According to a recent Global Information Security Survey of EY, only nine percent of the respondents are extremely confident in their organizations' cybersecurity risk and mitigation measures – a sharp decline from 20 percent in the year before. At the same time, incidents are on the rise.
Preparing for, handling and following up on a cyber-attack have become topics that should no longer be left only to technical specialists such as the Chief Information Security Officer. Today they are issues that every general counsel and their team should be concerned about. Not being prepared and not reacting in the right manner can lead to severe fines, damage claims and other trouble.
Policies, Ransom and Privilege
Preparation includes having the necessary policies in place, obtaining appropriate insurance coverage and knowing which immediate steps are to be taken in the first 72 hours of an emergency, such as making "data breach notifications". From a legal point of view, cyber-attacks are also not only about the personal data of employees, customers and business partners. More often than not, they can also lead to the theft and disclosure of third-party business secrets which an organization has undertaken to protect.
In particular in attacks using ransomware, we often see that the stolen data is data the organization should have deleted a long time ago – under applicable data protection law, you may retain personal data only for as long as you have a legal or sound business need. Ransomware attacks also raise a number of further questions, such as whether paying a ransom should actually be considered and is permitted (we believe it is currently permissible under Swiss law). We also see that many companies on the one hand notify data breaches even when there is no need to, but on the other hand fail to document them properly. Moreover, many are not prepared for practical issues such as foreign language requirements when actually making data breach notifications.
A Corporate Counsel Checklist
To help you better prepare for the task, we – together with colleagues from Ernst & Young (EY) and the insurance broker specialist Kessler – have prepared a quick reference guide that serves as a checklist for corporate counsel: it provides an overview of the most important steps to undertake in preparing for, handling and following up on a cyber-attack on your private sector organization, covering not only legal & compliance, but also information security, forensics and insurance issues.
The "Cyber Attack Readiness and Response Cheat Sheet" can be downloaded here. It has been published in cooperation with the Association of Corporate Counsel (ACC) and was first presented at an ACC evening event on September 27, 2022 in Zurich, Switzerland, where the topic was discussed lively with a group of corporate counsel. Our presentation covering the "legal side" of preparing for and dealing with cyber-attacks, and in particular ransomware cases, can be found here.