After a cyber-attack is discovered, legal will have a key role to play in guiding a firm’s response.

Having spoken with a number of regulated financial institution clients, a consistent area of uncertainty is: “What is the legal department’s role in defending against a cyber-attack?”. Whilst the exact answer to that question will depend on the institution in question, certain common themes have emerged from our discussions.

  1. Have pre-agreed lines of communication. Is the escalation route set up so that the right people (in terms of technical knowledge and authority for sign-offs) are lined up in advance?
  2. Know your contractual liability profile. Do you know if there are specific cyber-attack provisions in your contracts, or if there are general limitation of liability clauses that can be used? Do you know the terms in key client contracts that may well be heavily negotiated and depart from your “house” position?
  3. Understand if you need to notify clients. Whilst your business colleagues are likely to debate whether or not notifying clients is a good idea as a commercial matter, do you know if the nature of your legal obligations to the clients means that there is not really a choice?
  4. Have a list of interested regulators. You are likely to have a good understanding of when to notify your main financial services regulators, but do you know if there are other non-financial regulators who may need to be notified?
  5. Have a clear policy on client compensation. Be careful to ensure that you act consistently and in accordance with objective standards when deciding on client compensation. If you are not obliged to compensate but decide to do so anyway, and you are under a regulatory obligation to treat customers fairly, there may be a risk that compensating one client binds you into making similar payments to other clients in future.