In 2020 companies around the world were hit by a wave of cybersecurity incidents. Our Amsterdam Technology & Data team spoke with over 30 organisations that represent a cross-section of the Dutch corporate community about their experiences, key challenges and the impact of cybersecurity incidents on their business. In this blogpost we share our main findings and our recommendations regarding cybersecurity.
Cybersecurity has become a major threat. Almost all companies we spoke to experienced at least one cybersecurity incident in 2020, and we expect the number of cybersecurity incidents to increase in the next few years. It is hard to keep up with ever more clever hackers. And, although it seems obvious, being prepared is of the essence. That is the key take-away of all organisations after having suffered a cyber attack. To avoid chaos, panic and a huge loss of revenues due to a business meltdown caused by a cyber attack, it is critical to have a robust cybersecurity incident response plan in place.
If you have any questions about our research or preparing for or dealing with a cyber attack then feel free to contact Nicole Wolters Ruckert.
In general, we would like to note that the impact of the Covid-19 pandemic on cybersecurity incidents has been substantial. Many people are working from home, and this poses specific and relatively new security threats. The overall trend is for hackers to become more inventive and cyber attacks to become more dangerous for businesses; it is challenging to keep up with these developments. Our key findings are:
- A solid (cyber)security incident response plan is vital for business continuity and all organisations confirmed they had such a plan in place, ready to use. A number of organisations indicated that they have different incident response plans in place for minor and major (cyber)security incidents. The consensus was that it is indeed worthwhile to categorise cybersecurity incidents by severity and have different response plans in place for each category.
- The most challenging aspect of the incident response plan is involving the right stakeholders at the right moment. Almost all organisations said that interaction with(in) the response team is a key success factor for an effective and efficient response, and deciding whom to involve and when is therefore critical. The data protection officer and legal team should of course always be involved, but depending on the nature and extent of the incident, others need to be involved as well. The most likely candidates are IT or the security department, as well as internal communications, external PR advisors and the managers of the affected (parts of) business units.
- Organisations are especially worried about being the victim of ransomware attacks. A key point of contention was when and how to involve the police in case of an attack. Everyone agreed there are obvious and substantial benefits to involving the police. However, some made the point that not involving them at the right moment can result in a severe slowdown in the handling of the ransomware attack that can have a major adverse effect on the business.
- Organisations find big differences between regulators (DPAs and others) in Europe when it comes to cybersecurity incident notifications and the handling of cybersecurity incidents. Some participants said that from a practical perspective, it would be preferable if all notification forms and requirements were standardised throughout Europe.
- Cybersecurity (due) diligence has become increasingly important in M&A transactions. Vulnerabilities in (legacy) systems of target companies represent a severe risk for the buyer, to the extent these may result in major fines imposed by supervisory authorities. Each M&A team should therefore be made (more) aware of these risks, and the participants felt that members of the legal team and/or the Data Protection Officer should at an early stage have a seat at the table.
Based on our research and our experience advising clients on cybersecurity incidents, our key recommendations are:
Have procedures and policies in place
- Make sure you have a clear picture of your legal responsibilities and risks. Prepare an overview of the legislation (e.g. GDPR, NIS directive, financial regulatory law) applicable to your organisation, and understand which notification requirements and timelines follow from that legislation.
- Have a thorough understanding of what information should be disclosed to the regulators in the jurisdictions in which you are active in the event of a cybersecurity attack, and when. Knowing the ins and outs of the notification duties is crucial in view of the substantial enforcement risks, as many DPAs’ enforcement cases under the GDPR concern failure to notify the DPAs correctly and on time.
- Have proper detection and monitoring mechanisms in place. Equally, require your third party service providers to have the same mechanisms in place and, for that purpose, have adequate contractual arrangements in place. Early detection is important to limit the impact of a cyber attack. It may also help to avoid interference by regulators, and thus the risk of fines. In our experience, the more time that passes between the actual start of an attack and its detection, the more likely it is that regulators will get involved and start an investigation (which may lead to fines).
- As part of your preparation, consider whether your existing internal standard is (or should be) to never pay the hackers behind a ransomware attack. Assess thoroughly the pros and cons of paying, and especially check that payment would not put you in breach of other laws and regulations. In any event, keep in mind that in the case of a ransomware attack it is never 100% certain – even if you pay – that the data will not still be stolen or copied. Even if a ransom is paid, data may still appear on the dark web and/or otherwise be abused (e.g. sold).
- Often, cybersecurity incidents are caused by human error. Organisations should have policies in place for how to deal with the individual who has ‘caused’ the incident. Such a policy should include considering whether HR should be involved and whether suspension of the individual is appropriate.
- If you or your third party service supplier has cybersecurity insurance, make sure you have a clear understanding of what exactly is covered. In many cases your or the third party’s insurance will only cover the direct effects or costs of the cyber attack, and not other damages resulting from it, such as the consequences of the loss of data.
Have your team ready
- Give careful thought to which individuals, representing different functions in your organisation, will be part of your incident response team. Make sure to include at least one member of the board.
- It is important to have a clear picture of the third parties you may need to involve when a cybersecurity incident hits you. You should have pre-negotiated contracts in place with all of them. You want them to be ready to go in case of an incident, and you definitely do not want to discuss fees and other terms and conditions while you are under pressure. Relevant third parties to consider include law firms (attorney-client privilege), an external forensic IT team, cybersecurity insurers and public relations advisors.
- Be aware that cybersecurity insurers in some cases impose instructions on you for handling the cybersecurity incident: for example, whether or not to pay a ransom demand, when to communicate about the incident, or which third parties to involve. Take this into consideration when negotiating your cybersecurity insurance.
- Prioritise training your M&A team on the impact of potential cybersecurity incidents. We also recommend that you always carry out a full IT systems and cybersecurity audit during, or otherwise directly after, an acquisition. Even if the IT systems and policies of the buyer will replace those of the target, these legacy IT systems should be audited for vulnerabilities and adequate risk-mitigating measures put in place.