As the risk of a cyberattack grows, it is pivotal to consider whether the directors of a company hit by a ransomware attack, for example, can bear any liability for negligence in failing to take steps to limit the risk.
During the past few weeks, I had the pleasure of running a presentation on how to deal with the risk of ransomware cyberattacks on corporations for the benefit of members of the “In the Boardroom” training course dedicated to professionals who are or aspire to become board members of publicly traded companies. As part of the presentation, we tried to give practical guidance and shared some “lessons learned” from previous cyberattacks. And the number of questions showed how the issue is relevant and the possible liability for directors.
This article aims to provide recommendations to directors of listed and unlisted companies on actions to take in advance, during, and after a cyberattack.
To indicate the size of the cyber risk to companies, there is, on average, a cyber-attack every 39 seconds, which does not mean that every attack is successful, but that there is an attempt to access companies’ computer systems with that frequency.
According to research conducted by IBM, the average cost to companies of a data breach in 2022 is US$ 4.35 million, which increases to US$ 4.54 in the case of ransomware attacks. Of course, this amount is simply an estimate, and the average cost is higher in certain jurisdictions, such as the United States, where it is close to US$ 10 million, while in Italy, it is in line with the average.
Based on my experience, this estimate is even optimistic when considering cases where the company’s business is global. In addition, the cost depends on the time it takes to identify abusive access to computer systems, which on average is more than six months. If the identification time is longer, more data have been exfiltrated until the access has been identified. And this often happens when the hacker, the so-called threat actor, starts encrypting the computer systems.
Moreover, the operational consequences of a cyber attack should not only be analyzed in terms of compromising the personal data of its customers and employees. Encrypting computer systems can bring business operations to a standstill, partially because attacks usually occur when the company is least ready to respond e.g., at Christmas, during the summer, and on weekends. If encrypted data cannot be restored, the production line, stores, eCommerce sites, and all business operations are brought to a standstill, and there may even be a problem with the reliability of the company’s balance sheet, not to mention the possible reputational damages that can lead to loss of customers.
Add to that, there is the risk of penalties and fines (which are not insurable in most jurisdictions) not only under privacy and data protection regulations but also on the basis of cybersecurity regulations that are now proliferating. There have not been many class actions in Europe for cyberattacks, but if the attack impacts customers located in, for example, California, the risk of a class action is high. Furthermore, serial civil actions by individuals whose data has been compromised by a data breach are increasing exponentially also in Europe, backed up by law firms with success fee arrangements in place.
Given the scale of cyber risk to companies, the board of directors of companies, especially in the case of publicly traded companies, must monitor the actions taken by the company to prevent a cyberattack and promptly take corrective action.
Unfortunately, this situation, in some cases, does not happen. Also, due to the costs of the pandemic, but in general due to the other overriding priorities, some companies sometimes
It is not just a matter of recommending investments in security measures because 95% of cyber attacks occur because of human error. For example, an employee who clicks on a phishing e-mail always uses the same authentication credentials for work and private accounts or connects corporate devices to USB sticks or sites from which the threat actor can enter systems.
A cyber risk analysis must have a significant component of training and a review of organizational control processes. Because it is not possible to completely rule out the risk of a cyberattack since cyber criminals are always ahead of their victims
Based on my experience, if a company suffers a major cyberattack, the CEO, the general manager, and the board of directors are immediately involved. I have been “catapulted” in front of the CEO of multinational corporations to assess the risk arising from a cyberattack during the Christmas vacations, holidays, and endless weekends. The risk to the company from a cyber attack is so high that the company’s top management is immediately involved.
In this context, some of the worst-case scenarios from the perspective of directors’ liability should a cyber attack occur are the following:
All of these scenarios have occurred based on my professional career, and the Board of Directors meetings where they have been analyzed have not been pleasant.
The BoD will have to, among others,
But the “trickiest” topic certainly concerns the decision of whether or not to pay ransom in a ransomware attack. Normally when a ransomware attack happens, “American cop movie”-style negotiations happen with cyber criminals to buy time, reduce the amount demanded, and get the potential approval from the insurance company. In most cases, the company will do anything to avoid paying the ransom because
However, in some cases, a company has no way out because, for example, even data backup copies have been encrypted, and there is no way to restore data. In that case, the company might consider paying the ransom if it does not violate local regulations. The more complex problem, though, is how to have a board approval of the payment of the ransom. There is no single correct answer, and no answer is 100% perfect; one will have to analyze the circumstances of the case.
Beyond the regulatory reporting requirements, reporting a cyberattack to the public is definitely tricky.
The worst mistake one can make is to “lie,” denying what happened. To date, hackers often have websites, and there are websites dedicated to information about cyberattacks. In addition, the threat actor will probably publish exfiltrated data on the dark web to provide proof of exfiltration and solicit payment for the ransom.
It is necessary to ensure that the public is informed of the cyberattack from the company before they get it from the press to maintain trust. Also, in the case of global cyberattacks, local culture must be taken into account in communications. It is possible to create FAQs to answer questions, but a call center or, in any case, have dedicated people to answer (numerous) requests for clarification from customers and employees.
Most privacy authorities have a dedicated e-mail address to handle user complaints, and the cybersecurity authorities monitor all attacks that impact companies, making the risk of sanctions higher.
It happens more and more often that companies that are victims of a cyberattack suffer another one in the following 12 to 24 months. In these cases, companies have not thoroughly analyzed the dynamics of the attack, cannot ensure that the threat actor is not still in the company’s systems, and have not taken corrective actions to remedy the attack.
In these cases, the possible liability of administrators could be even more difficult to handle because the company would be a recidivist.
This article illustrates just some of the points of attention for directors in cyber risk management, with the understanding that the dynamics of attacks are constantly evolving and, therefore, corrective actions must also be adopted. On a similar topic, you can read the article “ENISA 2022 ransomware report gives insights on recent changes“.
About the author: Giulio Coraggio
I am the location head of the Italian Intellectual Property & Technology department and the global co-head of the IoT and Gaming and Gambling groups at the world-leading law firm DLA Piper. IoT and artificial intelligence influencer and FinTech and blockchain expert, finding solutions to what’s next for our client’s success.
(SecurityAffairs – hacking, cyberattack)