Eversheds Sutherland comment: Preparation across an organisation is essential against the inevitability of future cyber attacks


    With the ramifications of the global ransomware cyber attack still being felt by organisations across the world, Paula Barrett, Partner and International Head of Data Privacy and Cyber Security at Eversheds Sutherland, comments:

    “While the scale of technical vulnerability to this attack is catching attention, this should be the trigger for those who haven’t been directly affected to ask the question “what if?” and act as encouragement (if any is still required) to take proper action to prepare for the inevitability of future cyber attacks. It is a serious point – the adage that for data breaches it’s a case of “when, not if” is being made all the more real by the relative ease with which ransomware can now be purchased and deployed.

    “Within a business, this should not just be something left to information security or IT teams to deal with alone. Yes, they will play a significant role, but this is a critical risk management issue. Quite simply, the organisation may not be able to function in the event of an attack. So, it is imperative that these scenarios are actively explored and played out to understand both how to protect against and respond to these events when they happen. The operational impacts of these attacks can be quite devastating; so having a prepared framework on which to form your response can be enormously helpful.

    “Some pointers include:

    • Have a crisis response team ready and geared up for communications to employees, clients and wider public
    • Mock events can be an invaluable way of stress testing mechanisms and processes, as well as training those who will be called upon to be making the decisions
    • Team members should be drawn from across the organisation – Legal team representation will be important here to work alongside IS/IT, communications and HR as well as business/function leadership
    • Participation from board executive and operational leadership/reporting also needs to be considered
    • Wider reporting requirements need to be understood in advance, as well as associated timings – external reporting may be mandatory for some regulated and listed businesses, public authorities, utilities and others; you may need to act within hours
    • Contractual reporting requirements are often overlooked – increasingly Confidentiality, Data Security and Data Protection clauses with customers or others require this, where those third parties’ data might be at risk, often within very short timescales. Failure to do so can add contract breach and damages to the list of consequences
    • Understand your insurance position – are you covered and do you need to notify your insurers? Don’t assume you will be
    • Have you outsourced your IT? Do you know what this arrangement says about data security and responses to this type of event? One of the interesting points that will play out over the coming months in respect of the current incident will be who is responsible for patching under IT support and outsourcing contracts, as well as liability that could flow where the malware has been introduced from one party to another where systems with customers and vendors are interfaced
    • Ransomware brings with it some particular difficulties, some ethical as well as legal, so understanding the boundaries of criminal and civil law domestically and internationally is important

    “Building a culture of information security is key. Working together across functions to understand the risks and protect the business or organisation against those risks is essential to be well-prepared.”

    This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full terms and conditions on our website.