At the gates – How to survive the era of cyber insecurity

Businesses face more legal risks, a mine field of regulation, and individual liability for failures. Getting the basis right is more important than ever.

Alex Cravero, senior associate and Andrew Moir, partner, Herbert Smith Freehills

Published: 19 Jul 2023

While the cyber security industry has existed for decades, when it comes to digital business, never has there been such anxiety about the safety of our digital spaces. The spheres of high finance, defence, healthcare, critical infrastructure and our personal lives rely on online nervous systems susceptible to attack by malevolent forces. As more devices connect to complex networks, more vectors are becoming available to cyber criminals.

The consequences of these attacks can range from costly to catastrophic. Yet, crucially for boardrooms, they have also grown more frequent and more severe.

As if that was not enough to arrest attention, businesses are also contending with an increasingly complex regulatory landscape and litigious environment.

It is imperative to prepare for a broad range of risks particularly because regulators are increasingly active and resourced, often looking to directly inculcate officers and directors of corporates.

Under siege

It means that there are three main trends for businesses to contend with: an increasing legislative burden; a more contentious environment following cyber incidents; and an increased focus on individual liability.

The legislative angle is increasingly complex in jurisdictions across the globe. In the UK, for example, from the Computer Misuse Act in 1990 and the EU Data Protection Directive of 1995 through the Security of Network & Information Systems Regulations in 2018 to the UK’s General Data Protection Regulation in 2021 and the upcoming EU AI Act, business is wrestling with a myriad of government interventions impacting digital security. In the US, the White House has published its National Cybersecurity Strategy, looking to improve cyber investments and risk allocation. The Australian Government is also developing the country’s cyber security strategy, foreshadowing material legislative reform.

Plus, cyber security is a multinational issue, which means you have to deal with different regulatory regimes across the jurisdictions you operate in. It becomes a minefield.

According to Chainalysis, estimated global payments identified as received by cyber extortion attackers more than quadrupled annually from $174 million in 2019 to $765 million by 2020. The hike has prompted some governments to consider intervention, with the Australian Minister for Home Affairs and Cyber Security, Clare O’Neil, flagging that the Australian Government is considering a proposal to ban ransom payments. While logically a ban would remove the commercial incentive of ransomware attacks, the proposal remains complex, particularly if core assets or operations are impacted by ransomware.

Even if the frequency or value of extortion payments begin to fall, it is generally accepted that the broader cost of cyber-crime will continue to rise.

The numbers involved tell their own story. According to the United Nations Capital Development Fund, the total direct cost of global cybercrime in 2020 was approximately $945 billion. However, when indirect costs such as brand disparagement, intellectual property infringement and lost opportunities are considered, the figure inflates to around $4 trillion.

In this context, it is unsurprising regulatory scrutiny looks set to increase.

Moreover, regulatory attention is being monitored by parties looking to commence class action claims. In Australia, recent high-profile data breaches have resulted in multiple class action claims with the impacted organisations also the subject of investigations by the Office of the Australian Information Commissioner. Meanwhile, UK regulators are becoming similarly focused. The Information Commissioner’s Office has issued two so-called ‘mega fines’ following breaches in recent years, with Marriott receiving a £18.4 million penalty in 2020 following a 2014 cyber incident and British Airways being fined £20 million following a breach disclosed in 2018.

Of course, regulators might take a particular interest in a data breach if they believe there were shortfalls in the company’s cyber security. This may be weaponised by plaintiff firms, who leverage the findings of regulators to bring claims on behalf of those affected.

While all this should be enough to concentrate the minds of boardrooms, there’s another point of vulnerability: a renewed focus on individual director liability. This is primarily playing out in the US but advisers warn it may be a sign of things to come globally. Those operating in the UK financial services sector are already subject to the Senior Managers and Certification Regime.

2022 saw the highest rate of mobile phishing attacks on record, according to software firm Lookout. In the UK, government figures show 83% of the businesses that reported a cyber-attack in 2022 identified phishing attempts as the means of attack.

The fear is that these methods are becoming more effective due to developments in artificial intelligence (AI). A notable example is OpenAI’s chatbot, ChatGPT, which was recently exploited by cyber criminals to generate malicious content such as phishing emails and malware. Of course, AI’s potential cuts both ways: the technology can be deployed in cyber defence as well as cyber-crime, but concerns are growing.

Duck and cover

Insurance markets typically excel at putting a price on risk – a reality which has seen some unusual policies taken out over the years. However, recent developments in the insurance sector are undermining confidence that the industry will step in to cover cyber risks. Last year, Lloyd’s of London announced cyber policies will have an exemption for attacks by state-backed actors. Initially, this may seem unsurprising – acts of war have long been excluded by insurance policies. However, it is an unsettling qualification when the question of whether a threat actor is state-sponsored is increasingly unclear.

Moreover, legal clashes over whether an attack has been supported by a country seem inevitable. For example, in 2022 pharmaceutical group Merck succeeded in a US court claim that a war exclusion should not be applied to an assessment of its $1.4 billion loss suffered from a 2017 malware attack known as NotPetya. The distinction between digital war and digital crime has never been blurrier, and insurers are hoping to provide clarity in what is still a relatively young market.

For now, businesses are facing intense pressure to demonstrate to insurers they have a robust and workable strategy to defend against cyber incidents. Cyber insurance is generally only available to companies that can demonstrate an acceptable level of resilience. Furthermore, the risks are driving premiums upwards, as too are significant losses incurred by cyber insurance providers early in the policy lifecycle.

Forever war games

It has been a common refrain among military tacticians since remarked by Prussian commander Helmuth von Moltke in 1880: no plan survives first contact with the enemy. But while the maxim holds true in matters of digital conflict and crime, it does not change the fact that a rigorously tested and flexible plan of action is far better than improvisation once cyber hostilities commence. Drawing up coherent plans, ensuring widespread awareness throughout the business, and wargaming those plans to maintain familiarity, socialise the sorts of questions the business will have to answer, and reveal unforeseen problems are the most effective measures businesses can take to protect themselves.

Cyber security also involves more than just tech – the human element is central. The absolute basic thing is training your people and not losing sight of the human dimension alongside the technical dimension. You could patch against every possible security vulnerability out there and still have a huge incident because someone’s credentials were stolen.

Yet, ensuring the technological and human pillars of cyber resilience are sufficiently resourced and trained requires complete board buy-in. The boardroom needs to realise things will change over the coming years and that it’s better to be on the front foot and having made plans and budgeted for it. Put simply, if every board member across every UK board was switched on and had instructed for proper preparation and reviewed all this, then the entire nation’s resilience would be much higher.

The ultimate reality is that cyber-crime, despite existing as a mainstream concern for 20 years, is an escalating risk factor for business. The best defence remains less about cutting-edge tech and more the unglamorous business of sound organisational process. Getting the basics right: educating staff, keeping software updated, backing up data, and maintaining sensible, actionable response policies. As much as the risks and technologies continue to morph in the cyber sphere, the basics of well-implemented but unflashy risk policies remain as relevant as ever.