The Booming IoT Will Increase the Risk of Cyberattacks

In the aftermath of the huge global cyberattack involving WannaCry ransomware, which affected more than 200,000 systems in more than 150 countries, organisations are taking the opportunity to examine their safety protocols with the hopes of optimising their praxis and reducing their risks. Some very significant national and international organisations suffered the consequences of a virus which, taking advantage of the security weaknesses existing in certain versions of Windows, encrypted information and blocked users' access to it until a ransom was paid in the cryptocurrency known as Bitcoin (USD 300 - 600), a system that allows hackers a certain degree of anonymity. What was remarkable was the speed with which the "worm" spread through the internet, attacking the protocol that facilitates file transfers in Windows networks.

In light of the alarm that this type of massive attacks generates, particularly in the business sector, it is important to remember that the measures aimed at fighting this type of risk are not all of a technical nature. Legal, regulatory and even organisational measures can be key to avoiding damage, or at least to minimizing its impact. Having proper legal mechanisms in place is essential for a company to quickly evaluate whether or not certain specific conditions have been met so the matter can be brought before the courts and the company can act before potential consequences arise.

Each case is different and there are no general rules that apply to all situations. In any case, we can highlight certain key questions that companies should bear in mind.

For example, the inclusion of specific clauses that regulate cybersecurity risks in contracts between technology suppliers and their clients. Such clauses clarify the security measures that are to be implemented and stipulate the contractual parties that will be in charge of them, thus avoiding a situation where the responsibility for such matters falls in some type of "know man's land". It would also impose contractual liability correctly, so compensation could be claimed for damages when an organisation undergoes this type of attack.

Internally, a company can develop policies for how its employees should use technology. It can also provide the training necessary to effectively reduce the risk of said employees involuntarily facilitating a cyberattack. Furthermore, if said internal rules are established while taking into account legal aspects, they may also be used as evidence of the company's diligence with regard to these matters and thus decrease its liability, if there are claims brought by clients, shareholders, associations or some other type of affected user.

As to pursuing attackers, regulatory differences make it complicated to investigate and persecute the responsible parties. However, on the other hand, it is possible that we will soon see legislative changes that confer more power on authorities, so they can act more effectively, which will increase private organisations' collaboration in this regard.

Once a computer attack is detected, an investigation must be carried out, with speedy international coordination if necessary. When the cybersecurity of an organization has been hit in several countries, a typical mistake is to file a complaint in only one country and wait for justice to do its work. However, filing actions in a coordinated manner in several countries can help avoid the attackers from walking free, as it compensates for the territorial limitations that judges and law enforcement face when it comes time to act.

Regarding the regulatory side to this matter, it is important to remember that managing this type of incidents poorly can trigger not only business losses or claims from affected parties, but also potential penalties.

In this regard, the European Union recently approved the General Data Protection Regulation (GDPR), which will be directly enforceable as of May 2018. Said Regulation establishes the obligation for a company to send a notice to the authorities and to the affected parties within a period of 72 hours, in certain circumstances, if there has been a security failure such as those that could arise from this type of attacks. The same obligation can be found in other related regulations, such as the so-called Cybersecurity Directive or the NIS Directive (EU DIRECTIVE 2016/1148) or in the regulations governing electronic communication services (whose scope of application is to be increased by the future E-privacy Regulation, and a future directive that establishes a European Code for Electronic Communication).

In light of the additional risks that applying said regulation could produce (for example, under the GDR, penalties can reach EUR 20 million or 4% of the annual billing, whichever is higher), it is advisable to establish preventative measures such as attack rehearsals, models for communicating with authorities and affected parties, internal rules, etc. that bear in mind the legal function in the company and create a crisis committee that includes both legal and technical experts that will help the company react in the best manner possible while the attack is underway and subsequent thereto. To such end, it should be highlighted that the internal and external communication of a company are key elements when reacting to this type of incidents. Of course, the marketing and communication department plays a leading role when designing the messages that will be sent during the crisis; however, having proper legal support will help reduce the risk of claims and penalties, and it will contribute to the strategy for defending and protecting the interests of the attacked organisation.

This time, the virus massively affected companies, institutions and individuals all over the world but the regions that were affected the most were Asia and Europe. The spread of the virus started to slow down before it took root in the U.S., where many companies already have insurance policies in place to cover this type of risk. In Europe, it is expected that the new regulatory obligations mentioned above, which force companies to publicly reveal this type of attacks, will increase litigation. Therefore, the market for insurance to cover cybersecurity attacks or "cyberinsurance" will grow after the WannaCry attack. In fact, it is currently one of the fastest growing market segments. For example, Allianz expects that annual premiums of USD 3000 - 4000 million will leap to more than USD 20,000 in 2025. Properly negotiating coverage will, therefore, be of key importance to managers of threatened companies, if they hope to get some sleep.

For some time now we have been hearing about computers being hacked but there had never been an incident of this dimension. It is also expected that attacks of this type will be more frequent and more hostile in the future. Any device connected to the internet is susceptible to being hacked and, with the growth of IoT (internet of things), such risk will grow exponentially.

Thus, it is increasingly important that cybersecurity (and specifically, how we respond to and recover from an attack) become a matter of maximum importance and priority for Top Management.

Technical measures are clearly essential, but not sufficient. Officers who are legally responsible and in charge of compliance issues must work as closely as possible with systems experts to ensure that their companies have the highest level of protection possible.