Cy­ber­crime - are you pro­tected? Le­gal as­pects of safe­guard­ing your busi­ness

Middle East Business (English) - - CONTENTS - by An­nemarie Rob­son، In­ter­na­tional Ed­i­tor Mid­dle East Busi­ness - UK

In this sec­ond part of our cy­ber­se­cu­rity fea­ture, we asked Ever­sheds LLP, a multi­na­tional law firm, about how they can sup­port busi­nesses safe­guard them­selves from se­cu­rity breaches of this kind. Re­becca Copley, Head of Fi­nan­cial Ser­vices Dis­putes and In­ves­ti­ga­tions for the Mid­dle East, and Laura Shin­gler, Se­nior As­so­ciate, Ever­sheds, an­swered our ques­tions.

Hav­ing seen how caus­tic such an event can be for a busi­ness, can you ex­plain what the wider risks of such a data breach can be?

The ef­fects of a cy­ber­se­cu­rity breach on an or­gan­i­sa­tion can be dev­as­tat­ing. In ad­di­tion to the ob­vi­ous com­mer­cial reper­cus­sions such as the sys­tem down­time and the costs to clean up the is­sue and to re­store and en­hance the sys­tems - a se­cu­rity breach can re­sult in le­gal and reg­u­la­tory ac­tion, sig­nif­i­cant fines, sub­stan­tial le­gal fees, cor­po­rate li­a­bil­ity for the com­pany and per­son­able li­a­bil­ity for the direc­tors. In ad­di­tion, there may be a num­ber of hid­den costs such as in­creased in­surance pre­mi­ums, pub­lic re­la­tions costs, the loss of cus­tomers or con­tracts and an ir­re­versible im­pact on rep­u­ta­tion. Trust is key to an or­gan­i­sa­tion’s suc­cess and the harm caused to a brand’s rep­u­ta­tion as a re­sult of a breach can be long last­ing and in some cases, ir­re­versible. Not only are com­pa­nies who fall vic­tim to a data breach li­able to cus­tomers and in­vestors, but they of­ten face scru­tiny, and in some case, fines from reg­u­la­tors. Some may say that it is the ap­pear­ance of neg­li­gence that has the most dev­as­tat­ing im­pact on an or­gan­i­sa­tion. This of­ten re­sults in the loss of busi­ness, which can have sig­nif­i­cant con­se­quences, be­yond the ini­tial fi­nan­cial costs in­curred.

How can a busi­ness pre­vent hack­ing in­ci­dents?

En­sur­ing that all ex­ec­u­tives and board mem­bers fully recog­nise the risks as­so­ci­ated with a data breach is a crit­i­cal first step to­wards de­vel­op­ing an ef­fec­tive risk man­age­ment pro­gramme. The temp­ta­tion to side step the sub­ject of cy­ber­crime, on the ba­sis that it is an ‘IT prob­lem’, still ex­ists. How­ever, this ap­proach leaves or­gan­i­sa­tions ill-equipped to pre­vent, iden­tify and rem­edy cy­ber­crime in­ci­dents as and when they oc­cur, which they in­evitably will, and is rarely go­ing to be an ac­cept­able de­fence to reg­u­la­tors or law en­force­ment. Or­gan­i­sa­tions must there­fore recog­nise that data pro­tec­tion is ev­ery­one’s re­spon­si­bil­ity from the top to the bot­tom of an or­gan­i­sa­tion and that when that at­tack oc­curs, clar­ity over the or­gan­i­sa­tion’s in­ci­dent re­sponse plan and pre­cisely who is re­spon­si­ble for what will prove es­sen­tial. Plan­ning and ed­u­ca­tion is key when it comes to cy­ber­se­cu­rity and all busi­nesses will ben­e­fit from re­view­ing their se­cu­rity prac­tices and pro­ce­dures be­fore putting in place strin­gent poli­cies. These poli­cies should be com­mu­ni­cated to all em­ploy­ees through train­ing and aware­ness pro­grammes, help­ing to raise aware­ness and risk man­age­ment of data pro­tec­tion. Im­ple­ment­ing fre­quent ‘ fire drills’ will also help as­sess readi­ness and re­sponse. Or­gan­i­sa­tions should also im­ple­ment poli­cies on de­vice man­age­ment and data han­dling to min­imise the risk of in­ad­ver­tent data ex­po­sure, es­pe­cially in com­pa­nies that op­er­ate un­der 'bring your own de­vice' mod­els ( BYOD) where em­ployee de­vices do not have the same se­cu­rity lev­els as cor­po­rate de­vices. Em­ploy­ees with ac­cess to sen­si­tive data should also be mon­i­tored to en­sure data is se­cure even af­ter the em­ployee has left the com­pany. At an ex­ter­nal level and in ad­di­tion to the tech­ni­cal pre­cau­tions put in place to stop cy­ber at­tacks, busi­nesses must have a clear un­der­stand­ing of how data is man­aged by third party ven­dors and sup­pli­ers. We would also urge or­gan­i­sa­tions to re­view their con­tracts with third party sup­pli­ers to en­sure that they con­tain the nec­es­sary pro­tec­tions to min­imise the risk of cy­ber threats and data breaches. Fi­nally, it is im­por­tant to check that in­surance poli­cies cover the con­se­quences of in­ter­nal and ex­ter­nal cy­ber at­tacks. En­sur­ing that there are no le­gal loop­holes in your in­surance cover is not an ex­er­cise that you can af­ford to leave un­til af­ter the event. Check them now and seek in­put from le­gal spe­cial­ists to ob­tain the clar­ity you need.

How does Ever­sheds com­ple­ment the pro­tec­tion pro­vided by those or­gan­i­sa­tions spe­cial­is­ing in cy­ber­se­cu­rity?

As with all com­pli­ance re­lated risks fac­ing an or­gan­i­sa­tion, com­pa­nies need to im­ple­ment a ro­bust com­pli­ance pro­gramme in or­der to ef­fec­tively mit­i­gate the risks of cy­ber­crime. Ever­sheds’ com­pli­ance ex­perts have ex­ten­sive ex­pe­ri­ence in help­ing clients im­ple­ment cost ef­fec­tive and tai­lored so­lu­tions to the risks they face across the globe, in­clud­ing those that are ‘cy­ber’ in na­ture. With the added ben­e­fit of be­ing able to bench­mark clients’ ex­ist­ing prac­tices against those of oth­ers, com­par­a­tive in size, sec­tor and in­dus­try, we are able to help clients de­sign, im­ple­ment and re­view their pro­grammes in a way that makes the big­gest im­pact.

Risk as­sess­ments

The ex­tent to which an or­gan­i­sa­tion can suc­cess­fully mit­i­gate its risks is clearly de­pen­dent on its abil­ity to iden­tify them in ad­vance. Con­se­quently, we rec­om­mend this as the start­ing point in any strat­egy de­signed to com­bat cy­ber­crime and are fre­quently called upon to as­sess the key ar­eas of risk, tak­ing ac­count of our clients’ prod­ucts, em­ployee be­hav­iour and third party re­la­tion­ships.

Poli­cies and pro­ce­dures

Once the risks are as­sessed, we can then move to help­ing our clients’ man­age them by draft­ing ap­pro­pri­ate poli­cies and pro­ce­dures, en­sur­ing they are fit for pur­pose and tai­lored to the or­gan­i­sa­tion. This can in­volve draft­ing the doc­u­ments from scratch or re­view­ing and amend­ing those in place to help en­sure that they take ac­count of new and emerg­ing risks.

Process re­view and Au­dits

In­vest­ing time test­ing the ex­tent to which your cy­ber­crime poli­cies and pro­ce­dures have been fully im­ple­mented and are com­plied with will pay div­i­dends down the line. Whilst some clients are en­gag­ing in such ex­er­cises, we are yet to see or­gan­i­sa­tions ac­tively test the op­er­a­tional and con­trol ef­fec­tive­ness of their cy­ber­crime con­trols in the way we do in the con­text of other risks. We can help man­age this process by re­view­ing and bench­mark­ing prac­tices against other or­gan­i­sa­tions in the in­dus­try, iden­ti­fy­ing gaps and ar­eas of im­prove­ment, in­cor­po­rat­ing best prac­tice prin­ci­ples and reg­u­la­tory ex­pec­ta­tions.


Train­ing is an es­sen­tial el­e­ment in en­sur­ing a com­pany’s ap­proach to cy­ber risk is fully un­der­stood from top to bot­tom. We can of­fer the re­source, in­sight and in­de­pen­dence needed to help de­liver those mes­sages and sharpen em­ploy­ees’ risk man­age­ment radars, in a tai­lor made form.

Le­gal ad­vi­sory ser­vices

The is­sues sur­round­ing cy­ber breaches cut across a mul­ti­tude of laws in dif­fer­ent ju­ris­dic­tions. We reg­u­larly help clients nav­i­gate their way through this leg­isla­tive maze, by de­liv­er­ing user friendly so­lu­tions fo­cused ad­vice, mak­ing full use of our ex­pan­sive net­work of lawyers cov­er­ing 29 dif­fer­ent coun­tries.

Com­mer­cial con­tracts

Draft­ing, ne­go­ti­at­ing and pro­vid­ing guid­ance on pro­tec­tive lan­guage in com­mer­cial and third- party agree­ments is a ser­vice we have pro­vided for many years in re­la­tion to fi­nan­cial crime re­lated risks. We are now see­ing the de­mand for this ser­vice grow specif­i­cally in the con­text of cy­ber re­lated risks as a ro­bustly drafted con­tract can prove in­valu­able in the event of a breach, pro­vid­ing clients with ef­fec­tive con­trac­tual reme­dies and the abil­ity to exit ad­verse agree­ments with limited con­se­quences.

How does Ever­sheds help a busi­ness de­velop le­gal pro­tec­tions/pro­cesses if this sort of time-crit­i­cal in­ci­dent hap­pens?

Our ethos is to help clients avoid prob­lems be­fore they oc­cur. How­ever, some­times new and his­tor­i­cal fail­ings can­not be avoided. Our global team is on standby 247/ to re­spond rapidly any­where to an is­sue or an in­ves­ti­ga­tion, to help nav­i­gate our clients through the is­sues, pro­tect their rights, pro­vide strate­gic guid­ance, li­aise with the reg­u­la­tor/ en­force­ment agen­cies, seek­ing to ob­tain the best out­come and min­imise the im­pact of the process. We have worked on hun­dreds of in­ter­nal in­ves­ti­ga­tions vary­ing from own- ini­tia­tive led au­dits or re­views, third-party as­sess­ments and multi- ju­ris­dic­tional in- depth in­ter­nal re­views fol­low­ing on from an ex­ter­nal in­ves­ti­ga­tion. We pro­duce sim­ple priv­i­leged busi­ness­friendly re­ports that make prac­ti­cal rec­om­men­da­tions. We also ad­vise on re­port­ing obli­ga­tions and ne­go­ti­ate dis­clo­sures on be­half of clients. In ad­di­tion, we un­der­stand the crit­i­cal im­por­tance of brand and rep­u­ta­tion and the dam­age a com­pli­ance fail­ure can cause. When an in­ci­dent oc­curs, we can help to con­trol dam­age by brief­ing com­mu­ni­ca­tions teams and li­ais­ing with the reg­u­la­tor or en­force­ment agency to limit me­dia cov­er­age. About Ever­sheds Ever­sheds is a Top 50 law firm head­quar­tered in Lon­don with of­fices based in Jor­dan, Iraq, Qatar, Saudi Ara­bia and United Arab Emi­rates. Ever­sheds was named Bank­ing & Fi­nance Team of the Year at the an­nual The Oath’s Mid­dle East Le­gal Awards, and ‘Project Fi­nance Deal of the Year’ at the In­ter­na­tional Fi­nan­cial Law Re­view’s (IFLR) 11th an­nual Mid­dle East Awards. www.ever­

Newspapers in English

Newspapers from Palestine

© PressReader. All rights reserved.