Cybercrime - are you protected? Legal aspects of safeguarding your business
In this second part of our cybersecurity feature, we asked Eversheds LLP, a multinational law firm, how it can support businesses in safeguarding themselves against security breaches of this kind. Rebecca Copley, Head of Financial Services Disputes and Investigations for the Middle East, and Laura Shingler, Senior Associate, Eversheds, answered our questions.
Having seen how damaging such an event can be for a business, can you explain what the wider risks of a data breach can be?
The effects of a cybersecurity breach on an organisation can be devastating. In addition to the obvious commercial repercussions, such as system downtime and the costs of cleaning up the issue and of restoring and enhancing the systems, a security breach can result in legal and regulatory action, significant fines, substantial legal fees, corporate liability for the company and personal liability for the directors. In addition, there may be a number of hidden costs, such as increased insurance premiums, public relations costs, the loss of customers or contracts and an irreversible impact on reputation. Trust is key to an organisation’s success, and the harm caused to a brand’s reputation as a result of a breach can be long lasting and, in some cases, irreversible. Not only are companies that fall victim to a data breach liable to customers and investors, but they often face scrutiny, and in some cases fines, from regulators. Some may say that it is the appearance of negligence that has the most devastating impact on an organisation. This often results in the loss of business, which can have significant consequences beyond the initial financial costs incurred.
How can a business prevent hacking incidents?
Ensuring that all executives and board members fully recognise the risks associated with a data breach is a critical first step towards developing an effective risk management programme. The temptation to sidestep the subject of cybercrime, on the basis that it is an ‘IT problem’, still exists. However, this approach leaves organisations ill-equipped to prevent, identify and remedy cybercrime incidents as and when they occur, which they inevitably will, and is rarely going to be an acceptable defence to regulators or law enforcement. Organisations must therefore recognise that data protection is everyone’s responsibility, from the top to the bottom of an organisation, and that when an attack occurs, clarity over the organisation’s incident response plan and precisely who is responsible for what will prove essential. Planning and education are key when it comes to cybersecurity, and all businesses will benefit from reviewing their security practices and procedures before putting in place stringent policies. These policies should be communicated to all employees through training and awareness programmes, helping to raise awareness of data protection and improve risk management. Implementing frequent ‘fire drills’ will also help assess readiness and response. Organisations should also implement policies on device management and data handling to minimise the risk of inadvertent data exposure, especially in companies that operate under ‘bring your own device’ (BYOD) models, where employee devices do not have the same security levels as corporate devices. Employees with access to sensitive data should also be monitored to ensure data remains secure even after the employee has left the company. At an external level, and in addition to the technical precautions put in place to stop cyber attacks, businesses must have a clear understanding of how data is managed by third-party vendors and suppliers.
We would also urge organisations to review their contracts with third-party suppliers to ensure that they contain the necessary protections to minimise the risk of cyber threats and data breaches. Finally, it is important to check that insurance policies cover the consequences of internal and external cyber attacks. Ensuring that there are no legal loopholes in your insurance cover is not an exercise that you can afford to leave until after the event. Check them now and seek input from legal specialists to obtain the clarity you need.
How does Eversheds complement the protection provided by those organisations specialising in cybersecurity?
As with all compliance-related risks facing an organisation, companies need to implement a robust compliance programme in order to effectively mitigate the risks of cybercrime. Eversheds’ compliance experts have extensive experience in helping clients implement cost-effective and tailored solutions to the risks they face across the globe, including those that are ‘cyber’ in nature. With the added benefit of being able to benchmark clients’ existing practices against those of others comparable in size, sector and industry, we are able to help clients design, implement and review their programmes in a way that makes the biggest impact.
The extent to which an organisation can successfully mitigate its risks is clearly dependent on its ability to identify them in advance. Consequently, we recommend this as the starting point in any strategy designed to combat cybercrime and are frequently called upon to assess the key areas of risk, taking account of our clients’ products, employee behaviour and third party relationships.
Policies and procedures
Once the risks are assessed, we can then move to helping our clients manage them by drafting appropriate policies and procedures, ensuring they are fit for purpose and tailored to the organisation. This can involve drafting the documents from scratch or reviewing and amending those in place to help ensure that they take account of new and emerging risks.
Process review and audits
Investing time testing the extent to which your cybercrime policies and procedures have been fully implemented and are complied with will pay dividends down the line. Whilst some clients are engaging in such exercises, we are yet to see organisations actively test the operational and control effectiveness of their cybercrime controls in the way we do in the context of other risks. We can help manage this process by reviewing and benchmarking practices against other organisations in the industry, identifying gaps and areas of improvement, incorporating best practice principles and regulatory expectations.
Training is an essential element in ensuring a company’s approach to cyber risk is fully understood from top to bottom. We can offer the resource, insight and independence needed to help deliver those messages and sharpen employees’ risk management radars, in a tailor made form.
Legal advisory services
The issues surrounding cyber breaches cut across a multitude of laws in different jurisdictions. We regularly help clients navigate their way through this legislative maze by delivering user-friendly, solutions-focused advice, making full use of our expansive network of lawyers covering 29 different countries.
Drafting, negotiating and providing guidance on protective language in commercial and third-party agreements is a service we have provided for many years in relation to financial crime-related risks. We are now seeing the demand for this service grow specifically in the context of cyber-related risks, as a robustly drafted contract can prove invaluable in the event of a breach, providing clients with effective contractual remedies and the ability to exit adverse agreements with limited consequences.
How does Eversheds help a business develop legal protections/processes if this sort of time-critical incident happens?
Our ethos is to help clients avoid problems before they occur. However, sometimes new and historical failings cannot be avoided. Our global team is on standby 24/7 to respond rapidly anywhere to an issue or an investigation, to help navigate our clients through the issues, protect their rights, provide strategic guidance and liaise with the regulator and enforcement agencies, seeking to obtain the best outcome and minimise the impact of the process. We have worked on hundreds of internal investigations, varying from own-initiative audits or reviews and third-party assessments to multi-jurisdictional, in-depth internal reviews following on from an external investigation. We produce simple, privileged, business-friendly reports that make practical recommendations. We also advise on reporting obligations and negotiate disclosures on behalf of clients. In addition, we understand the critical importance of brand and reputation and the damage a compliance failure can cause. When an incident occurs, we can help to control damage by briefing communications teams and liaising with the regulator or enforcement agency to limit media coverage.
About Eversheds
Eversheds is a Top 50 law firm headquartered in London with offices based in Jordan, Iraq, Qatar, Saudi Arabia and the United Arab Emirates. Eversheds was named Banking & Finance Team of the Year at The Oath’s annual Middle East Legal Awards, and won ‘Project Finance Deal of the Year’ at the International Financial Law Review’s (IFLR) 11th annual Middle East Awards. www.eversheds.com