Cyber attacks – is your Board ready?

Businesses in Australia again woke up last week to reports of another cyber attack.  This time it was the Petya virus. 

The virus locks the screens of affected users and displays a message that all of the data has been encrypted and can only be unlocked by purchasing a key for a ransom.  Victims of the recent attack have reportedly included pharmaceutical companies, global law firms, food wholesalers, shipping companies and food manufacturers.

This attack follows cyber attacks such as the well-publicised WannaCry attacks in May 2017.

Law enforcement agencies do not have the means or the resources to deal with this new wave of crime.  Debate continues as to whether businesses should pay the ransom, or allow their systems to be locked down until the systems can be restored – which could take days or weeks.

Cyber attacks can come in different forms, and so can the damage they inflict.  In a ransomware attack, productivity is lost as workers arrive at work unable to use computers and devices.  The safety of employees working off-shore or remotely may also be compromised if communication systems are affected.  Contractual obligations to third parties may be breached.

Other forms of attack can result in data breaches and the theft of the personal information of customers and employees.  Australia will soon catch up with the USA and the United Kingdom by imposing mandatory data breach reporting and disclosure obligations on businesses.

The perpetrators of these attacks are organised and sophisticated.  The image of the teenage hacker in sneakers and a sweatshirt is outdated.  Cyber attacks are big business.  Criminal syndicates are generally behind such attacks, but we have also seen the rise of political activists cyber-attacking organisations, as well as reports of state-sponsored activity.  The Petya virus is unusual in that no ransom was sought, and there was no apparent motive other than to cripple the systems of businesses.

One of the biggest risks to an organisation is a tarnished reputation.  According to ASIC, 60% of customers would stop using a company’s products or services if a cyber-attack resulted in a known security breach.[1]

Companies may be exposed to litigation risks in many ways.  In the USA, we have already seen class actions against firms such as Target, which was affected by a data breach.  On 23 May 2017 it was announced that Target had reached an $18.5 million settlement with 47 states over its 2013 data breach.  Target disclosed that the cost of the data breach was USD 202 million.[2]  It is believed that cyber attackers entered Target’s network via a third party, namely a small heating and refrigeration contractor.

The malware was introduced into the contractor’s system when a worker opened an attachment to an email.  But the malware was not aimed at the contractor.  Because the contractor had access to Target’s system, the attackers gained access to it as well, including the point of sale registers and servers.  Data was stolen from up to 40 million debit and credit cards.

As a result, both Target’s CFO and CIO stepped down.

It is not just the large companies that are prone to attack.  Many attacks on small to medium sized businesses, including family and private companies, and not for profit organizations, go unreported. 

Cybersecurity has been identified by ASIC as an area that requires active engagement by the board and directors in managing the risk.[3]

The Australian Cyber Security Centre’s 2016 Cyber Security Survey, published in April 2017, reported that 90% of organisations faced a form of attempted or successful cyber security compromise during the 2015-2016 financial year.[4]  The ACSC also reported that one of the key factors distinguishing more cyber-resilient organisations from less resilient ones was that cyber security was regularly discussed at the most senior management or board level.[5]

A cyber attack should now be considered a reasonably foreseeable event.  If a company is victim to a successful cyber attack, the regulators, customers and shareholders will be asking what was done to minimize the risk.

Standards

There are a number of standards that may be adopted by a board when considering a framework for governance and risk minimisation.  The International Standards Organization publishes a standard for IT Governance, ISO/IEC 38500:2008(E).  The National Institute of Standards and Technology of the US Department of Commerce has also published the NIST Cybersecurity Framework, which is frequently referenced in publications.

The questions will be:

  • has your organisation taken all steps to prevent such an attack, and is your organisation ready to deal with an attack should it occur?
  • is your data encrypted?
  • has your organisation downloaded all available patches?
  • have your staff been trained, particularly since May, to be able to identify phishing and malicious attachments to emails?

If you do not know the answers to these questions, then you may not have done enough to discharge your duties as a director or officer of a corporation.  Your organization, and you personally, may be liable for the damage done as a result.

Prevention

What should you be doing as a director or officer of an organization? You should:

  • identify the assets most at risk, and what needs protecting;
  • identify and secure where and how your information is held;
  • prioritize resources to mitigate the risk;
  • provide training for all staff;
  • consider the cyber resilience of third party providers and contractors.

Respond and recover

A response plan is required. What will you do if your organization is affected?

  • the safety and welfare of your employees must be a priority;
  • have a data breach response plan;
  • in the event of a data breach, discharge your disclosure obligations;
  • if you are a corporation or listed entity consider your disclosure requirements to investors;
  • assess the effect the incident may have on contractual obligations with third parties.

Insurance

Insurance is available for the risk of cyber attack.  Have you insured your risks?  Are your firm’s key assets protected?

Lavan comment

Before the attack Lavan can help you:

  • review your risk protocols and procedures;
  • assess your litigation risk;
  • provide advice to the Board and senior management on risk management;
  • review your contracts for identifiable risks that may be transferred or mitigated.

If you experience an incident Lavan can:

  • advise on your disclosure obligations to regulatory authorities and shareholders;
  • advise you with respect to steps to be taken to minimize contractual risks;
  • consider if action can be taken against third parties in the event the attack came through a third party provider;
  • provide advice to minimize litigation risk.

Disclaimer – the information contained in this publication does not constitute legal advice and should not be relied upon as such. You should seek legal advice in relation to any particular matter you may have before relying or acting on this information. The Lavan team are here to assist.

Authors: Iain Freeman, Partner; Derek La Ferla, Partner.


FOOTNOTES

[1] Australian Securities and Investments Commission (Cth), ‘Embedding cyber resilience within company culture’ (April 2016) <http://asic.gov.au/regulatory-resources/markets/resources-on-markets/markets-articles-by-asic/embedding-cyber-resilience-within-company-culture/>.

[2] Sruthi Ramakrishnan and Nandita Bose, ‘Target in $18.5 million multi-state settlement over data breach’, Reuters (online), 23 May 2017 <http://www.reuters.com/article/us-target-cyber-settlement-idUSKBN18J2GH>.

[3] Australian Securities and Investments Commission (Cth), ‘Cyber resilience: health check’, Report No 429 (2015) <http://asic.gov.au/regulatory-resources/find-a-document/reports/rep-429-cyber-resilience-health-check/>.

[4] Australian Cyber Security Centre (Cth), ‘Cyber security survey 2016’ (April 2017) <https://www.acsc.gov.au/publications/ACSC_Cyber_Security_Survey_2016.pdf>.

[5] Ibid [16].