What company directors must know about cyber security

The company director’s guide to cyber security: Managing data breaches, ransomware and legal risk

Cyber security breaches pose significant commercial, legal and regulatory risks to any organisation, particularly when personal data is involved. Under the UK GDPR and Data Protection Act 2018, organisations are legally required to implement appropriate technical and organisational measures to safeguard personal data. Failure to do so can result in:

  • claims for damages from affected individuals
  • ICO investigations and swingeing fines, and
  • notification obligations to the ICO and any affected individuals.

There will also be potential third party claims if business data or confidential information is lost due to a failure to keep data secure, as that failure is likely to be a breach of express or implied contractual obligations. Your organisation remains liable even if IT services are outsourced. Insurance limitations and the interplay of limitation of liability clauses with data protection clauses must be carefully considered, as contract terms increasingly require a breaching party to indemnify all losses caused by data protection breaches.

In the recent Marks & Spencer cyber incident, it has been reported that the retailer suffered losses of £300m but only had cyber cover for £100m.

Priority actions following a cyber-attack

When an attack occurs, swift and coordinated action is essential on several fronts. Organisations must:

  • cleanse/isolate infected systems
  • consult legal counsel to check whether ICO/individual notification is necessary and whether there are any potential claims that can be made by or against the company
  • manage public relations
  • notify insurers, and
  • activate disaster recovery plans.

In particular, there will be an obligation to notify the ICO of any cyber-attack where there is a serious risk that personal data has been compromised; where there is a particularly high risk to individuals’ rights and freedoms, the data controller will also be obliged to notify those individuals. The ICO should be notified within 72 hours of the organisation becoming aware of a serious breach. The obligation to notify individuals is subject to important exceptions:

  • where the controller has taken measures that render the personal data unintelligible (e.g. by encrypting it); or
  • where the controller has taken remedial measures so that there is no longer a high risk after the breach; or
  • where notifying individuals would require “disproportionate effort”, in which case notification can instead be by some form of public communication, e.g. a general press release or a website alert.

Accordingly, expert advice from IT specialists, lawyers, PR professionals and insurers will be crucial, and the cost of cleansing IT systems can be significant.

Post-incident reviews should be conducted to identify system weaknesses, learn lessons and improve resilience.

Dealing with ransom demands

Ransomware attacks present a difficult dilemma. While paying a ransom to an attacker is naturally unattractive, it may be commercially necessary in practice. Hackers often leak sensitive data on the Dark Web or threaten to do so, meaning that it is very difficult to avoid reputational damage or damaging use of the data by malevolent parties even if you can cleanse IT systems quickly. Payment may prevent further leaks and restore access to critical systems, and there is evidence that “serious” hackers have an interest in restoring access or data once the ransom is paid, since otherwise their future ransom demands would be ignored. Ransom sums are often negotiable, and insurers may cover payments if they are consulted closely in line with the insurance policy. Careful strategic consideration and risk management are essential in these situations, which will be highly fact-specific.

Cyber security is a board level responsibility

Company boards play a critical role in setting the tone and strategy for cyber resilience, and organisations whose boards are actively involved in cyber security are more likely to avoid damaging attacks. Boards must identify risks, develop strategies, foster a security culture, plan for incidents and establish governance structures.

The good news is that boards do not need to do this from scratch: to help them, the UK Government has issued a Cyber Governance Code of Practice that outlines 5 key governance actions in the areas of:

  • risk management
  • strategy
  • people
  • incident planning, response and recovery, and
  • assurance.

The Code is supplemented by its Cyber Governance Training and the Cyber Security Toolkit for Boards, which explain why governance is needed and how to implement the actions in practice. Whilst board directors do not need to become cyber security experts themselves, they do need to know enough about the underlying issues to delegate tasks to colleagues within the organisation and monitor their performance.

Cyber security training for directors

The Cyber Governance Training comprises five 20-minute video modules, one covering each of the 5 key principles in the Code, whilst the Cyber Security Toolkit for Boards provides additional detail and practical tips to help company boards implement those principles.

Finally, all organisations should aim to be accredited under the Cyber Essentials Scheme, a Government-backed certification scheme that is seen as offering a fundamental level of cyber security. Better still is accreditation under Cyber Essentials Plus, which requires an organisation’s cyber security practices to be audited by a third party.

Conclusions

Cyber security is a matter requiring strategic board-level attention, but it is not always treated this way. Directors must understand the commercial and legal risks of a cyber security breach, prepare for breach scenarios and ensure robust governance structures are in place. By leveraging government resources, taking professional legal advice and implementing best practices, boards can reduce their company’s commercial and legal exposure and protect its brand reputation.

How Moore Barlow can help

Our Commercial and Technology lawyers can help board directors and companies with cyber security issues on a number of fronts, including advice on:

  • data protection agreements
  • IT supply contracts
  • legal requirements/obligations/remedies in the event of a data breach
  • ICO notifications and press releases
  • drafting/implementing cyber security policies
  • dealing with claims for/against the company.