Marks & Spencer, the Co-op, Harrods, and now the Legal Aid Agency. Each of these organisations has recently fallen victim to cyber-attacks that have had an impact on their operations, reputation, and legal and regulatory exposure.
General counsel and internal legal teams must be clear about their role in the event of an attack and, more importantly, how to prepare an organisation for when hackers strike.
The root cause of an attack is unlikely to be exclusively a technical issue. While hackers will look for technical vulnerabilities to find a way in, they will also prey on vulnerabilities within organisational processes, culture and perception of risk to allow attacks to unfold with maximum impact. From sophisticated social engineering to access login credentials and passwords, to using supply chains as a gateway to infiltrate a business, cyber-attacks are becoming increasingly sophisticated. Generative artificial intelligence is also helping to reshape the landscape of threat. The impact of an attack will rest on the work undertaken before an attack even takes place, and on the decisions made in the critical moments after the attack unfolds.
The CEO of the National Cyber Security Centre said in a recent statement: ‘These incidents should act as a wake-up call to all organisations. I urge leaders to follow the advice on the NCSC website to ensure they have appropriate measures in place to help prevent attacks and respond and recover effectively.’
What do GCs and internal legal teams need to understand in response to this call to arms from the NCSC? And what is the GC’s role in crisis preparation and response?
Legal framework
Cyber professionals are advising clients that it is a matter of when and not if cyber criminals try to strike. So GCs must understand the rapidly evolving framework around cyber-resilience to help them identify the specific risks and further support requirements for their organisation.
In addition to existing regulation of personal data by the Information Commissioner’s Office, and sector-specific regulators such as the Financial Conduct Authority, Ofcom, the Pensions Regulator, and the Solicitors Regulation Authority, there is much else to consider.
The EU is leading the way in ensuring key sectors are taking cybersecurity measures seriously. If your organisation works with or in the EU, understanding the implications of NIS2 (for those in ‘critical’ sectors), the EU Cyber Resilience Act (for those involved in the manufacture or distribution of hardware and software products) and DORA (for those involved in the financial services sector) will be a top priority.
In the UK, many organisations are already caught by NIS2’s predecessor, the Network and Information Systems Regulations 2018, and the new Cyber Security and Resilience Bill is also on the government’s agenda. While the full text of the bill is not yet available, we understand that the government wants to put the UK on a broadly equal footing with the EU’s NIS2 regulation. A recent government statement of intent has confirmed that the security and regulation of certain organisations will become more stringent, with regulators having increased powers, targeting risks in supply chains, and shortening reporting obligations to as little as 24 hours.
Plan, prepare, practise, refresh
We know that the GC role extends far beyond black letter law. With a cyber-attack having a potentially catastrophic impact on reputation and the bottom line, the risk falls squarely within the GC remit of protecting key business assets.
Taking M&S as an example, in the wake of the recent attack we have seen an estimated £300m wiped from its profits, an erosion of public trust and questions concerning its recovery. Comparing the impact on M&S with that on the Co-op, it seems an early decision by the Co-op to take several of its systems offline to protect the remainder of its infrastructure from ransomware being deployed may have been a decisive factor. While we do not yet have a detailed picture of the intricacies and complexities of how the two attacks unfolded, the difference in impact underscores the importance of being prepared and understanding, in advance, how an attack might affect your organisation.
Key to this will be preparing and embedding an incident response plan that is framed around the key risks and priorities of an organisation, and which will allow for a quick and efficient response in the critical first 24 hours. The importance of having a response plan and communication strategies in place that are not only up to date but familiar to all key people within the business cannot be overstated. This should be a living document, supplemented by training, desktop simulation or war-room scenarios, to allow incident response to be practised, refined, and refreshed at regular intervals and to be fully prepared when a crisis hits.
To achieve this, cyber-resilience must be billed as an organisation-wide issue and not siloed within information security teams. Cyber-resilience requires top-down leadership to filter through every part of the organisation. Social engineering played a part in the recent attacks. This shows that it is not just technology that can make an organisation vulnerable – it is important to have the right culture and training so that people can spot red flags, raise issues and know how to respond.
This top-down approach is supported by the government’s new Cyber Governance Code of Practice. This sets out the responsibilities of the board in setting strategy and risk appetite, and ensuring that these are effectively filtered through the organisation. While ‘cyber risk’ is often already on the risk registers of many organisations, how that translates into practice is another matter. A recent government survey suggests that while 72% of businesses stated that cybersecurity was a ‘high priority’, only three in 10 businesses had a board member with explicit responsibility for one of their biggest business risks.
With communication routes to each of the key teams, from HR to PR and comms, and procurement to stakeholder engagement, GCs have a unique viewpoint and understanding of teams’ key risks and priorities. This can translate into effective mitigation strategies and processes. The GC team has an integral part to play in steering the conversation to ensure that cyber-resilience is more than just a buzzword.
Incident response
After putting strategies in place to minimise impact, what role does the GC play in the midst of a cyber-attack and in deploying the incident response plan? Put simply, the GC is the linchpin of incident response, with several key functions.
When an attack is discovered, the first few hours in responding will be critical and the skills that GCs can bring to crisis management are crucial.
First, engaging privilege quickly and correctly will be fundamental. Those who consider the critical role of privilege in their incident response plans may be able to provide the wider response team with a safe space to discuss and make appropriate decisions in what will no doubt be a fluid situation. Ensuring that privilege is engaged and communications appropriately protected will be key. Thinking in advance about issues such as who is the ‘client’ for the purposes of giving legal advice, separating legal advice from business or commercial advice, understanding whether external counsel will be brought in and if so what those lines of communication look like, and setting up relevant privilege protocols will stand GCs in good stead to properly protect internal communications at such a volatile time. Regulatory investigations and follow-on litigation from affected individuals are a near certainty in the wake of such attacks, so this upfront work will help to protect the organisation, and mitigate regulatory and reputational risks.
GCs will also be an integral part of the team to advise on risk and ensure that the organisation’s legal and regulatory obligations are met. Where a cyber-attack has taken place, the compromise of personal data or the unavailability of key systems is almost inevitable, which means early assessment of your regulatory position will be needed. Whether notifications are required to the Information Commissioner’s Office, other regulators, or under a range of contractual obligations, it will be important for GCs to lead the risk assessment based on the information that the technical specialists can provide, and feed into the decisions that the board or other senior leaders are being asked to make under intense pressure.
Finally, with several interconnected and fast-moving parts to any incident response, the GC’s ability to bring together different operational teams and project manage the response will be invaluable. GCs and internal legal teams are well-placed to bring the correct internal stakeholders to the table and deploy their skills in reviewing large amounts of information, assessing risk, and actioning next steps swiftly and efficiently.
In times of crisis, decision-making and strategic thought are key. The GC has a fundamental role to play.
Charlotte Clayson is a partner at Trowers & Hamlins LLP, London