This article was originally published in Blockchain Industry Review - a Crypto Curry Club Magazine published monthly and available in soft copy and the printed version.
Written by Guest Contributor, Charlotte Hill,
Senior Associate of UK and international law firm, Penningtons Manches Cooper LLP
Over the past six months or so, you would be hard pressed to have not read or heard about a cyber-attack. Attacks on the Colonial Pipeline in the United States; on Brenntag, a German chemical distribution company operating in over 77 countries; on the Harris Federation Schools, the largest academy trust in the UK where data from 38,000 pupils was stolen; the more recent attack on Kaseya, an US information technology company, over the 4th July weekend; and the two recently reported attacks on barristers chambers in London with threats to publish sensitive client data if ransoms were not paid, are a just small handful of those recently reported. Such an attack can be highly damaging, with sensitive data being published on the dark web or more widely distributed if a high ransom is not paid, reputations are being damaged or destroyed and, in circumstances where healthcare organisations such as the NHS have been attacked, they can (and have) put lives at risk.
It may surprise some to learn that cyber-security is a board level responsibility - directors could fall foul of the individual duties that they personally owe to the company if they do not consider and take reasonable steps to mitigate against potential losses and damage arising from such an attack. While directors can obtain insurance cover to protect them and the company against such risks, they will still need to demonstrate that they have taken reasonable steps to prevent a cyber-attack to escape potential liability.
In the UK, the National Cyber Security Centre (the NCSC) has been working hard, along with law enforcement, including the National Crime Agency, and other governmental bodies across the globe, to fight cyber-crime: the NCSC has dealt with over 2,000 significant incidents since its creation in 2016, and has taken down more than 700,000 online scams in the UK in the last year alone; 80,000 of which were discovered from tip offs from the British public through the NCSC’s ‘Suspicious Email Reporting Service’1 . The Information Commissioner’s Office recorded a total of 8,815 data security incidents during 2020/21 and, over the past three years, police forces across England and Wales suffered an average eight breaches a week2 .
It is, however, anticipated that hundreds, if not thousands, more attacks have taken place but have not been reported. Many victims of cyber-attacks choose not to report the crime to law enforcement, or to publicise its payment of the demanded ransomware for fear of repeat offending, incrimination from regulators or law enforcement, bad press and/ or the potential withdrawal of cover from its insurer if a ransom is paid or dealt with in the wrong way. That is unsurprising given that the payment of ransomware – usually cryptocurrency - being demanded by the attackers is not illegal in the UK (despite the fact that the payment of a bribe is)
What is a Cyber-Attack?
A cyber-attack is typically carried out by an unknown third-party gaining access to a computer system, server or a set of files which are held ransom and threatened to be released to the public unless a demand is met. The third party often gains access by sending a fishing email asking for sensitive information (such as bank details) or encouraging the recipient to visit a fake website. In the UK alone, HMRC fishing scams are reported to have grown 87% during the COVID-19 pandemic, surging from 572,029 during 2019/20 to 1,069,522 during 2020/213. Other ways in which attackers can access systems is by the dispatch of an email which contains a trojan horse - an attachment, or a link for the unsuspecting to click on - which, once downloaded, hides malicious code within legitimate software for the task that the attacker designed it for, often to steal sensitive data or to spy on online activity and learn of passwords / sensitive information etc.
Is Payment of a Random Demand Illegal?
It is not currently illegal to pay a ransom demand in the UK which may surprise some considering the payment of a bribe, which is akin to a ransom payment, is illegal, as is making a payment to terrorists and other prescribed groups. Equally, those falling victim to an attack in the UK are not required by law to report it, although law enforcement strongly recommend reporting it at the earliest opportunity to seek their assistance and expertise to maximise opportunities and to mitigate the threat.
Conversely, Australia – whose meat operations were impacted following the attack on JBS Foods until they paid a ransom of $11 million in June 2021 - has introduced a Parliamentary Bill seeking to make the reporting of a ransom demand compulsory, and it has been reported that the Biden Administration in the US is considering doing the same. While both of these positions are encouraged, the reporting of a ransom demand will only help law enforcement to collect information and data about such attacks; without the payment of a demand being made illegal, ransomware demands will almost certainly continue to increase and so directors in particular ought to take steps to protect themselves and their companies from such attacks.
Why Should Directors Concern Themselves with
As explained above, cyber-security is a board level responsibility – directors are likely to be held liable by the company if they fail to consider how best to mitigate against potential cyber-attacks.
As will be known from just the handful of examples set out above, when the existence of an attack enters the public domain, it can damage a company’s reputation (and stock value, if listed) and may have widespread repercussions on the future trading of the company . Add to that the fact that attacks take a lot of time, effort and costs to seek to resolve, often requiring the assistance of a specialist incident response company (IRC), lawyers and other professionals, which adds to the layer of cost required in addition to the demand of a ransom payment, it is clear why this tangible risk ought to be considered by the board of a company.
By way of demonstration, the Harris Federation Schools estimated that, in addition to the ransom of nearly £3m that was demanded, it suffered around £500k of costs over the course of three months to deal with the at- tack while the education of their pupils was impacted – they could not access school buildings which were electronically con- trolled, the CCTV was down, and registers were inaccessible from day one. They were required to hire the services of a foreign IRC (all UK companies were too busy to deal with this attack) to assess the level of penetration and, in parallel, work with others to understand the extent of the data stolen, contain it, seek to recover it, eradicate the virus, monitor the system, remediate them and negotiate the ransom payment demanded. The impact of a cyber-attack is far reaching and so steps must be taken to deter a cyber-attack and to prepare for one should the worst-case scenario come true.
How to Escape Liability
Given the increasing number of reported cyber-attacks of late, companies, directors and all key stakeholders ought to be on high alert and ready to act as soon as possible to provide sufficient protection against cyber-attacks and breaches.
Companies ought to consider obtaining sufficient insurance to protect them against the worst-case scenario and to fund (or indemnify) the urgent response team required to deal with the attack and to remediate the systems to ensure that the company is operating as normal as soon as possible. They also ought to prepare a detailed disaster recovery plan and to test it on a regular basis (noting the results in doing so by way of board minutes) so that they are ready to act out a doomsday scenario in real life should the (hopefully unlikely) need arise. On a more practical level, directors should ensure that their IT teams or directors responsible for their IT / cyber matters are implementing sufficient security measures with, at the very least, regular backups of all data on, ideally, an off-site location; two-factor authentication; the regular changing of passwords; offering their employees cyber-security training etc.
If a director can demonstrate that he/she acted reasonably by, for example, seeking professional advice in this regard and acting upon such advice, it is likely that he/she will not fall foul of the Companies Act 2006 and other duties which he/she owe to the company.
The situation is far from straightforward. Some sympathy must be offered to the victims who choose not to report or publicise the attack – it can be seen how knowledge of an attack could fuel the risk in further attacks. By way of example, on learning of the attack, criminals will know that certain companies have sufficient insurance cover to meet any such demand and will know that, if they breach that companies’ systems, they are almost guaranteed a pay-out. Further, if a company has sufficient insurance, it could be considered that that company may be more relaxed with regard to its cyber security and so the criminals may be encouraged to attack those systems assuming they will be easier to penetrate than others.
That being said, while the reporting of an attack remains voluntary, and the payment of a demand legal, it is no surprise that cyber-attacks are increasing in monumental percentages on an almost daily basis. These criminal gangs prosper by the anonymity of the attacks and the payments being made: the cryptocurrency often used to pay the demands will no doubt be used for other criminal activities which will continue to fuel the dark web and black markets if it is not cleaned and taken out as fiat in another, more favourable jurisdiction. Until reporting becomes compulsory and the payment of a ransom illegal, the trend in cyber-attacks will continue to grow and so swift action must be taken now to prevent, prepare for and know how to remediate any attack should the worst happen.