Cybersecurity Breach Response

This is an Insight article, written by a selected partner as part of GIR's co-published content.

31.1 Introduction

The Information Age has brought unprecedented advantages for business: global connectivity, decentralisation of computing, the power of big data collection, automation and artificial intelligence. No matter the business, there is invariably some level of integration with digital tools and online services; however, technological advantages and efficiencies also create a level of risk.

Cybersecurity risks can pose an existential threat to businesses. Understanding the risk that comes with digital transformation and taking a proactive approach is crucial. For lawyers and professionals navigating this space, understanding cyber risk is not just about decoding technical jargon: it requires an in-depth understanding of what that risk means to the business, and what can be done to try to mitigate it.

This chapter looks at the threat landscape, highlights key legal frameworks, obligations and responsibilities relevant to affected businesses, and provides some practical guidance about how to navigate the unique challenges of a cyber incident or data breach. Given the complexity, this chapter does not attempt to identify all relevant considerations, challenges, concepts or legal regimes in play, but instead emphasises some of the more major issues that practitioners will encounter as they navigate incident response.

31.1.1 Central themes

Cyber incidents give rise to a particularly challenging form of investigation. They are inherently multifactorial, adversarial (involving many stakeholders and adversaries whose interests do not align with the victim business), technical and complex, and are very often undertaken in a state of emergency. Uniquely, incidents often play out in public because of leaks by the malicious actor or the victim’s inability to do business, or because the victim is required to notify regulators or markets of the attack or its consequences.

At the outset, it is useful to identify a number of themes that are central to cyber incident and breach response and will help to illustrate the overall picture. Each of these themes will affect how professional advisers should approach their role.

31.1.2 The hidden cost

Beyond the immediate business interruption and the obvious financial consequences from extended operational downtime or service outage, an attack will often result in a cascade of financial risks. Remediation and recovery costs are not insignificant even in comparison with the potentially huge regulatory fines that may arise in cases where, for example, a business is found to be culpable for its insufficient security. Follow-on litigation (whether from affected business partners in supply chain attacks, or from individual data subjects whose data has been compromised) adds to the potential risk exposure that victim businesses face. Businesses may be unaware of the intangible but very real cost of reputational damage incurred by even fully recovered victims of a cyberattack – with some data indicating that victim companies will routinely underperform in the medium and long terms when compared with the market trends.[2] According to Cybersecurity Ventures 2022 ‘Official Cybercrime Report’,[3] the global cost of cybercrime is predicted to hit US$8 trillion in 2023 and will grow to US$10.5 trillion by 2025. The risk is not limited to the business alone. In recent US Federal Trade Commission (FTC) enforcement cases, we have seen ‘consent orders’ made against businesses and their senior executives (C-suite) personally, meaning the consent order will follow these individuals for the duration of the order and will continue to impose obligations on individual executives even if they move to a different organisation.[4]

31.1.3 Digital arms race

At the heart of this threat landscape is a perpetual arms race. On one side are sophisticated cyber criminals, looking for a way to breach security and gain a foothold within an organisation. On the other side are the businesses and cybersecurity professionals that (in an ideal world) are constantly updating and fortifying their digital defences with detection and prevention technologies. It is a dynamic game in which the success of one side forces the other to innovate. The attackers or ‘threat actors’ can have a range of motivations (from financial to corporate espionage), but their fundamental goal is to identify the weakest link. While security technologies become more advanced and novel, one attack vector stays fairly consistent: the human element. We return later in the chapter to questions of resilience, tactical hardening, preparedness and to the unique challenges posed by social engineering, manipulation and poor cybersecurity practices.

31.1.4 Increasing frequency

Attackers are not just becoming more sophisticated; they are also increasing their activity. Why? As businesses increasingly shift to digital platforms and as our world becomes ever more interconnected, the avenues for potential attacks multiply. More connectivity means more vulnerability. In 2023, the UK Department for Science, Innovation and Technology, in partnership with the UK Home Office, produced a Cyber Security Breaches Survey[5] of UK businesses, charities and education institutions as part of the UK National Cyber Security Programme. According to the survey, 32 per cent of all businesses and 24 per cent of charities reported having experienced a cybersecurity breach or attack in the previous 12 months. These figures are considerably worse for medium-sized and large businesses, with 59 per cent of medium-sized businesses and 69 per cent of large businesses reporting a cyber incident in this time frame.[6]

31.1.5 Beyond data privacy concerns

Although data privacy laws and large fines under the UK General Data Protection Regulation (UK GDPR)[7] have previously dominated headlines in the United Kingdom,[8] they represent just one piece of the legal and regulatory picture. Various jurisdictions have their own particular rules and expectations, especially around a nation’s critical infrastructure providers, and digital and financial services. Each business must understand its unique legal obligations as part of assessing its overall risk profile. Regulators and lawmakers continue to develop frameworks and standards that set the baseline for what is expected, in an attempt to respond to the rapidly developing technological environment and the magnified risk that comes with the huge volumes of data now held by these companies. But on the ground, in the midst of an attack, the immediate focus is always on recovering operations and ensuring the survival of the business. In existentially threatening circumstances, there is little time to reflect on what the obligations might be. Accordingly, businesses must understand them in advance, along with associated risks such as litigation and regulatory investigations, to ensure a strong response to the incident. Recovering from an incident is not just containing the threat: it means having a plan and a strategy to put the organisation in the best position for any consequences that follow.

31.1.6 A borderless world

As businesses operate in a global network, cyber threats become cross-jurisdictional issues. An attack might originate in one country, compromise servers in another and harm customers in a third. This international tapestry turns both preventing and responding to attacks into a complex challenge with many overlapping legal frameworks, jurisdictionally based obligations and interested regulators. Navigating this terrain involves a complex legal analysis and a wide view across all potentially affected geographies.

31.1.7 Publicity, communications and reputation management

Amid the urgency to resolve technical issues, businesses must also strike a delicate balance between transparency and discretion. Sharing too little information can erode public trust and fuel speculation (with its own regulatory consequence in some cases[9]), while revealing too much might compromise current investigations, give attackers undue advantage and perhaps unnecessarily increase regulatory scrutiny. Given the rapidly evolving nature of cyber incidents, early information is often incomplete or inaccurate, which raises the risk of miscommunication and loss of stakeholder confidence. Timely, accurate and confident public response is a central element of incident management.

31.2 Legal obligations, standards and pre-incident readiness

Fundamentally, controls around security standards, pre-incident readiness and preparedness involve the anticipation of potential cybersecurity threats, and taking proactive measures to prevent or mitigate their effects. A multitude of different sources of practice guidance, compliance standards and legal obligations exist, which businesses must consider in formulating their security controls and response procedures. The extent to which these apply will depend on the jurisdiction in which the business operates, as well as the industry sector or nature of the business.

In the United Kingdom, there is no comprehensive cybersecurity law. A patchwork of legislation and guidance exists, which, taken together, underpins the minimum expected standard. Those sources (including, among others,[10] the UK GDPR, the Data Protection Act 2018 and the Network and Information Systems Regulations 2018 (the NIS Regulations[11])) may apply differently to different businesses, especially if the business operates in regulated sectors such as financial services, telecommunications or critical infrastructure services.[12] Although these laws require that businesses take steps towards establishing appropriate, sufficient and effective cybersecurity, they generally afford a degree of operational latitude in terms of precisely how businesses go about security and achieving compliance. This approach makes sense given the need to future-proof the legislation in the middle of the ‘cyber arms-race’, but it also creates ambiguity for organisations that want to know whether they have done enough.

As mentioned above, although the GDPR and UK GDPR do not create cybersecurity-specific obligations, they do create obligations on data controllers[13] to protect personal data[14] and to ‘implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk’.[15] Failure to maintain appropriate security can carry the potential for heavy fines.[16] On the basis that, functionally, all businesses deal with some volume of personal data (whether customers or simply employees), these regulations will require businesses to maintain a particular standard of security. The standard itself is not precisely defined but must be appropriate to the risk posed to the rights and freedoms of natural persons. The regulations give some indication of factors relevant for consideration, such as ‘state of the art, the costs of implementation and the nature, scope, context and purposes of processing’, as well as other factors such as pseudonymisation of data, the sensitivity (or ‘special category’ status[17]) of data, and the ability to ensure resilience and to restore availability of the systems. Guidance provided by data protection regulators[18] further indicates what may be deemed ‘appropriate technical and organisational measures’ but this is ultimately a largely fact-dependent question that may only be analytically tested in the event of a regulatory inquiry or litigation.[19] Similarly, the NIS Regulations (applying variously to relevant digital service providers and operators of essential services) require ‘appropriate and proportionate’ security standards to protect network and information systems.[20] In large measure, therefore, businesses often look to other industry standards and frameworks to benchmark their own security posture against an objective external metric.

The United Kingdom’s National Cyber Security Centre (NCSC) publishes guidance[21] with respect to complying with the NIS Regulations, and also administers the Cyber Essentials scheme.[22] Internationally, several recognised standards and frameworks offer helpful guidelines on cybersecurity and readiness. These include ISO/IEC 27001[23] and the NIST Cybersecurity Framework,[24] but there are many other such standards, frameworks and benchmarks.[25] Although the various sources of guidance and law are helpful indicators, they are not prescriptive and therefore do not set out specific measures that must be taken to reach required standards.[26] Accordingly, it is always the company’s responsibility to assess the specific circumstances, the nature of the data it holds, the systems it operates and the particular risks it faces, and then to adopt a programme of security designed to address that risk. In practice, this might mean identifying what is defensible if challenged by a regulator.

Across these various laws and standards, the importance of a multi-layered approach to security, combining various types of control in tandem (often referred to as the defence in depth approach[27]), is widely accepted. This layered approach ensures that if one control fails, others are in place to catch or prevent the security breach.

The NIST Cybersecurity Framework 2.0[28] gives a helpful summary of the core objectives underpinning any cyber resilience programme, split into discrete ‘functions’ of which there are six: Govern, Identify, Protect, Detect, Respond and Recover. Each of these functions affects and informs the others, and in conjunction comprise a holistic approach to resilience.

Security controls are often organised into categories so as to provide a structured approach to security design. In general, cybersecurity controls can be broadly categorised as follows:

  • Preventative controls: designed to prevent potential security incidents. Examples include firewalls,[29] access controls, security training and awareness programmes, security patches and strong password policies.[30]
  • Detective controls: helping to identify aberrant activity and react to security incidents. Examples include intrusion detection systems,[31] endpoint detection and response tools,[32] log monitoring,[33] security information and event management systems,[34] and antivirus and anti-malware software that alerts users to malicious activity.
  • Corrective controls: put into action during or after a security incident to mitigate potential damage and restore system operations. Examples include backup and data restoration solutions, incident response plans (IRPs),[35] and antivirus and anti-malware tools that can quarantine or remove malicious files.
  • Physical controls: to secure physical resources and environments in which information assets are stored and accessed. Examples include security guards, door locks, CCTV surveillance, restricted access, secure data centres and protected hardware storage areas.
  • Administrative controls (or procedural controls): these focus on procedures and policies concerning the management of the organisation and its people. Examples include security policies, device and technology use policies, technical security audits, hiring practices (such as background checks), security training programmes,[36] crisis response table-top exercises, incident response procedures and comprehensive cyber incident insurance.[37]
  • Technical controls (or logical controls): technology-based solutions used to protect systems and data. Examples include encryption,[38] data anonymisation or pseudonymisation, multi-factor authentication,[39] access control lists and network segmentation.
  • Recovery controls: used to help with restoring and validating system performance for operations after a security incident. Examples include air-gapped and offline backups, restoration and recovery tools, fault-tolerant systems and high-availability configurations.

31.3 Threat landscape

The term ‘cyber incident’ is generic and covers an extremely broad range of fact patterns, including simple unauthorised access to a network or an email sent to an incorrect recipient, all the way up to complex and tightly orchestrated ransomware attacks.

Among the various definitions of ‘cyber incident’,[40] the concept of a ‘breach of security’ or ‘security incident’ appears repeatedly. This will resonate in the minds of data privacy practitioners given that breach of security is a necessary feature of a personal data breach, as defined under Article 4(12) of the GDPR and UK GDPR (see further, below, about the treatment of personal data breaches under the UK GDPR and other privacy frameworks); however, it is relevant to clarify at this stage that, although cyber incidents and personal data breaches often coincide, the two are not synonymous. While considerable overlap exists in practice, it is important to understand that not all cyber incidents are personal data breaches and not all personal data breaches are cyber incidents. A personal data breach is a special class of incident that meets a set of legal criteria, namely that a breach of security occurred that has led to some impact or consequence for personal data. The occurrence of a cyber incident or cyberattack does not inherently imply anything about the existence of a personal data breach, and in fact an important objective for the investigation that follows an incident will involve determining the answer to this question.

31.3.1 External threats

In the context of an attack, information about the perpetrator’s identity (known as attribution) can be important for a number of reasons. Most importantly, understanding the adversary will provide intelligence about the likely objectives, incentives and known methods of the perpetrator, which will inform strategic decision-making. For the purposes of this chapter, we consider three broad categories of external threat actor: cybercriminals, state-sponsored attackers and hacktivists.

Cybercriminals primarily focus on financial gain, usually through extortion. Their strategies generally range from deploying ransomware to encrypt information technology (IT) systems and disrupt a business’s day-to-day operations, to stealing sensitive personal data from an organisation for onward sale (or at least threatening to do so).[41] The more prolific cybercriminal groups have a recognisable modus operandi that commonly involves a combination of systems or data encryption and data exfiltration.[42] This enables the threat actor to demand financial payment using a two-pronged threat leveraging: (1) the permanent loss of encrypted systems and data (which could itself pose an existential threat to the business if recovery is not otherwise possible); and (2) publication of exfiltrated data (which could precipitate irrevocable reputational damage and heavy regulatory fines). Responding to incidents caused by cybercriminals requires a focus on understanding the nature and extent of the systems and data affected or exfiltrated, the ability of the business to recover its systems from backup, and the financial and regulatory implications of engaging in any ransom negotiation or payment.

State-sponsored attackers are backed (whether openly or covertly) by national governments and conduct cyber operations for geopolitical aims. Although they might pose as cybercriminals, seeking financial reward to disguise their identity, their objectives often include espionage, disruption of critical infrastructure[43] or causing economic damage to their international adversaries.[44] They are typically well-funded and can deploy highly sophisticated, long-term attacks, often remaining undetected for months, if not years. Depending on the facts, engaging with national defence or intelligence agencies in response to incidents that appear to be perpetrated by nation-state actors may be appropriate.

Hacktivists are motivated by ideology. Their primary aim is to further a particular political or social cause, rather than seek financial reward. Hacktivist methods might include defacing websites, launching denial-of-service attacks[45] or revealing sensitive information to the public. When responding to hacktivist-led incidents, organisations must be conscious not only of the technical aspects of the incident but also of the underlying issues that the activists are seeking to highlight. The roles of public relations and stakeholder communications are vital in these cases.

31.3.2 Insider threats

Insider threats represent another category of cyber incident perpetrators and cover individuals within an organisation who have insider information concerning its security practices, data and computer systems. These can be employees, contractors or business partners. They pose unique challenges because of their authorised access to the organisation’s internal resources. There are generally two types of insider threats: innocent and malicious.

Innocent insiders are employees or partners who unintentionally cause harm, often because of a lack of awareness, training or a simple mistake; for example, they might fall for a phishing scam or accidentally leak personal data. The vast majority of personal data breaches that are reported to privacy regulators involve incidents of this kind.[46]

Malicious insiders deliberately attempt to compromise an organisation’s security, whether for personal gain, revenge or some other motive. This might involve stealing proprietary information and valuable intellectual property, sabotaging systems or selling access to external threat actors. Responding to insider threats requires a different approach from that used for external threats. It is essential to strike a balance between ensuring security and maintaining trust within the organisation. Methods such as continuous monitoring, user behaviour analytics and regular training sessions can be effective. Moreover, incident response plans must incorporate strategies for legal, human resources and organisational ramifications when dealing with insiders.

31.4 Incident response

When a cyber incident occurs, time is of the essence and the situation can be chaotic. Success requires swift coordination, communication and action. The best responders have practised their response at regular intervals and already have a good understanding of who should do what, and why: there is little time for debate during a live incident. Although simple data breaches[47] may require only a small-scale response effort, with minimal investigation or remediation, larger cyberattacks are likely to require a carefully managed and sophisticated response; however, it is not always easy to tell whether you are dealing with a small or large attack at the outset. The broad objectives of incident response will involve (1) threat containment, (2) investigation, (3) risk mitigation and (4) recovery and remediation. Each of these objectives must be pursued immediately and alongside one another, which requires management, vigilance and precise allocation of resources. We now provide an overview of the typical challenges in a cyber incident scenario and offer some guidance, from the moment of the attack onwards, for practitioners to build into their own response plan.

31.4.1 Operational command

Managing crisis response, especially in the case of a serious cyber incident or attack, requires a single, centralised command structure capable of making swift and informed decisions. A core incident response team should be rapidly put in place to serve as ‘operational command’, bringing clarity and structure to the decision-making process. In high-pressure scenarios, the singular authority and organisational direction from such an operational command is crucial to an efficient and effective response to the evolving situation. The constitution of this leadership team will ideally have been clearly defined in the company’s IRP, but even if they exist, predefined processes often need to be adapted to some incidents. The role of the centralised command unit is to aggregate the most reliable and up-to-date information flowing from all relevant sources (investigations, news media, internally from employees, etc.) and to facilitate robust decision-making in a timely manner at the highest level of the organisation. Building this team is about having the right people in the room to make these difficult decisions. Accordingly, operational command will commonly be composed of core business leadership;[48] experts from the organisation’s information security, technology or operations teams; project management officers; human resource or employee liaison; communications or public relations officers; and other key roles as the circumstances may require. Alongside these in-house capabilities, operational command will also include in-house or external legal counsel (or both). Retaining and including expert cybersecurity lawyers who understand the challenges and risks is especially crucial in serious, complex and high-stakes circumstances.

The role of an expert legal adviser is sometimes unclear to those who may not have dealt with a cyber incident, often because of a misunderstanding around the nature of the challenge itself. As set out above, cyber incidents are not merely an IT or technical issue. To treat them as such is to expose the organisation to significant legal, regulatory and reputational risk. Any sophisticated response to an incident must be fully cognisant of the future consequences of each action in the wake of an attack, even as early as ‘day zero’ and before. In smaller incidents, with limited effects or operational downtime, it may be sufficient for in-house information security personnel to investigate and remediate, with lawyers (whether in-house or external counsel) providing minimal oversight and light-touch advice about legal obligations flowing from the incident; however, in many attacks (certainly those affecting organisations of appreciable scale), the legal team will be central to the crisis management and incident response team. External legal experts will need to slot seamlessly into the crisis response structure (which is ideally defined in the IRP) and perform multiple functions, including strategic oversight, workflow coordination and leadership, risk mitigation and stakeholder liaison. Expert legal advisers will be able to collaborate with other expert teams, instructing and directing forensic investigation, negotiation, remediation and communication efforts – all of which involve highly sensitive information and difficult decision-making. The role of the expert legal adviser will need to adapt to meet the requirements of each case, but will routinely involve leading the investigation and response directly, and integrating with business leadership as one centralised decision-making unit. From this central position, legal advisers are able to anticipate and identify risk and to recommend mitigating action that is appropriate to the overall risk that the business faces.

However the team is ultimately constituted, there should be clear decision-making procedures and mechanisms for facilitating the inflow of information into operational command, and the outflow of instructions back to the various satellite teams driving specific areas of the IRP (developed further, below). It is likely to be necessary to establish a regular cadence of updates whereby operational command convenes, shares the latest intelligence and developments, makes decisions on action and instructs sub-teams accordingly.

31.4.2 Engagement of experts and legal privilege

In complex cases, victim companies are likely to need to rely on various external expert service providers. It will be the role of in-house or external legal counsel to instruct and lead these expert service providers, not least so that their work, communications and output are covered by legal privilege to the fullest extent possible. Investigations by regulators or third-party litigation are often likely consequences of cyber incidents. Tripartite arrangements are commonly used to structure the engagements between company, legal adviser and expert vendor, with lawyers instructing the expert vendor on behalf of their client and for the purpose of delivering legal advice or in anticipation of litigation. Experts of all kinds, including forensic investigators, IT recovery specialists, ransomware negotiators, public relations experts and communications or call-centre service providers may all be instructed in relation to complex cyber incident response matters.[49] Managing these relationships and ensuring seamless communication, collaboration and integration with the incident response team is a task often led by expert legal counsel. Protocols should be established and circulated that set out guardrails for how all relevant parties (including the victim business, legal advisers and expert vendors) communicate with one another, so that legal privilege can be defensibly maintained and so that confidentiality and discretion are afforded to the most sensitive correspondence. Lawyers will draft a communications protocol with which third-party providers will be required to comply when communicating about the incident, conducting their investigation, storing evidence within their own systems and sharing information with the incident response team.

31.5 Forensic investigation, recovery and impacts analysis

Under the protection of legal privilege, specialist cyber incident forensic investigators are instructed by lawyers acting for the victim business and engaged to drive the technical, ‘boots on the ground’ investigation of the affected network and systems of the victim business. This workflow commences on ‘day zero’ as a matter of urgency and will be critical for subsequent objectives, including containment and remediation, risk mapping, ransom negotiation and public communications. All actions are informed by the facts and evidence as discovered by the forensic investigation, and accordingly this phase of work is central to immediate response efforts. Working with in-house IT and information security teams, the forensic investigator’s primary role is to uncover the who, what, when, where and how of the incident, all while collaborating seamlessly with business continuity and recovery efforts, and feeding developments back to the operational command team for swift decision-making. This process is multifaceted and requires a meticulous approach, often with very limited time available. Although the forensic investigation will look different in each case, the following broad objectives are typically part of the investigator’s mandate:

  • Containment and business recovery: The priority will always be to contain any active threat and create a forensically clean environment, and to identify business functions that need recovering. Often this work will be split between recovery specialists and forensic investigators (because the core goals are slightly different and must run in parallel) but the providers may be the same organisation. Containment involves rapidly identifying compromised attack surfaces,[50] systems, networks and endpoints, isolating them to prevent further damage, and removing the threat actor’s presence. The key here is to strike a balance between halting the attacker and preserving evidence for investigation. While the forensic process is progressing, there is also a pressing need to restore regular business operations. This might involve cleaning and restoring backups, rebuilding compromised systems or even migrating to new platforms. The aim is to ensure business continuity with minimal disruption, all while bolstering defences against future attacks.
  • Determining the root cause, vulnerability exploited or initial compromise: It is crucial to identify the attacker’s method of intrusion and how access was gained so as to remediate any weakness in the security perimeter, but also to start to trace the attacker’s activity through the corporate network and systems. A threat actor might use different methodologies to gain initial access to a network: phishing attacks,[51] watering-hole attacks,[52] ‘zero-day’ exploits,[53] supply chain attacks,[54] credential-stuffing[55] or use of leaked passwords.[56] By pinpointing the breach’s origin, organisations can not only patch the specific vulnerability but also refine their broader security protocols.
  • Mapping lateral movement and threat actor activity: Once the immediate threat is contained, the investigator traces the attacker’s path within the system. This involves identifying which systems were accessed, any administrator-level accounts that were compromised or access privileges that were escalated[57] and any other malicious activities. Once initial network intrusion has been achieved, threat actors will typically attempt to maintain a foothold and persistence in the network, erase activity logging to cover their tracks and establish remote access with command and control servers.[58] By mapping this movement, looking for indicators of compromise[59] and suspicious beaconing,[60] investigators can understand the full scope of the breach and identify other potential vulnerabilities.
  • Analysis of impacted systems and data: This involves a comprehensive review of all systems and data accessed by the threat actor. The goal is to determine the extent of the damage, any alterations or unauthorised access to data and any malware[61] or ‘back doors’[62] left behind. In the case of ransomware, the investigator will be seeking to map out the extent of encrypted systems and data so that the business can understand what it might have lost, what could be recovered and, therefore, precisely how much harm has been inflicted.
  • Data staging and exfiltration: Threat actors often compile (or stage) the data they intend to steal in specific locations within a compromised network before extracting it, often hidden among regular network traffic. Identifying these staging areas and monitoring inbound and outbound traffic as well as data compression activity can provide insights into the scale and nature of the data exposed. Understanding precisely what data has been accessed and exfiltrated will be relevant to the nature of any regulatory obligations, as well as litigation, contractual or reputational risk analysis.
  • Information flow and reporting: Expert investigators will keep operational command up to date with all discoveries and developments, often through a regular cadence of updates supplemented by immediate circulation of critical findings. This information flow is crucial to the agile decision-making of operational command. The investigators will collaborate closely with expert legal advisers to maintain a ‘single source of truth’ or evidential record of the investigation. This centralised repository of information, typically drafted by lawyers and held under legal privilege, will document what has been determined and when, what is being investigated, and what decisions are being made.[63] The forensic investigators may ultimately be required to produce a report of their findings, detailing the technical output of their investigation.[64] This report may be useful in many ways, such as in regulatory engagement or future due diligence exercises as proof of a robust and complete response effort. Furthermore, the report may helpfully inform any programme of remediations and improvements by identifying shortfalls or lessons learned as a result of the incident.[65]
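The staging and exfiltration objective above can be turned into a concrete check. The following is an added example, not part of this chapter or its authors' work: it correlates constructed endpoint archive-creation events with constructed outbound flow records and flags hosts whose external outbound volume in the hours after archiving approaches the volume staged. The archiver process names, thresholds, internal address ranges and all telemetry lines are assumptions to be tuned for a real estate.

```python
"""Correlate archive-creation events with outbound flow volume to spot data staging and exfiltration."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions to tune for a real estate: archiver process names, the size below which an
# archive is ignored, how long after staging outbound traffic is counted, the ratio of
# external bytes out to staged bytes that raises a finding, and the internal address ranges.
ARCHIVERS = {"7z.exe", "winrar.exe", "rar.exe", "tar", "zip"}
STAGE_MIN_BYTES = 100_000_000
EXFIL_WINDOW = timedelta(hours=6)
EXFIL_RATIO = 0.5
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample telemetry (hosts, users, addresses, paths and timestamps are made up).
# Endpoint events: one line per process that wrote a file, as an EDR might export them.
ENDPOINT_EVENTS = [
    r'2024-03-02T01:12:04Z host=FS01 user=svc_backup proc=7z.exe cmd="7z a -p D:\stage\hr.7z \\FS01\HR" bytes_written=1840000000',
    r'2024-03-02T01:15:30Z host=FS01 user=svc_backup proc=7z.exe cmd="7z a -p D:\stage\fin.7z \\FS01\Finance" bytes_written=950000000',
    r'2024-03-02T09:30:00Z host=WS17 user=alice proc=WinRAR.exe cmd="WinRAR a photos.rar C:\Users\alice\Pictures" bytes_written=120000000',
]
# Flow records: outbound bytes per connection, as a firewall or NetFlow collector might export them.
NETFLOW = [
    "2024-03-02T02:05:11Z src=FS01 dst=203.0.113.77 dport=443 bytes_out=2700000000",
    "2024-03-02T02:40:00Z src=FS01 dst=203.0.113.77 dport=443 bytes_out=110000000",
    "2024-03-02T09:45:00Z src=WS17 dst=198.51.100.9 dport=443 bytes_out=900000",
    "2024-03-02T10:00:00Z src=FS01 dst=10.0.0.5 dport=445 bytes_out=50000000",
]

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split 'TIMESTAMP key=value ...' into a dict; quoted values keep their spaces."""
    ts, _, rest = line.partition(" ")
    rec = {k: v.strip('"') for k, v in KV.findall(rest)}
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def is_external(addr):
    """True when the address lies outside the assumed internal ranges."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def staging_events(endpoint_lines):
    """Per host, the archive-creation events large enough to look like staging."""
    staged = defaultdict(list)
    for rec in map(parse_record, endpoint_lines):
        big = int(rec.get("bytes_written", 0)) >= STAGE_MIN_BYTES
        if rec.get("proc", "").lower() in ARCHIVERS and big:
            staged[rec["host"]].append(rec)
    return staged


def find_exfil_candidates(endpoint_lines, netflow_lines):
    """Hosts whose external outbound volume after staging approaches the staged volume."""
    staged = staging_events(endpoint_lines)
    flows = [parse_record(line) for line in netflow_lines]
    findings = []
    for host, events in sorted(staged.items()):
        start = min(e["ts"] for e in events)
        staged_bytes = sum(int(e["bytes_written"]) for e in events)
        out_by_dst = defaultdict(int)
        for f in flows:
            in_window = start <= f["ts"] <= start + EXFIL_WINDOW
            if f["src"] == host and in_window and is_external(f["dst"]):
                out_by_dst[f["dst"]] += int(f["bytes_out"])
        outbound = sum(out_by_dst.values())
        # A modest archive with negligible external traffic (WS17 in the sample) is ordinary user activity.
        if outbound >= EXFIL_RATIO * staged_bytes:
            findings.append({
                "host": host,
                "first_staging": start.isoformat(),
                "staged_bytes": staged_bytes,
                "outbound_bytes": outbound,
                "destinations": sorted(out_by_dst),
                "archives": [e["cmd"] for e in events],
            })
    return findings


if __name__ == "__main__":
    for finding in find_exfil_candidates(ENDPOINT_EVENTS, NETFLOW):
        print(finding)
```

The finding records the first staging time, the archive commands and the destination addresses, which is the evidence the investigator needs to scope what was taken and to feed the regulatory analysis described later in the chapter.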

31.6 Communications

Cyberattacks can badly affect a company’s reputation. Even if the company is a victim and bears no obvious fault, there are significant risks of adverse publicity or a loss of trust with customers, suppliers or other third parties. The threat actor’s goal is sometimes to cause irreparable reputational harm to a business or organisation; for example, when perpetrated by hacktivists.[66] Communications must be carefully managed to tread a path between preservation of sensitive facts and details, and the openness expected by the public, the regulators and the markets. Serious cyberattacks rarely go unnoticed by the world at large. For online businesses, there may be very obvious service outages, but even businesses without a significant online presence are likely to need to deal with adverse public scrutiny and media enquiries.[67] This attention is occasionally driven by threat actors hoping to increase the pressure on the victim to respond to a ransom demand.

Companies will often instruct public relations experts who know how to handle crises and can help reduce this damage. These experts will work alongside the organisation’s own communications team, expert cybersecurity lawyers and the incident response team to carefully curate information released by the business. Outward messaging is critically important for positioning the victim business appropriately and mitigating legal risk. Further, there are clear consequences for poor or misleading communication.[68] These experts should be onboarded quickly because media attention focuses on the immediate aftermath of the attack, when the business is likely to be reeling from the impact and the facts are still elusive.

Communication challenges are not limited to external messaging, and it is similarly important to take care of all information shared internally within the victim organisation, whether to employees, shareholders or board-level executives. Cyberattacks can be extremely disruptive, so to avoid wild and unhelpful speculation, as well as to treat employees with respect and transparency, sharing curated updates within the organisation may be appropriate. The potential audiences are markedly different, and so businesses must be careful to provide information that is tailored and appropriate for the recipients. Communications offer a strategic opportunity for victim businesses to control the narrative, demonstrate transparency, reassure customers and signal to regulators that they are appropriately managing the incident.

Given the immediacy of communication requirements following an incident, one of the first deliverables from communications professionals (working with legal advisers) will be a ‘comms pack’, covering pre-approved information, holding statements, FAQ responses and other communications tailored for different audiences. Having this comms pack available rapidly can serve to alleviate pressure on company spokespeople and avoid critical misstatements. It may also be important to set up a system whereby external enquiries can be addressed via a single channel, perhaps through a dedicated call centre or enquiries inbox. Inbound communications should be equally carefully monitored, as any potentially affected and aggrieved parties may often seek to obtain information through existing communication channels, which they may then seek to leverage to their own benefit. In particular, in the wake of a widely publicised data breach, organisations commonly receive ‘data subject access requests’ from individuals seeking to understand whether and how their personal data may have been affected in the incident. Responses to these requests should be carefully managed, but it is equally important not to miss any such requests in the ensuing chaos of an attack, given that failure to respond within statutory time limits may precipitate further unwanted regulatory scrutiny or litigation.

31.7 Ransom negotiation

Ransomware attacks have surged in the past few years, emerging as one of the top cybersecurity threats.[69] Given the economic incentives, new threat actor groups continue to emerge and escalate persistent attacks against infrastructure and business organisations.[70] Accordingly, ransomware is a key risk for all organisations of a significant scale.

According to the UK government’s ‘Cyber Security Breaches Survey 2023’,[71] 57 per cent of businesses have a stated rule or policy to not pay ransom;[72] however, if a victim has no ability to restore operations from backups or otherwise recover its lost data, and especially when the alternative might mean a complete system overhaul, significant data loss or the public release of sensitive data stolen by the attacker, the company will be faced with a simple question: pay the ransom or lose the business.[73] The question of whether or not to pay a ransom is fraught with uncertainty and legal risk. It must be carefully considered, with the benefit of expert advice, and deliberated only in extremely clandestine circles. In the United Kingdom, the United States and the European Union, paying a ransom is not illegal in principle, but businesses must carefully assess the application of anti-terrorist financing, anti-money laundering and sanctions rules.[74]

Many victims will seek expert guidance from ransomware negotiation specialists. These experts have extensive experience in dealing with various threat actor groups. They will be acutely aware of their behavioural patterns, their propensity to make good on their promises if paid, and relationships or affiliations with various other threat actor groups or nation states.[75] The expert negotiators will be aware of which threat actor groups may be subject to sanctions, and which pose a very real risk in circumstances where many ransomware threat actor groups have links with sanctioned entities, individuals or nations.

Upon detecting a ransomware attack, the victim commonly finds a ransom note left by the attackers that, typically, will have been propagated through all encrypted systems and devices. This note generally provides instructions about how to communicate with the threat actor and a demand for payment in return for a decryption key[76] or in return for a promise from the threat actor group not to publish exfiltrated data. Ransom demands are often reinforced with a threat that the company will be ‘named and shamed’ by the threat actor on a public forum, which would increase pressure and accelerate any reputational damage to be suffered.

If the victim business decides to negotiate with the threat actor, negotiation experts will reach out to the threat actor group via the method of communication prescribed in the ransom note. This is commonly done through the dark web[77] to access particular chat sites or message boards. The negotiator will typically engage the threat actor covertly, representing themselves as a low-level employee of the victim business,[78] and may use other tactics to extract valuable intelligence from the threat actor, such as the method of entry or the data obtained. In general, the primary goals are to buy time for the investigation and recovery efforts, and to negotiate a lower ransom demand. Much of this negotiation depends on what the threat actor was able to achieve through encryption or exfiltration of data – neither of which may be clear in the initial negotiation.

The negotiator will communicate with the threat actor to obtain important information about what the threat actor wants and is willing to give in return. The negotiator will seek evidence from the threat actor group that they do actually have a functional decryptor that can reverse the encryption, and that the threat actor has exfiltrated the data, as it claims to have done. The negotiator is seeking ‘proof of life’, a process that often involves the threat actor providing a ‘file tree’[79] from which the business will select a number of sample files for review.[80] Once the threat actor has appropriately demonstrated that it can decrypt the selected files, thus proving it has a functioning decryptor, the business will need to assess its options and consider the relative risks of paying the ransom.

Cryptocurrencies are the mode of payment preferred by ransomware attackers primarily because of the anonymity, the lack of third-party financial institutions involved (such as banks) and the ease with which funds can be dispersed and made untraceable. Payment may sometimes be made through intermediaries on behalf of the victim business. Once payment has been effected, decryption keys are released and can be circulated throughout the organisation for deployment on affected systems and devices.[81]

31.8 Legal risk analysis and reporting obligations

The investigation into the incident aims to determine the various legal risks to the organisation, beyond the immediate risk of containing the incident and recovering from it. The factors that play into that analysis vary by incident and victim, and evolve hour by hour as the incident progresses. Aside from the type of attack (see above), the key factors that influence the risk analysis fall into three broad categories: (1) the nature of the victim business; (2) the jurisdictions affected, whether directly or indirectly; and (3) the systems, capabilities or data that the incident affected.

31.8.1 Nature of the business

Publicly traded companies,[82] those that operate in regulated sectors or those that provide critical infrastructure or digital services will be subject to different (albeit often overlapping) legal and regulatory regimes. As described above, regulated financial service entities are subject to additional security and governance obligations that can relate to cybersecurity and may create additional legal obligations in the event of an incident. Likewise, the United Kingdom’s Product Security and Telecommunications Infrastructure Act 2022 (once fully implemented) will place cybersecurity and reporting requirements on manufacturers and distributors of internet-connected consumer products.[83] Many jurisdictions have specific reporting requirements for the providers of critical infrastructure services. Understanding the full suite of industry-specific or sector-specific laws with which the victim business must comply will define the possible range of notifications and obligations that might conceivably arise in the case of a cyber incident or data breach.

31.8.2 Affected jurisdictions

Given the deeply interconnected digital world in which businesses operate and cyber incidents occur, incidents are very likely to implicate more than one legal jurisdiction. Determining all relevant geographies, whether by virtue of the physical location of systems or devices, or by location of affected individuals, will be important in mapping the laws that apply and the extent of legal risk. Expert legal advisers may need to provide specific local law advice in relevant jurisdictions. With multiple sets of applicable laws and regulations, this risk analysis can become very complex.

31.8.3 Specific impacts to systems or data

Depending on the discoveries in the forensic investigation, a deeper data-mining analysis may be required to fully understand the type of data that the threat actor may have illegally accessed, destroyed or obtained. The data-mining exercise is typically led by external legal experts and will involve use of a document review platform to ingest, process and filter large quantities of information to understand what was contained in any files or folders impacted in the attack. The data-mining exercise will be looking primarily to identify any personal data[84] or commercially sensitive information.[85] In the United States, for example, it may be necessary to consider whether affected systems or data included health information, which could trigger reporting obligations under the Health Insurance Portability and Accountability Act of 1996. In addition, it will be important to determine whether data belonging to third parties was affected as that may give rise to regulatory or contractual notification obligations.

31.8.4 Legal obligations

The largest and most impactful cyber incidents reported in the media almost always have some component involving adverse effects on personal data or personally identifiable information. Multiple laws aim to protect these types of data, including the GDPR in the European Union and the UK GDPR, and the California Consumer Privacy Act (and various other state and federal laws in the United States). These laws carry particular obligations with respect to notifications and disclosures required from affected companies in certain circumstances.

31.8.5 Data breach reporting under GDPR and UK GDPR

Considering whether a personal data breach has occurred is important in the event of a cyber incident or cyberattack because some element of security has almost certainly been compromised. Given the strict statutory timelines for reporting a personal data breach to relevant regulators and individuals, the investigation should focus on understanding the involvement of any personal data and the extent to which it may have been affected in the incident. This can often be laborious and difficult, particularly if systems have been affected by the attack, but privacy regulators will expect to see meaningful effort. As detailed above, a core pillar of the investigation, and the data mining exercise, focuses on mapping these effects to data for the primary purpose of understanding and discharging legal and regulatory obligations. The central questions for this element of the investigation are: what personal data has been affected, and how?

Under the UK GDPR and GDPR, a ‘personal data breach’ means a ‘breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data’.[86] What constitutes a breach of security has been the subject of much academic debate, but for the purposes of this chapter, it is most relevant to consider the possible effects on personal data. According to the European Data Protection Board’s (EDPB) Guidelines 9/2022,[87] breaches can be conceptualised under three broad categories: confidentiality breach, which involves an unauthorised or accidental disclosure of, or access to, personal data; integrity breach, which involves an unauthorised or accidental alteration of personal data; and availability breach, which involves an accidental or unauthorised loss of access to, or destruction of, personal data.

The test for a personal data breach is likely to be met in a cyber incident or cyberattack when the business holds personal data or personally identifiable data that the threat actor has accessed, manipulated in some manner, encrypted (and rendered inaccessible), exfiltrated or deleted.

The UK GDPR requires that, in the case of a personal data breach, the data controller must notify the data protection regulator[88] ‘unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons’.[89] Accordingly, the threshold for notification to the regulator is very low since it does not consider the relative severity of risk, and merely requires that there be a risk that is not unlikely. In the case of a cyber incident or cyberattack that affects personal data (especially given the involvement of a threat actor), data protection regulators are likely to consider there to be a risk. When there is a ‘high risk to the rights and freedoms of natural persons’, the data controller must also notify affected data subjects.[90]

Once the threshold test for a personal data breach is met, the data controller must notify the regulator of the breach ‘without undue delay and, where feasible, not later than 72 hours after having become aware of it’.[91] These provisions of the UK GDPR have often caused considerable pressure and panic within affected organisations, who perceive that they are immediately placed under incredible time pressures in the event of a cyber incident or breach.[92] This pressure is commonly to blame for premature and hurried notifications, in circumstances in which the facts are unsubstantiated and subject to change. Notification of regulators without a proper grip of the facts can bring unwanted scrutiny, increase pressure on the business under attack and produce misstatements that lead to coordination and communication failures between the victim company and the regulator. The EDPB has stated that it considers a controller has become aware when that controller has a ‘reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised’.[93] Since investigation, data mining and analysis can all take considerable time to progress and reach any defensible conclusion, the EDPB accepts that ‘it may take some time to establish if personal data have been compromised’.[94] As such, controllers pursuing a reasonable and expeditious investigation are afforded some degree of latitude, but this will depend on the size of the breach and the type of data affected.

Victim businesses should carefully consider the progress of their investigation and the degree of factual understanding when calculating statutory deadlines and determining whether the statutory clock has started to tick. To avoid exposure to retrospective criticism from regulators for failure to notify when required, businesses should fully document the investigative findings and decisions, frequently revisiting the analysis to determine whether relevant statutory thresholds have been met on the facts now available.

31.8.6 Other notification obligations

Other non-European jurisdictions are likely to have their own data protection or information security law, which should be examined as the circumstances require. In the United States, a patchwork of state and federal laws may apply in certain circumstances, requiring a complex legal analysis. Commonly, US state attorneys general must be notified of a data breach that affects certain categories of data, the rules for which vary from state to state. The Securities and Exchange Commission now requires disclosure of information within four days of discovering a material cybersecurity incident[95] in the new Form 8-K or Form 6-K.[96] Regulated industries, such as financial services, pension funds, critical infrastructure and telecommunications, may also be subject to particular requirements under specific regulatory frameworks governing those industries.[97] Given the complex picture across these jurisdictions and regulatory frameworks, businesses should fully map out the landscape of potentially relevant rules so that the particular requirements can be anticipated and monitored as the investigation develops.

Aside from regulatory notifications, businesses must assess any contractual responsibilities with vendors, service providers, partners or customers that require notification about the incident or attack. Recent examples of serious supply chain cyberattacks[98] have shown how security failures in one organisation can lead to a cascade of effects downstream. Contractual obligations requiring prompt disclosure of information in the aftermath of an incident typically reflect the regulatory requirements on each of the parties. Affected businesses commonly hold data that is controlled or owned by other organisations and process that data on their behalf.
Footnotes

[1] James Lloyd and Tony Kim are partners and Sami Martin Qureshi is an associate at Latham & Watkins.

[2] Data from Comparitech finds that: ‘In the long term, breached companies underperformed the market. After 1 year, Share price fell -8.6% on average, and underperformed the NASDAQ by -8.6%. After 2 years, average share price fell -11.3%, and underperformed the NASDAQ by -11.9%. And after three years, average share price is down by -15.6% and down against the NASDAQ by -15.6%.’ – report available at www.comparitech.com/blog/information-security/data-breach-share-price-analysis.

[3] eSentire, Inc, 2022 Official Cybercrime Report by Cybersecurity Ventures, www.esentire.com/resources/library/2022-official-cybercrime-report.

[4] In recent cases against Uber (5 Oct. 2022) and Drizly (24 Oct. 2022), the Federal Trade Commission (FTC) has taken steps to ensure executive level accountability by bringing federal charges against chief executive officers (CEOs) for concealment of information (obstruction of FTC investigation) in the wake of a data breach and for failing to implement appropriate information security measures, respectively. Notably, the FTC’s order (requiring maintenance of a rigorous information security programme) continues to apply personally to the CEO of Drizly, as well as to any future entity where the CEO is owner, CEO or senior officer with security responsibilities.

[6] The latest IBM Data Breach Report puts this figure even higher, and found that 83 per cent of organisations experienced more than one data breach during 2022; available at www.ibm.com/reports/data-breach.

[7] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (GDPR) is the EU regulation that provides rules around information privacy and processing of personal data. It has been retained in domestic law in the United Kingdom as the UK GDPR and the Data Protection Act 2018.

[8] In 2020, the UK Information Commissioner’s Office (ICO) fined British Airways £20 million following a 2018 data breach in which cyberattackers exploited vulnerabilities in its website, leading to the exposure of around 500,000 customers’ details, including payment data. Similarly, the ICO took action against Marriott International: the hotel chain was fined £18.4 million after a 2014 cyberattack on the Starwood hotels group. The breach, which came to light in 2018 (four years after the incident), compromised the data of approximately 339 million guests. Marriott had acquired Starwood in 2016 and the breach was discovered post-acquisition. These cases show that flawed security measures, which open the door to attack, can result in heavy regulatory penalties.

[9] In March 2023, the US Securities and Exchange Commission (SEC) charged Blackbaud, a cloud software service provider, for delaying and failing to disclose material information concerning a cyberattack affecting its customers, including that credit card information, bank account information and social security numbers had been accessed by the attacker.

[10] Aside from the UK GDPR and the Network and Information Security Regulations 2018 (NIS Regulations), other UK laws that may have relevance in cyber incidents or data breaches include the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), the Communications Act 2003, the Computer Misuse Act 1990 and the Official Secrets Act 1989. Additionally, the Product Security and Telecommunications Infrastructure Act 2022 will, once implemented, place cybersecurity requirements on manufacturers and distributors of internet-connected consumer products.

[11] Aside from the NIS Regulations, businesses should be cognisant of Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union (NIS2 Directive), which came into force in January 2023 and must be implemented by EU Member States from October 2024. The NIS2 Directive expands the reach of the NIS Regulations in terms of sector and industry reach, and prescribes specific compliance measures.

[12] For example, the Payment Card Industry Data Security Standard prescribes certain security standards for organisations that handle credit card transactions to ensure that cardholder data is kept secure. Financial services providers such as banks, insurance companies, credit unions and financial advisers are regulated under the Financial Services and Markets Act 2000 by the Financial Conduct Authority (FCA) (and some also by the Prudential Regulation Authority (PRA)) and are subject to additional security and governance obligations, which can directly or indirectly relate to cybersecurity. Some of these are contained in the FCA Handbook and the PRA Rulebook. Under the NIS Regulations, cybersecurity and incident reporting requirements are imposed on certain operators of essential services and relevant digital service providers (RDSPs). Under the Communications Act 2003, telecommunications providers are subject to obligations to maintain secure networks and services, including rules on how to prevent security breaches and what to do when security has been breached; for example, in relation to any unauthorised release of personal data.

[13] See GDPR and UK GDPR, Article 4(7); a ‘data controller’ is any entity that ‘determines the purposes and means of the processing of personal data’. All organisations are likely to operate as a data controller over some volume of personal data, whether it is customer data or employee data.

[14] See Id., Article 4(1); ‘“personal data” means any information relating to an identified or identifiable natural person (“data subject”)’.

[15] See Id., Articles 32 and 5(1)(f).

[16] Under GDPR and UK GDPR, Article 83, fines for infringement of the regulations can reach as high as 4 per cent of worldwide annual turnover or €20 million, whichever is higher.

[17] GDPR and UK GDPR, Article 9, sets out requirements around the processing of ‘special category’ data, which includes ‘personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation’. Processing of such data is prohibited unless an exception under Article 9(2) applies.

[18] For example, the ICO publishes ‘A guide to data security’, available at https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/security/a-guide-to-data-security.

[19] This presents a challenge for businesses in that there are no specific and well-defined steps that, if taken, will conclusively demonstrate that ‘appropriate technical and organisational measures’ were implemented. With the benefit of hindsight, regulators can identify what countermeasures could have been in place and would have prevented a cyberattack or data breach, and then criticise the controller for not having taken those steps. It falls on the data controller to argue that, notwithstanding the fact of the attack or breach, the security (while demonstrably flawed) was nevertheless ‘appropriate’ in light of the relevant factors required for consideration.

[20] The primary obligation on RDSPs is to ‘identify and take appropriate and proportionate measures to manage the risks posed to the security of network and information systems’. Under the NIS Regulations, Regulation 12(2)(c), these security measures should consider ‘the security of systems and facilities; . . . incident handling; . . . business continuity management; . . . monitoring, auditing and testing; and . . . compliance with international standards’. Some of these security obligations also flow from the Commission Implementing Regulation (EU) 2018/151 laying down rules for application of Directive (EU) 2016/1148 as regards further specification of the elements to be taken into account by digital service providers for managing the risks posed to the security of network and information systems and of the parameters for determining whether an incident has a substantial impact.

[21] This guidance can be found at www.ncsc.gov.uk/collection/caf.

[22] According to the National Cyber Security Centre (NCSC): ‘Cyber Essentials is an effective, Government backed scheme that will help you to protect your organisation, whatever its size, against a whole range of the most common cyberattacks. Cyberattacks come in many shapes and sizes, but the vast majority are very basic in nature, carried out by relatively unskilled individuals. They’re the digital equivalent of a thief trying your front door to see if it’s unlocked. Our advice is designed to prevent these attacks.’ More information can be found at www.ncsc.gov.uk/cyberessentials/overview.

[23] ISO/IEC 27001 is an international standard for managing information security. It provides a framework for establishing, implementing, maintaining and continually improving an ‘information security management system’. ISO standards are compiled and published by the International Organization for Standardization, which is an international, independent and non-governmental body that aggregates and defines international standards of practice across a series of technical and non-technical fields. Accordingly, ISO standards are a recognised benchmark for industry good practice.

[24] The National Institute of Standards and Technology (NIST) is a US federal agency that produces standards across a variety of areas, including cybersecurity. Its standards and guidelines are influential both within the US government and across various sectors of industry. NIST maintains a cybersecurity framework, of which the latest version 2.0 (published in draft on 8 August 2023 and subject to review) is available at https://csrc.nist.gov/pubs/cswp/29/the-nist-cybersecurity-framework-20/ipd. Although voluntary, this framework is widely recognised and adopted by both public and private sectors as a guideline for best practices in cybersecurity. The cybersecurity framework and NIST’s SP 800 series provide detailed guidelines on many cybersecurity topics, including how to ‘architect, design, develop, maintain, and sustain the trustworthiness of systems with the capability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises that use or are enabled by cyber resources’.

[25] Including, for example, CSA Cloud Controls Matrix, COBIT 2019, CBEST, CREST STAR-FS and ETSI EN 303 645.

[26] Legislators are moving towards the development of harmonised standards: see, e.g., ETSI EN 303 645 and the Product Security Telecoms Act 2023 in the United Kingdom, or the Cybersecurity Act and related certification schemes in the European Union.

[27] This concept is endorsed in most industry guidance, including NCSC and NIST standards.

[28] Published in draft form (the wording may ultimately change) at https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.ipd.pdf.

[29] A firewall is a network security measure that monitors network traffic (meaning inbound and outbound information sent between internal and external networks – such as a company’s systems and the wider internet) and determines whether to allow or block specific traffic based on a set of configurable security rules.

[30] Password policies require a certain password complexity or strength by enforcing requirements such as ‘passwords must be at least 12 characters long, must be a combination of upper and lowercase letters, with at least one number and one symbol’. Poor password strength, and reuse of passwords across multiple accounts, are common factors in many cyber incidents.

[31] Intrusion detection systems monitor network traffic to detect suspicious activity, policy violations and malicious transactions and generate an alert upon detection.

[32] Endpoints are physical devices that connect to a network system. These can include mobile devices, computers, virtual machines, embedded devices and servers. Endpoint security, or endpoint protection, is crucial as it aims to protect these endpoints from malicious actors and exploits that could, if unprotected, allow threat actors an initial point of access into a network infrastructure. Cybercriminals often target endpoints because they serve as doorways to corporate data and are inherently vulnerable to attack. They sit outside multi-layered network security and depend on human users to comply with security measures, thus leaving room for error. Endpoint security involves a range of processes, services and solutions to protect against threats. These may include traditional antivirus and anti-malware software, as well as more advanced endpoint detection and response (EDR) solutions, which are comprehensive solutions that help detect, investigate and respond to threats and manage apps, devices and users.

[33] Logs are a detailed and time-stamped repository of events that occur within a computer system, including elements such as user activity, application information and system performance.

[34] Security information and event management systems aggregate event management and information management functions within one holistic system designed to organise, detect and respond to security threats.

[35] Incident response plans are crucial to an organisation’s ability to react to an attack. Incident response plans will typically cover at least the following broad areas: management, triage, escalation and decision-making, roles and responsibilities, expert contacts, legal or regulatory considerations and post-incident recovery.

[36] The importance of personnel training cannot be overstated. Given that most cyberattacks and incidents involve some measure of human error (whether it is falling victim to social engineering by the attacker, or having poor information hygiene practices), giving staff members proper training is a strong countermeasure.

[37] Cyber insurance markets are rapidly evolving as businesses increasingly fear the consequences of attack and seek to offset exposure. Insurance policies will be important in incident response and will need to be navigated in the context of vendor selection and accrual of response and remediation costs. Consequently, insurers should be engaged and kept informed of these costs in real time (where possible and advantageous to do so), so that businesses are not caught without coverage.

[38] Encryption is the process of encoding information in a cryptographically secure and non-human readable format so that no one can decipher the information without having a specific decryption key. Information stored in an encrypted form (whether this is Advanced Encryption Standard 256 or another cryptographic standard of encryption) poses less risk because (1) it is not internally accessible except by those with a decryption key, and (2) even if leaked, this data is strongly encrypted and cannot be read by recipients.

[39] Multi-factor authentication (MFA) is an authentication method that requires the user to present two or more pieces of evidence to verify their identity before being granted access. MFA typically requires any two or more of (1) something you know (such as passwords or personal identification numbers (PINs)), (2) something you are (including biometrics, such as fingerprints or facial recognition) and (3) something you have (such as a mobile device or USB key).

[40] NCSC defines a cyber incident as ‘a breach of a system’s security policy in order to affect its integrity or availability and/or the unauthorised access or attempted access to a system or systems’, in line with the Computer Misuse Act 1990. It also states: ‘In general, types of activity that are commonly recognised as being breaches of a typical security policy are: 1. Attempts to gain unauthorised access to a system and/or to data. 2. The unauthorised use of systems for the processing or storing of data. 3. Changes to a system’s firmware, software or hardware without the system owners [sic] consent. 4. Malicious disruption and/or denial of service.’ In a similar manner, NIST (in Special Publication 800-160 Vol. 2) defines ‘cyber incident’ as ‘[a]ctions taken through the use of an information system or network that result in an actual or potentially adverse effect on an information system, network, and/or the information residing therein’.

[41] For example, in 2017, the credit reference agency Equifax was hit by a cyberattack in which records for approximately 150 million people were compromised. It was suspected that this data would be sold on the dark web and could lead to identity theft. This breach led to serious regulatory consequences, including settlement costs of approximately US$575 million for victim compensation and regulatory fines.

[42] ‘Exfiltration’ means the unauthorised transfer of information from a system or network.

[43] As part of the continuing Russia–Ukraine war, in 2015 the Ukrainian national power grid was attacked by a Russia-backed threat actor group known as Sandworm, causing a power outage for hundreds of thousands of people.

[44] In 2017, the North Korean-backed Lazarus Group conducted a large-scale ransomware attack known as WannaCry, which is estimated to have affected around 300,000 computers across 150 nations. In 2021, the Colonial Pipeline ransomware attack caused critical US fuel pipelines to temporarily shut down, leading to widespread fuel shortages and highlighting the real-world implications of these digital threats.

[45] Denial of service (DoS) and distributed denial of service (DDoS) attacks aim to flood a system, service or network with excessive requests to overwhelm it and make it unavailable to users; for example, an attacker may use a botnet to flood a website with network traffic until it crashes and cannot operate.

[46] ICO data suggests 76 per cent of reported personal data breaches were non-cyber incident related – see www.ico.org.uk/action-weve-taken/data-security-incident-trends.

[47] For example, non-cyber incidents such as email ‘CC’ errors or other more trivial data breaches.

[48] This will often be senior executives (C-suite), given the seriousness of many cyber incidents and the need for high-level decision-making. Whether or not C-suite members are involved, part of operational command’s role will be about communicating and seeking input as needed from the executive. Ideally, decision-makers will be part of operational command for reasons of agility, but this is not always feasible.

[49] Given that the costs of vendors and experts will often be covered under a cyber incident insurance policy, it is prudent to engage insurers early on and ensure that all instructed parties have been appropriately approved by the insurer.

[50] According to NIST, an attack surface is ‘the set of points on the boundary of a system, a system component, or an environment where an attacker can try to enter, cause an effect on, or extract data from, that system, component, or environment’ – see https://csrc.nist.gov/glossary/term/attack_surface.

[51] Phishing attacks are a type of social engineering in which attackers send deceptive emails (or, in smishing attacks, SMS text messages), pretending to be from trustworthy sources, to trick recipients into revealing sensitive information, such as passwords or financial data.

[52] ‘Watering hole’ attacks (or ‘drive-by download’ attacks) occur when unsuspecting users visit a website and, without their knowledge, malware is downloaded and installed on their device. The attackers often profile their targets to find out which websites they frequent, then exploit a vulnerability in the websites to inject malicious code. The code may redirect the users to a spoofed website that hosts the attacker’s malware, or it may download and install malware on the users’ devices without their knowledge. The attacker’s goal is to gain access to the users’ computers and networks, and steal sensitive data or cause damage.

[53] A zero-day vulnerability refers to a security flaw in software or hardware that is unknown to developers or those responsible for patching or fixing the flaw. The term ‘zero-day’ alludes to the fact that developers are not aware and have no opportunity to fix the issue before it can be exploited by attackers.

[54] A supply chain cyberattack targets vulnerabilities in an organisation’s supply chain network rather than directly targeting the organisation’s own systems. The aim is to exploit weak links in the chain to compromise or damage the primary target or a range of connected entities. Given the interconnected nature of modern business, supply chains often involve a variety of partners, vendors and suppliers, each with its own cyber defences, which can vary in strength and sophistication. The SolarWinds attack in 2020 was a sophisticated supply chain attack in which malicious code was inserted into a software update, which was spread and propagated to customers, affecting global companies and government agencies.

[55] In credential stuffing or password attacks, an attacker attempts to gain access to systems by cracking user passwords. This can be done through brute force (making huge volumes of attempts in rapid succession), guessing or using software tools.

[56] Leaked credentials (username and password) that may have been exposed in previous or unconnected data breaches may be obtained and used by threat actors in cyberattacks, thus pointing to the importance of password rotation and post-breach remediation measures.

[57] Threat actors will seek to expand their access to different areas of the breached network by finding user accounts that have special privileges (i.e., they have permission to access certain areas or conduct particular operations, such as software installation). Threat actors will seek to increase the privileges of the accounts that they are able to compromise, so that they are free to conduct their attack covertly and without restriction.

[58] A command-and-control (C2 or C&C) server is a machine or a group of machines controlled by the threat actor. It is the central point from which the threat actors remotely send commands to, and receive data from, compromised systems within the victim business’s network.

[59] Indicators of compromise (IoCs) are a key feature in investigations and are pieces of digital forensic evidence that can be used to identify intrusion or malicious activity on a network. They can include detection of specific internet protocol (IP) addresses known to be malicious, unusual outbound traffic, geographical irregularities (i.e., access from unexpected locations) and anomalies in user account activity. IoCs are important intelligence in the case of an attack and can be shared with victims, experts and law enforcement to facilitate detection and response.

[60] ‘Beaconing’ refers to a periodic check-in from the compromised system to the threat actor’s C2 server. The compromised system sends small bits of data, or beacons, at regular intervals to signal its online presence and readiness to receive commands or transmit data. Regular beaconing can be a strong indicator of a compromised system. Network monitoring solutions such as EDR tools can often detect these outgoing communications.
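As an added example serving notes [59] and [60] (it is not code from the chapter or from any EDR vendor), the Python below scores the regularity of outbound connection intervals per host/destination pair to surface beaconing, and separately matches destinations against an IoC list. The log lines, host names, addresses, IoC entries and thresholds are all constructed assumptions.

```python
"""Flag periodic outbound beaconing and known-bad destinations in connection records."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of outbound connection records (not real traffic).
# One record per line: <ISO timestamp> <source host> <destination ip:port>
# ws-017 contacts 203.0.113.5 roughly every 60 s (timer-driven, with jitter)
# while its traffic to 198.51.100.20 is bursty, as human browsing tends to be.
SAMPLE_LOG = """\
2024-01-10T09:00:00 ws-017 203.0.113.5:443
2024-01-10T09:00:04 ws-017 198.51.100.20:443
2024-01-10T09:00:31 ws-017 198.51.100.20:443
2024-01-10T09:01:01 ws-017 203.0.113.5:443
2024-01-10T09:01:59 ws-017 203.0.113.5:443
2024-01-10T09:02:10 ws-017 198.51.100.20:443
2024-01-10T09:02:12 ws-017 198.51.100.20:443
2024-01-10T09:03:02 ws-017 203.0.113.5:443
2024-01-10T09:03:15 ws-042 192.0.2.77:8080
2024-01-10T09:04:00 ws-017 203.0.113.5:443
2024-01-10T09:04:58 ws-017 203.0.113.5:443
2024-01-10T09:05:40 ws-017 198.51.100.20:443
2024-01-10T09:05:41 ws-017 198.51.100.20:443
2024-01-10T09:06:01 ws-017 203.0.113.5:443
2024-01-10T09:06:30 ws-017 198.51.100.20:443
2024-01-10T09:07:00 ws-017 203.0.113.5:443
"""

# Constructed placeholder IoC list; a real one would come from threat intelligence
# or law enforcement (see note [67]). Deliberately does not contain 203.0.113.5,
# so the beacon is only found by the interval analysis below.
IOC_DESTINATIONS = {"192.0.2.77"}


def parse_log(text):
    """Parse log lines into (timestamp, src, dst) tuples, skipping blank lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, dst = line.split()
        records.append((datetime.fromisoformat(ts), src, dst))
    return records


def match_iocs(records, iocs=IOC_DESTINATIONS):
    """Return (src, dst, timestamp) for every connection to a known-bad IP."""
    hits = []
    for ts, src, dst in records:
        ip = dst.rsplit(":", 1)[0]  # strip the port before matching
        if ip in iocs:
            hits.append((src, dst, ts))
    return hits


def find_beacons(records, min_connections=6, max_cv=0.10):
    """Flag (src, dst) pairs whose inter-connection gaps are suspiciously regular.

    Regularity is the coefficient of variation (stdev / mean) of the gaps between
    successive connections. Timer-driven check-ins score low even with jitter;
    human-driven traffic is bursty and scores high. Pairs with too few
    connections are skipped so that a handful of hits cannot look periodic.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in records:
        by_pair[(src, dst)].append(ts)
    flagged = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # only duplicate timestamps; nothing periodic to measure
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            flagged[pair] = {"connections": len(stamps),
                             "mean_interval_s": round(avg, 1), "cv": round(cv, 3)}
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for pair, info in find_beacons(recs).items():
        print("beacon candidate:", pair, info)
    for hit in match_iocs(recs):
        print("IoC hit:", hit)
```

In production the same scoring would run over proxy or firewall logs aggregated in a SIEM (note [34]), with thresholds tuned to the environment's legitimate scheduled traffic such as update checks.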

[61] Malware is malicious software, such as viruses, worms and trojans, that is installed on a user’s device to disrupt operations, steal information or gain system access.

[62] A ‘back door’ refers to a method of bypassing normal authentication or securing unauthorised remote access to a computer, while attempting to remain undetected. Investigators must be cautious to ensure that threat actors have not created any back doors that would facilitate renewed access to the network at a later stage.

[63] Aside from the immediate usefulness of tracking evidence, information, decisions and dependencies, maintaining a chronology of events and decisions will serve as a corporate memory of the incident response, allow the business to diagnose failures and friction in the response process and will be helpful in the future in the event of regulatory action or litigation.

[64] The report will typically be a technical document, merely reporting the evidential findings in a neutral voice. If information is unknown, the report may offer hypotheses, but these will necessarily have caveats and be limited.

[65] Part of any robust cybersecurity programme will be a cycle of processes: identify, protect, detect, respond and recover. Each phase informs the next, and accordingly things learned from an incident should inform future security measures.

[66] Among many others, perhaps the most notorious hacktivist group is Anonymous.

[67] Additionally, the obvious criminal element of a cyberattack might mean that law enforcement authorities are alerted. Businesses may need to consider the possibility of proactive outreach in the case of a cyber incident, and may look for support or guidance (e.g., by receiving a list of known IoCs) if under attack from a known threat actor group.

[68] See in particular the Blackbaud example, supra note 9. Additionally, businesses should take extreme caution around communications while forensic investigations are not complete. The SEC has previously challenged the use of the word ‘may’ in connection with data affected in a cyberattack on grounds that it was potentially misleading or deceptive to investors.

[69] A report from Malwarebytes published in 2023 suggests that 1,900 known ransomware attacks occurred within just four countries – the United States, Germany, France and the United Kingdom – in one year. These attacks were perpetrated by at least 48 separate ransomware groups: see further at https://try.malwarebytes.com/2023-state-of-malware.

[70] LockBit, a threat actor group that claims to have 100 affiliates, has recently been the most prevalent form of ‘ransomware-as-a-service’ in the United States, with about 24 attacks per month. But following the exploitation of separate zero-day vulnerabilities in GoAnywhere MFT and MOVEit Transfer software, CL0P (a Russian threat actor group) has been able to launch a large volume of attacks in quick succession.

[72] This is a typical policy position advocated by governments and law enforcement authorities. The payment of ransom further incentivises criminal behaviour, so committing up front to a position of ‘non-payment’ reduces the frequency of attacks. This position was endorsed in a joint letter from the ICO and NCSC to the Law Society of England and Wales (7 July 2022).

[73] Sophisticated threat actors will tailor their ransom demands to the affordability level of the victim business, as well as other factors like magnitude of reputational consequence. The threat actor will aim to maximise the ransom demand while still making the payment a strategically viable option for the victim business.

[74] For example, under the UK Terrorism Act 2000, a company may commit an offence by making a ransomware payment if it knew or had reasonable cause to suspect that the funds would or may be used for terrorism. Under the Economic Crime (Transparency and Enforcement) Act 2022, there is now a strict liability offence for which the UK Office of Financial Sanctions Implementation can impose monetary penalties for payment to a sanctioned individual or entity, irrespective of their actual knowledge.

[75] Ransomware experts aggregate intelligence about various threat actor groups so that they can advise on the relative probability of advantageous outcomes from negotiations. Perversely, despite their criminal action, once a threat actor has successfully encrypted or exfiltrated data, they are incentivised to act in an outwardly reliable and trustworthy manner so that businesses believe they have a good chance of recovering data if they pay the ransom.

[76] A functional decryption key is almost certainly the only way to restore access to the encrypted data, if the business has not otherwise backed up that data elsewhere.

[77] The dark web is the area of the internet that is not indexed, is inaccessible to normal web browsers, and requires specific software or authorisations to access. Threat actors and other criminal enterprises use the dark web because traffic is encrypted and anonymous.

[78] This creates the perception of low decision-making authority, which can be useful for delaying the process of negotiation while the business pursues all other possible measures to recover operations. Further, posing as an employee avoids the adversarial scenario (and weakened bargaining position) that is likely to be created if the threat actor knows it is engaging with a professional negotiator.

[79] A file tree is simply an index of folders, subfolders and their contents broken down item by item.

[80] Selection of test files from the file tree can be a strategic opportunity to gather further information about the nature and extent of the data that the threat actor may have obtained.

[81] It may occasionally be possible to trace and seize assets from these criminal enterprises. Following a cyberattack and a ransom paid in bitcoin by Colonial Pipeline, US law enforcement was able to recover approximately US$2.3 million from the attackers.

[82] On 26 July 2023, the SEC adopted rules requiring companies ‘to disclose material cybersecurity incidents’ they experience and ‘to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance’. These requirements are effective as of December 2023 and affected companies will be obliged to disclose ‘material aspects of the nature, scope and timing’ and the ‘material impact or reasonably likely impact’ of the cyber incident on the business within a time frame of four business days after the business has determined that it has suffered a ‘material cybersecurity incident’. See further at www.sec.gov/news/press-release/2023-139.

[83] These will sit alongside PECR (supra note 10), which also apply to organisations that provide a public electronic communications network or service, and organisations that market by phone, email, text or fax, or use cookies or similar technologies on their websites. Among other things (such as regulating use of direct marketing), PECR create breach reporting requirements for service providers (e.g., telecommunications providers or internet service providers) that take the place of other reporting obligations under the UK GDPR.

[84] Different regulatory frameworks may have different approaches to the concept of personal data, or personally identifiable information, and these differences should be kept in mind during the data-mining and legal risk analysis processes.

[85] Commercially sensitive information could include intellectual property, proprietary information, confidential records, financial records or other information that could cause risk or harm to the company if publicised.

[86] GDPR and UK GDPR, Article 4(12).

[88] In the United Kingdom, the relevant regulator is the ICO. Under the GDPR in the European Union, companies have the benefit of the ‘one-stop-shop’ mechanism: rather than potentially engaging with multiple EU Member State regulators at once (if, for example, they are engaged in cross-border processing that involves multiple Member States), data controllers can notify their ‘lead supervisory authority’. Given that the UK GDPR and GDPR are mirrored but separate regimes, both sets of regulations may apply and create parallel obligations if companies operate in both jurisdictions.

[89] See GDPR and UK GDPR, Article 33.

[90] See id., Article 34.

[91] See id., Article 33.

[92] Some breach reporting obligations have even shorter deadlines, including for example under PECR where ‘communications service provider[s]’ must notify the ICO of any ‘personal data breach’ within 24 hours. Other jurisdictions may have even shorter timelines, thus highlighting the importance of pre-incident jurisdictional awareness and planning.

[93] European Data Protection Board, Guidelines 09/22, at page 11.

[94] Many data protection regulators recognise this fact and provide an option to submit an interim personal data breach notification that identifies that a breach may have occurred but that the facts are still being investigated. Regulators will expect to be updated as to the progress of the investigation in a timely manner.

[95] The definition of ‘material’ is aligned with historic securities case law in the United States about information available to shareholders. Accordingly, a ‘material’ cybersecurity incident is one in which ‘there is a substantial likelihood that a reasonable shareholder would consider it important’ in making an investment decision or it would have ‘significantly altered the “total mix” of information made available’ (see US Supreme Court in TSC Industries v. Northway, 426 U.S. 438, 449 (1976)).

[96] See supra note 81.

[97] See supra note 12.

[98] See supra note 54.
