
The far-reaching impact of Cyber-attacks

Summary of our live crisis management workshop held in London on 10 September 2019

Risk & Analytics|Cyber Risk Management

October 3, 2019

In this article we consider the issues raised from our live crisis management workshop with comments from our expert panel.

Cyber incidents can have devastating consequences, posing unwelcome and often unexpected questions for business leaders. Simulating just such an event (a ransomware attack, to be precise) at our live crisis management workshop on 10 September provoked controversy and debate, and demonstrated that whilst there may not always be one “right” answer, it’s nonetheless wise to consider these questions prior to rather than during an incident. Here we consider some of the issues raised with commentary from our expert panel to add to the mix. Thank you to all of our panellists and audience for your contributions.

Upon first discovery of a suspected cyber incident, how quickly should organisations act?

In our expert panel's experience, internal IT departments habitually ask for more time to investigate the nature and extent of an incident before those responsible for business continuity activate incident response plans, notify affected parties and regulators, or take proactive steps to mitigate damage. Our audience overwhelmingly (95%) recognised the same pattern. Care should be taken to avoid excessive delay caused by an IT department's understandable wish to "manage" the incident themselves: the clock on regulatory notification and on containment starts at discovery, not at the end of the IT investigation.

Should organisations negotiate with cyber extortionists?

Whilst many in the audience were uneasy about engaging with extortionists, our panel pointed out that such engagement (even if there is no intention of paying the ransom) can be hugely beneficial, not least in terms of buying more time and lowering the extortionists’ expectations. “A negotiation allows you to reduce the demand and push back the deadline allowing more time to remediate the exploit and mitigate against its effects or the chance of it happening again,” said Tim Lambon, Director of Cyber Response, NYA.

To pay or not to pay? That is the question

It's perhaps easy to take the moral high ground when not faced with an immediate crisis, but in the heat of the moment an organisational blanket prohibition on paying ransoms can start to look questionable. Whilst our audience were against paying a ransom (83%), our panel explained that the payment of ransoms is generally not unlawful (unless there's reason to suppose that the proceeds will fund terrorist or other proscribed organisations), and suggested that there are many occasions where the threatened outcomes, and the disproportionate resources that would be required to avoid or mitigate those outcomes, could outweigh the disadvantages of paying. Specialist cyber extortion advisers have the experience to gauge whether paying a ransom is likely to achieve the desired result or will simply lead to further demands. Experienced cyber incident lawyers can advise on law enforcement engagement, and on ensuring that appropriate due diligence is carried out in order to mitigate the chance of subsequently being found to have paid a ransom to a proscribed organisation. "This due diligence process is vital – ransoms are likely to be paid in cryptocurrency to a pseudonymised wallet, but that does not mean that the identity of the extortionist cannot be ascertained", said Steve Hadwin of Norton Rose Fulbright. "Paying a reduced ransom after a resistive negotiation will decouple your reputation from the data and ensure the Threat Actor does not come back with a second demand," added Tim Lambon of NYA.

How does an organisation manage stakeholder communication and reputational fall-out?

Managed communication is key, both to maintaining staff morale and client/supplier confidence, and to mitigating wider reputational damage. Whether to share information at an early stage with employees may depend on the size, structure and collegiality of the organisation. Expert advice is invaluable with regard to timing, format (interview? press release?) and messenger (CEO? Marketing?). Whichever strategy is chosen, the organisation should be seen as the authoritative source of information, providing reliable updates and, where appropriate, correcting false information in the public sphere. Peter Barrett, Director, Infinite Global, said "Crisis communicators must project calm control, think laterally and avoid the bunker mentality that high pressure breach scenarios can quickly generate". "The aim is to provide communications which are compliant with specific legal and regulatory requirements, but which above all help affected individuals to understand what has happened and mitigate any risks that they might face", added Steve Hadwin of Norton Rose Fulbright.

Can insurance help?

Cyber insurance can help by putting in place and funding multi-disciplinary teams with genuine expertise in responding to cyber incidents. The importance of having the right vendors lined up prior to an incident cannot be overstated (especially since, as in the case of widespread ransomware attacks, the best experts may already be committed elsewhere). Cyber policies typically also cover ransoms, liability claims from third parties (whether data protection- or network security-related) and regulatory investigations following a breach (subject to the legal insurability of fines), as well as business interruption losses stemming from IT outages.

On an individual level, Directors & Officers (D&O) insurance addresses the increasing trend for directors to be held personally liable to stakeholders for inadequate cyber security measures or questionable decision-making in responding to the crisis.

In the case of both cyber and D&O insurance, early notification and proactive engagement with insurers can be critical, in the latter case even before individual directors have been taken to task.

What can you do?


It is a sad fact that organisations are more likely than ever to be the victim of a cyber attack of some description. According to the Cyber Security Breaches Survey 2019 from the Department for Digital, Culture, Media and Sport, 32% of businesses identified a cyber attack or breach in the last year.

Our event highlighted that the risks resulting from such attacks span financial, regulatory and reputational harm, and it is easy to imagine just how quickly a crisis can unfold.

Despite this, the Cyber Security Breaches Survey shows that when organisations reflect on their approaches to cyber security, they may be undervaluing the true cost and impact of breaches. Risk teams should act now to fully understand their organisation's particular risks, so that they are prepared before an incident rather than improvising during one.

If the subjects covered in the workshop have raised any lingering doubts in your mind, please contact us for an initial chat to talk through your concerns.


Executive Director, Cyber and TMT

Mitch McBain
Head of London Broking
Executive Director
FINEX, Directors & Officers
