the possible liability of directors.
This article seeks to provide advice to directors of public and private companies on actions to take before, during and after a cyber attack.
The scale of cyber risk businesses face should not be underestimated
To give an indication of the magnitude of the cyber risk companies face, a cyber attack occurs on average every 39 seconds. This does not mean that every attack is successful, but that someone attempts to gain access to a company’s computer systems with that frequency.
According to research conducted by IBM, the average cost of a data breach to a company in 2022 is $4.35 million, increasing to $4.54 million in the case of a ransomware attack. Of course, this amount is only an estimate: the average cost in some jurisdictions is higher, for example in the US it approaches $10 million, while in Italy it is on par with the average.
In my experience, this estimate is even optimistic when you consider that a company’s business is global. In addition, the cost depends on the time it takes to identify the compromised computer systems, which on average is over six months. The longer the detection time, the more data has been leaked before the unauthorized access is detected. Detection usually happens when the hackers, the so-called threat actors, start encrypting the computer systems.
Furthermore, the operational consequences of a cyberattack should not be analyzed solely in terms of the compromise of the personal data of customers and employees. Encrypting computer systems can bring business operations to a standstill, in part because attacks often occur when companies are least prepared to respond, such as at Christmas, in summer and on weekends. If the encrypted data cannot be recovered, production lines, stores and e-commerce websites, in short all business operations, will come to a standstill, and even the reliability of the company’s balance sheet may be called into question, not to mention the possible reputational damage, which may lead to the loss of customers.
Add to this the risk of penalties and fines (which are not insurable in most jurisdictions), not only under privacy and data protection regulations but also under the now proliferating cybersecurity regulations. There are not many class-action lawsuits over cyberattacks in Europe, but if the attack affects customers located in places like California, the stakes are high. Also in Europe, civil lawsuits by individuals whose personal data has been compromised as a result of a data breach are growing exponentially, backed by law firms working on success-fee arrangements.
What duties and responsibilities do directors have to prevent cyberattacks?
Given the scale of cyber risk faced by companies, it is imperative that corporate boards, especially those of public companies, oversee the company’s actions to prevent cyber-attacks and take timely corrective actions.
Unfortunately, in some cases this does not happen. Partly due to the cost of the pandemic, but more generally because of other top priorities, some companies sometimes:
- Fail to conduct regular penetration testing and analysis of the state of maturity of the technical and organizational measures taken to reduce cyber risk;
- When these analyses flag weaknesses, do not address them immediately, but add them to a “to do list” with no specific deadline in the short term; and
- Rely on untested incident response plans, which may therefore not function properly in the event of an attack.
It is not just a matter of recommending investment in security measures, since 95% of all cyberattacks occur due to human error. For example, an employee who clicks on a phishing email, who always uses the same authentication credentials for work and private accounts, or who connects a USB drive to a company device or visits a site from which a threat actor can gain access to the system.
A cyber risk analysis must therefore incorporate a significant component of training and review of organizational control processes. Because it is impossible to completely exclude the risk of cyber-attacks, as cyber criminals are always one step ahead of their victims:
- Companies must be able to demonstrate, through a cybersecurity compliance program, that all measures required by privacy and cybersecurity regulations have been taken; this requires complex legal and technical knowledge, as the burden of proof will be on the company; and
- Adopting an insurance policy covering cyber risk minimizes the negative economic impact on the company and enables it to rely on the incident response systems and advisors in the insurance company’s network.
What should directors do if there is a cyber attack on the company?
In my experience, if a company suffers a major cyberattack, the CEO, managing directors and board of directors are immediately involved. I have already been “ejected” in front of the CEO of a multinational corporation assessing the risk posed by a cyber attack during the Christmas holidays, vacations and endless weekends. The risk posed by a cyber attack to the company is so high that the top management of the company is immediately involved.
In such circumstances, in the event of a cyber-attack, some of the worst-case scenarios from a directors’ liability perspective are as follows:
- The above measures were discussed at a board meeting, but no action was taken;
- A risk analysis was carried out and weaknesses in the information systems were identified, but the company took no steps (or very few steps) to correct them in a timely manner;
- The company realized it had not renewed an insurance policy covering cyber risk, having considered the risk remote and the policy too expensive.
All of these scenarios have occurred during my career, and the boardroom meetings analyzing them were not a pleasant experience.
Among other things, the board must:
- Analyze the corrective actions to be taken to minimize the negative impact of the cyber attack;
- Assess the economic impact of the attack, including possible penalties, in order to potentially notify shareholders and build budgetary reserves; and
- Decide whether the incident should be reported to the appropriate authorities and communicated to the individuals whose data was compromised.
But the “toughest” topic is of course the decision about whether to pay the ransom in a ransomware attack. Typically, when a ransomware attack occurs, there are “American police movie”-style negotiations with the cybercriminals to buy time, reduce the amount requested and obtain the potential approval of the insurance companies. In most cases, companies will do everything to avoid paying the ransom because:
- Depending on the jurisdiction and the identity of the threat actor, payment may be illegal;
- Payment does not guarantee that the data will be decrypted, which also requires an analysis of the threat actor’s reputation and track record; and
- Reputational damage may result.
However, in some cases there is no way out for the business, for example when the data cannot be recovered because the backup copy of the data has also been encrypted. In this case, the company may consider paying the ransom, provided that local regulations are not violated. More complicated, though, is how to obtain board approval to pay the ransom. There is no single right answer, and no 100% perfect answer; one will have to analyze the circumstances of the case.
How should cyberattacks be reported to the public?
Beyond regulatory reporting requirements, reporting cyberattacks to the public is definitely tricky.
The worst mistake one can make is to “lie”, denying what happened. Today, hackers often have their own websites, and there are websites dedicated to providing information about cyberattacks. In addition, threat actors may publish leaked data on the dark web to provide evidence of the breach and support the ransom demand.
To maintain trust, the public needs to learn about a company’s cyberattack from the company itself before they get information about it from the media. Furthermore, in the case of global cyberattacks, local culture must be considered in communications. FAQs can be created to answer questions, but call centers, or in any case dedicated personnel, are needed to answer the (many) requests for clarification from customers and employees.
Most privacy agencies have a dedicated email address for handling user complaints, and cybersecurity agencies monitor all attacks affecting companies, which makes the risk of sanctions even higher.
What should directors do following a cyber attack emergency?
Increasingly, companies that have been hit by a cyber attack are hit by another cyber attack within the following 12 to 24 months. In these cases, the company did not thoroughly analyze the dynamics of the attack, did not ensure that the threat actor was no longer present on the company’s systems, and did not take corrective action to remediate the weaknesses exploited by the attack.
In these cases, the possible liability of directors can be more difficult to deal with, because the company will have become a repeat offender.
This article only illustrates some of the things directors should look out for in cyber risk management, with the understanding that the dynamics of attacks are constantly evolving and corrective actions must evolve as well. On a similar topic, you can read the article “ENISA 2022 Ransomware Report Offers Insights on Recent Changes”.
Original post: https://www.gamingtechlaw.com/2022/10/board-directors-liability-cyberattack.html
About the Author: Giulio Coraggio
I am Resident Head of the Italian Intellectual Property & Technology Department and Global Co-Head of the IoT and Gaming & Gambling teams at DLA Piper, a world-leading law firm. As IoT and AI influencers, as well as fintech and blockchain experts, we find the next step in our clients’ success.