In business, cyber-attacks have become a part of reality and are no longer something that happens “out there”. Most do not become public knowledge, but numerous companies have already suffered production shutdowns, compromised confidential/sensitive data, and funds stolen or extorted (extortion ware), as well as faced other catastrophic consequences of cyberattacks. We must address these challenges not only technically, but also from other aspects.
How should management act in the new cyber reality?
Managing a company requires a higher level of diligence, namely the due diligence of a prudent businessperson. The manager should be familiar with and understand cyber risks and their management, even though they may not have the specific technical know-how. It is commendable that information security risks (e.g. a cyberattack) are already designated as the most critical in many companies.
Is identification/awareness enough?
Due diligence is demonstrated by the management who not only realistically evaluates the risks of a cyberattack, but also introduces appropriate measures and supervises their implementation. In the course of planning, it is crucial to consider the following: How will we measure the success of these measures? “We will not be attacked” is not the best approach, as risks and vulnerabilities are unpredictable. It is more appropriate to consider whether the level of information security has been adequately increased. Despite every effort, not all incidents can be prevented since there is no such thing as absolute security. With carefully planned measures, however, it is possible to raise information security to a level that should preclude critical incidents and the worst consequences.
The purpose of risk assessments and the implementation of security policies and measures is not to create documents, but to be practical: to connect key players in the company (IT, management, DPO, HR, PR, and other critical stakeholders) and provide them with adequate resources. Cybersecurity cannot be the responsibility of the IT team alone, but rather the duty of all employees, as the weakest link is often uninformed users. In the event of an attack, only concerted action and coordinated response can successfully prevent critical incidents and limit negative consequences.
“The analysis of cyberattacks frequently exposes inadequately identified risks, failure to implement appropriate policies, poor coordination of key players, and lack of know-how and resources. If the management can demonstrate that they have in fact done everything that a diligent and prudent businessperson would do, they can be much less concerned about the legal repercussions.“
Jure Planinšek, M.Sc., Head of Compliance and Legal, NIL (part of Conscia Group)
What are the potential legal consequences of insufficient due diligence of the management?
(a) Impact on business and contractual damage liability: Contracts with customers or suppliers usually stipulate the legal consequences of delays and extend contractual damage liability. This means that in case of a breach of contract, the company is obligated to pay contractual penalties and/or is liable for damages to the partner. In addition to direct damage, cyberattacks often cause indirect damage as well, mainly in the form of loss of customer confidence and reputation. Indirect damage is more difficult to measure and, in many cases, exceeds direct damage.
(b) Fines: Due to the increasingly complex legislation that stipulates due diligence in protecting confidential, personal, and other types of data, a company can have very high fines imposed as a result of a cyberattack. For example, a well-known airline paid a fine of EUR 22 million for failing to adequately protect customers’ personal data.
(c) Loss of license: In the case of regulated activities (banking, insurance, stock brokerage, etc.), companies’ licenses or authorisations to operate may be revoked and other consequences may arise as laid down in special legislation.
(d) Criminal proceedings: Since cyberattacks usually have the characteristics of criminal offences, it is also necessary to notify the law enforcement authorities about them. In exceptional cases, criminal liability of the management is not completely excluded if severe negligence was involved.
(e) Management’s liability for damages: A cyberattack will not be overlooked by the company’s supervisors and owners who may decide to replace the management. In case of insufficient due diligence, the legal basis is given for compensation claims to be filed directly against the management.
How can management defend itself?
In all the above examples, the key legal question with regards to the professionalism and consequently the responsibility of the management will be whether an adequate level of information security during a cyberattack was realized. The usual defence that the incident could not have been prevented is only partly acceptable. A manager who proves to have acted with due diligence and provided for the implementation of concrete measures will not be blamed. The analysis of cyberattacks frequently exposes inadequately identified risks, failure to implement appropriate policies, poor coordination of key players, and lack of know-how and resources. If the management can demonstrate that they have in fact done everything that a diligent and prudent businessperson would do, they can be much less concerned about the legal repercussions.
Careful planning and prioritization make adequate cybersecurity feasible. Even though hackers are constantly inventing new ways to attack increasingly complex information systems, experienced experts can implement solutions that reduce the likelihood of these attacks being successful. Due to a lack of qualified personnel and the cost-effectiveness of such solutions, most organizations engage experienced partners who have certificates, references, and hands-on experience with security incidents. Drawing from their experience, such partners will also be able to help when an incident indeed occurs, and it is necessary to mitigate the negative consequences and comply with complex legislation. Good cybersecurity plans are not limited to the IT department, software solutions and/or insurance, which cannot cover the entire damage (mainly damage liability and loss of reputation).