Rise in data breaches provokes cyber blame game
With cybersecurity lawsuits on the rise, the probability and financial impact of cyber incidents are ever-growing for businesses. Bill Mew looks at the increasingly complex question of liability.
Instances of ransomware are on the increase. During 2019 malware monitor ID Ransomware recorded 452,151 confirmed incidents, but with only a quarter of organisations submitting reports to it, the figure could be four times as large.
Ransomware demands doubled in the final quarter of 2019. The average demand rose to $84,000, but in 2020 we have already seen demands escalate further with £42m demanded in the REvil (Sodinokibi) ransomware attack on a New York-based law firm. A third of companies are reported to have agreed to pay such demands.
The cost of the ransom itself is dwarfed by other costs. Incidents result in an average of 16 days of downtime at a cost of $5,600 a minute – equating to a global total for ransom demands and downtime of between $42bn and $169bn.
Reputational damage, the cost of recovery, regulatory fines and litigation add even more to the overall cost: Norsk Hydro suffered a ransomware incident that cost it more than €70m, but its cyber insurer paid out only €3.6m – only about 6% of the total. And EasyJet has been setting records in the UK with a data breach impacting nine million victims, resulting in an £18bn litigation claim, with 10,000 claimants signing up in the first three weeks – the largest and also the fastest growing privacy claim in UK legal history.
Organisations of all sizes are potential targets. It’s probably not a matter of if you’ll get hit, but when. And since the average breach takes more than six months to detect, it may well already have happened.
The cyber blame game
Cyber insurance is unlikely to be the answer: there are so many exclusions in current cyber policies that insurers could well refuse to pay out on just about any claim for any incident.
With such large risks and potential costs, a blame game inevitably follows any significant incident. In this aftermath period, senior managers, shareholders, regulators and, sometimes, even litigating claimants seek to apportion blame, levy fines, level claims and demand redress. But who they go after, and for how much, is key.
Many have been following the Morrisons case, in which the supermarket was hit by a claim for damages after a disgruntled employee leaked the personal details of 100,000 staff online. Initially, the supermarket was held vicariously liable for failing to prevent the incident – a precedent-setting ruling that a firm can be held liable for the criminal actions of its staff.
However, while this ruling was partially overturned on appeal, much to the supermarket’s relief, the Supreme Court upheld the legal principle that employers can now be legally responsible for data breaches caused by their employees – under the law of vicarious liability.
Further precedents will be needed to establish exactly how far an employer’s liability extends. If it is judged that an employer is ultimately responsible for even the careless, rather than malicious, actions of its employees, then the risk, compliance and cost implications would be enormous.
Individual executive liability
Attempts to combat financial crime were ineffective until regulators introduced regimes like the Senior Managers and Certification Regime (SMCR) to make company directors liable. Likewise, measures to combat health and safety abuse led to corporate manslaughter provisions – not just to hold companies to account, but also their directors.
While many already see GDPR as draconian, it is a matter of time before privacy failure sanctions are extended to company directors. This is already starting to become a reality:
- In a cyber incident court case in New York, a new precedent was set when board members and a CISO were individually named as defendants.
- In a further warning shot, former Uber security chief Joseph Sullivan was charged with obstruction of justice for allegedly covering up a major breach, in the first high-profile case of its kind.
- This week, Gartner issued a report predicting that CEOs could soon be held personally liable – with 75% of CEOs personally liable for Cyber-Physical Security (CPS) incidents by 2024.
The trend may be starting in the US, but as with privacy class action lawsuits like the one over the EasyJet data breach, Europe is unlikely to be far behind.
In its report, Gartner predicts that the financial impact of CPS attacks resulting in fatal casualties will reach over $50 billion by 2023. Even without taking the actual value of a human life into the equation, the costs for organisations in terms of compensation, litigation, insurance, regulatory fines and reputation loss will be significant.
Prevention and preparation
The rise in cyber lawsuits makes prevention and preparation more essential than ever. Preventative measures need to include regular patches and back-ups. And preparation needs to include realistic simulation exercises with the active participation of senior management. After all, they are the ones who could be individually liable if it all goes wrong.
Despite the fact that “regularly testing, assessing and evaluating” cybersecurity processes is mandated by GDPR, senior management are either failing to ensure that cyber incident response exercises are conducted or failing to participate in these themselves, meaning that those involved in a real crisis will not have been present at any training.
One survey found that a quarter of organisations ran crisis exercises without senior cybersecurity leadership in attendance, and only 20% of exercises involved communications team members.
Expert support when things go wrong
When facing a cyber incident, IT teams often attempt a DIY fix before finding that they are out of their depth and calling for help. By then, it’s often a little too late: the impact and exposure have magnified significantly and, not having time to select the right experts carefully, they call in the wrong people.
Given the financial exposure, it is worth having real experts on the technical, legal and financial aspects of cybersecurity on speed dial – and including them in your rehearsals.
Cybersecurity is not just an IT problem. Given how high the stakes are and how great the potential liabilities are, it is a significant financial risk. Being prepared and having expert support to hand has never been more essential.
Foresight is a whole lot cheaper than hindsight
Managing such a significant financial risk is easiest with prevention and preparation, and dealing with such incidents is most effective with expert support.
The budget for all of this should, if anything, be easier to obtain approval for if the board members are aware that they could be individually liable if or when it all goes wrong. But then again, does the board actually understand the cyber risk?
Founder and CEO of CrisisTeam.co.uk (SiliconANGLE global Startup of the Week – May 2019), an elite team of experts in incident response, cyber law, reputation management and social influence that help clients minimize the impact of cyber incidents. Previous cloud strategist at UKCloud (the...