As the risk of a cyberattack grows, it is pivotal to consider whether the directors of a company hit by a ransomware attack, for example, can bear any liability for negligence in failing to take steps to limit the risk.
During the past few weeks, I had the pleasure of running a presentation on how to deal with the risk of ransomware cyberattacks on corporations for the benefit of members of the “In the Boardroom” training course dedicated to professionals who are or aspire to become board members of publicly traded companies. As part of the presentation, we tried to give practical guidance and shared some “lessons learned” from previous cyberattacks. And the number of questions showed how relevant the issue, and the possible liability for directors, is.
This article aims to provide recommendations to directors of listed and unlisted companies on actions to take in advance, during, and after a cyberattack.
The size of the cyber risk to companies must not be underestimated
To give a sense of the size of the cyber risk to companies: on average, there is a cyberattack every 39 seconds. This does not mean that every attack is successful, but that attempts to access companies’ computer systems occur with that frequency.
According to research conducted by IBM, the average cost to companies of a data breach in 2022 is US$ 4.35 million, which increases to US$ 4.54 million in the case of ransomware attacks. Of course, this amount is simply an estimate, and the average cost is higher in certain jurisdictions, such as the United States, where it is close to US$ 10 million, while in Italy it is in line with the average.
Based on my experience, this estimate is even optimistic when considering cases where the company’s business is global. In addition, the cost depends on the time it takes to identify abusive access to computer systems, which on average is more than six months. The longer the identification time, the more data will have been exfiltrated by the time the access is identified. And this often happens only when the hacker, the so-called threat actor, starts encrypting the computer systems.
Moreover, the operational consequences of a cyberattack should not be analyzed only in terms of the compromise of the personal data of the company’s customers and employees. Encrypting computer systems can bring business operations to a standstill, partly because attacks usually occur when the company is least ready to respond, e.g., at Christmas, during the summer, and on weekends. If encrypted data cannot be restored, the production line, stores, eCommerce sites, and all business operations are brought to a standstill, and there may even be a problem with the reliability of the company’s balance sheet, not to mention the possible reputational damage that can lead to loss of customers.
Added to that is the risk of penalties and fines (which are not insurable in most jurisdictions), not only under privacy and data protection regulations but also under the cybersecurity regulations that are now proliferating. There have not been many class actions in Europe for cyberattacks, but if the attack impacts customers located in, for example, California, the risk of a class action is high. Furthermore, serial civil actions by individuals whose data has been compromised by a data breach are also increasing exponentially in Europe, backed by law firms with success fee arrangements in place.
What obligations and liabilities do directors have to prevent a cyberattack?
Given the scale of cyber risk to companies, the board of directors of companies, especially in the case of publicly traded companies, must monitor the actions taken by the company to prevent a cyberattack and promptly take corrective action.
Unfortunately, in some cases this does not happen. Partly because of the costs of the pandemic, but more generally because of other overriding priorities, some companies sometimes
- do not conduct periodic penetration tests and analyses of the state of maturity of the technical and organizational measures taken to reduce cyber risk;
- when these analyses flag weaknesses, do not address them immediately but add them to a “to-do list” without a specific short-term deadline; and
- rely on an incident response plan that has never been tested and, therefore, may not function properly in the event of an attack.
It is not just a matter of recommending investments in security measures, because 95% of cyberattacks occur because of human error: for example, an employee who clicks on a phishing e-mail, uses the same authentication credentials for work and private accounts, or connects corporate devices to USB sticks or websites through which the threat actor can enter the systems.
A cyber risk analysis must have a significant training component and include a review of organizational control processes. Because it is not possible to rule out the risk of a cyberattack completely, since cyber criminals are always a step ahead of their victims,
- companies have to be able to demonstrate that they have taken all the measures required by privacy and cybersecurity regulations through a cybersecurity compliance program, which requires sophisticated legal as well as technical knowledge, because the burden of proof will be on the company; and
- adopting an insurance policy to cover cyber risk can minimize the negative economic effects on the company and allow it to rely on the incident response systems and the consultants on the insurer’s panel.
What should directors do if a cyberattack happens to the company?
Based on my experience, if a company suffers a major cyberattack, the CEO, the general manager, and the board of directors are immediately involved. I have been “catapulted” in front of the CEOs of multinational corporations to assess the risk arising from a cyberattack during the Christmas vacations, holidays, and endless weekends. The risk to the company from a cyberattack is so high that the company’s top management is immediately involved.
In this context, some of the worst-case scenarios from the perspective of directors’ liability, should a cyberattack occur, are the following:
- the actions listed above were discussed at a board of directors meeting, but no activity was undertaken;
- a risk analysis was carried out and weaknesses in the information systems were identified, but the company did nothing (or very little) to correct them in a timely manner;
- the company realizes that it did not renew the insurance policy covering cyber risk, having considered the risk remote and the policy excessively expensive.
All of these scenarios have occurred during my professional career, and the board of directors meetings where they were analyzed were not pleasant.
The board of directors will have to, among other things,
- analyze the corrective actions to be taken to minimize the negative consequences of the cyber attack,
- assess the economic impact of the attack, including in terms of possible penalties, to possibly inform shareholders and create a budget reserve, and
- decide whether the incident should be reported to the appropriate authorities and communicated to the individuals whose data was compromised.
But the “trickiest” topic certainly concerns the decision of whether or not to pay the ransom in a ransomware attack. Normally, when a ransomware attack happens, “American cop movie”-style negotiations take place with the cyber criminals to buy time, reduce the amount demanded, and obtain any approval needed from the insurance company. In most cases, the company will do anything to avoid paying the ransom because
- depending on the jurisdiction and the identity of the threat actor, payment may be illegal;
- payment does not guarantee that the data will be decrypted, which also requires an analysis of the threat actor’s reputation and track record; and
- there could be reputational damage.
However, in some cases a company has no way out because, for example, even the backup copies of the data have been encrypted, and there is no way to restore the data. In that case, the company might consider paying the ransom if doing so does not violate local regulations. The more complex problem, though, is how to obtain board approval for the payment of the ransom. There is no single correct answer, and no answer is 100% perfect; one will have to analyze the circumstances of the case.
How should a cyberattack be reported to the public?
Beyond the regulatory reporting requirements, reporting a cyberattack to the public is definitely tricky.
The worst mistake one can make is to “lie,” denying what happened. Nowadays, hackers often have their own websites, and there are websites dedicated to information about cyberattacks. In addition, the threat actor will probably publish exfiltrated data on the dark web to provide proof of the exfiltration and solicit payment of the ransom.
To maintain trust, the company must ensure that the public learns of the cyberattack from the company itself before reading about it in the press. In the case of global cyberattacks, local culture must also be taken into account in communications. FAQs can be created to answer common questions, but a call center, or at least dedicated staff, is needed to handle the (numerous) requests for clarification from customers and employees.
Most privacy authorities have a dedicated e-mail address to handle user complaints, and the cybersecurity authorities monitor all attacks that impact companies, making the risk of sanctions higher.
What should directors recommend once the cyberattack emergency is over?
Increasingly often, companies that fall victim to a cyberattack suffer another one within the following 12 to 24 months. In these cases, the company has not thoroughly analyzed the dynamics of the attack, cannot be sure that the threat actor is no longer in its systems, and has not taken corrective actions in response to the attack.
In these cases, the possible liability of directors could be even more difficult to handle because the company would be a repeat offender.
This article illustrates just some of the points of attention for directors in cyber risk management, with the understanding that the dynamics of attacks are constantly evolving and, therefore, corrective actions must be continuously adapted as well. On a similar topic, you can read the article “ENISA 2022 ransomware report gives insights on recent changes”.