The threat from cyberbreaches has been growing for a long time.
However, the cyberattack itself is no longer the biggest threat for the senior executives of larger organisations. The case of Travelex shows that a single security breach is capable of bringing down a long-established, successful business, while costs have risen disproportionately for larger enterprises. A survey by Bitglass of the largest breaches over the past 5 years, which include Marriott, Facebook, Chegg, Equifax, Dun and Bradstreet, Sonic, Yahoo, LinkedIn, Uber and Verizon, showed that these organisations lost on average $347M in legal fees, penalties, remediation costs and other expenses.
We now have regulatory fines for breaches of data protection law of up to 4% of global turnover. In addition, the Google v Lloyd judgement in the UK has established the use of the representative claims procedure set out in Civil Procedure Rule (CPR) 19.6 for data loss, leading to the potential for class action lawsuits estimated to be 3 to 5 times the size of the regulatory fines. Currently the biggest case underway is EasyJet. UK law firm PGMBM has issued a claim in the London High Court, and widely publicised that it would be seeking damages of up to £18 billion on behalf of EasyJet's impacted customers, although that is likely to be reduced to the low billions if an out-of-court settlement is reached.
Many businesses believe that cyber insurance will cover their breach costs. However, insurers have refused to pay out anything like the full claim in large cases. Insurers are now increasing their exclusions as well.
There is also the growing possibility of executives facing criminal charges for offences such as failing to disclose a data breach, as Uber’s executives have been, as well as shareholder action.
This means that the biggest breaches have a disproportionate impact on the largest companies. The costs and penalties for security breaches are starting to look very similar to those associated with Health and Safety law.
The principle of legal defensibility
One of the most important requirements for legally defensible cybersecurity is seeking independent expert advice. According to Richard Dutton, co-founder of specialist legal data advisory business ELIAS Partnership, there are at least five reasons why seeking independent advice is important in the current environment:
If you’re a member of the C Suite of an enterprise level business and you’ve experienced a serious cyber or data breach/event, you’ve been sued and you’re in court, the first question leading Counsel will ask you is “Did you take independent expert advice?” It’s a key requirement in the ICO guidance and other ISO regulations.
If you are a C Suite or senior manager in the Financial Services or Insurance industry you are governed by the Senior Managers and Certification Regime (SM&CR) which carries personal liability if you fail to discharge your responsibilities appropriately. Independent expert advice can demonstrate you’ve acted responsibly.
If you are a NED of an enterprise level business, reputational risk has never been higher so you would want an independent expert assessment as part of your Board Assurance Framework.
There is no certification of GDPR or DPA Compliance. An organisation's DPO can’t provide assurance of compliance but leading Queen's Counsel can make an assessment of whether your business has a legally defensible position in the face of those regulations.
The ICO has a poor record of enforcement on the GDPR and so many organisations have been lulled into complacency. What the C Suite should be most concerned with is the increasing use of class actions. Having a legally defensible position in the face of one of those will be very important for the reputation of the Board and the business.
Finally, Richard says that there have been too many examples recently where some firms’ retained professional advisors are being sued for not being challenging enough to C Suites. Independent expert advice - legal and technical - provides a counter to this.
What is legally defensible cybersecurity?
Legal defensibility means that an organisation has taken all reasonable steps to protect itself and its assets, on the assumption that it will experience a security incident that will lead to regulatory/legal proceedings that challenge whether its preparations were sufficient.
It is not sufficient, though it is a good start, to have certifications like ISO 27001 or as cases like British Airways and EasyJet show. Despite having a well-developed cybersecurity strategy and ISO 27001 certification, EasyJet is facing a class-action lawsuit claiming £18bn in compensation, and many others are waiting for the outcome of the Google v Lloyd appeal in April. Regulators and barristers aren't impressed by certifications; they will require evidence that risks had been properly evaluated and that reasonable processes and defences were in place.
The most important thing in legal defensibility is understanding how regulators think and the investigative resources they have at their disposal. Were your statements and policies in line with legal requirements? Did you regularly test your defences and review your security strategy? Did you take all reasonable steps to both prevent and to remedy any breach?
What would be regarded as “all reasonable steps”? There are various elements that business executives should be looking for in a legally defensible cybersecurity strategy.
Risk Analysis: It is essential to understand the real risks the organisation faces in managing and protecting data, information, and assets that could be vulnerable to a cyber-attack. This involves identifying all of the possible ways that compromises could occur and evaluating the associated value-at-risk.
Security architecture: Security architecture is a unified approach to security design that takes a risk-based approach to protecting assets, covering the risk register, policies, processes, technical architecture and monitoring. A well-crafted security architecture is designed to meet security goals and those goals must be based on an understanding of the risks the organisation faces. A security architect understands how vulnerabilities are exploited and therefore how best to defend an organisation against exploitation.
Contingency Planning: Cybersecurity incidents can escalate fast. It is essential to have contingency plans in place that cover not only technical recovery but the legal and media fallout and the financial consequences. Those contingency plans should include suitably experienced external advisors capable of providing the specialist support required in a crisis.
Testing: Contingency plans have to be regularly practised to be effective when called into use. These plans should be tested at senior management and board level, not just lower down in the business, because in a contingent event . Simple things like knowing where to get hold of a copy of the contingency plans, or how to contact a senior executive when normal systems are unavailable, can make the difference between a successful invocation and failure. The GDPR legislation also contains a requirement for regular testing, which would be taken into account by regulators and courts. Finally, regular independent penetration testing helps identify any vulnerabilities in your security architecture that may have been overlooked or created.
Klaatu's RAPTOR service has all of the advisory and contingency testing elements necessary to help ensure that, even if breached, your risks are minimised. From advanced simulations that prepare the team for any breach through development of a robust security architecture to a rapid response capability based on the government and security services rapid response model, we help ensure that your business is resilient in the face of today’s escalating threats.