How to Respond to a Cyber Crisis

The dangers posed by cyber attacks were recently highlighted by the shutdown of foreign exchange firm Travelex by hackers who blocked access to the company’s computer systems and demanded a $6 million ransom to restore them.

Travelex was forced to close its websites across 30 countries and more than 5GB of sensitive customer data was downloaded by the criminals.

The most recent figures available suggest that, in 2018, businesses paid more than $8 billion in ransoms to cyber attackers who had blocked them out of their own computer systems. It would not be surprising if that figure has since risen, having increased eight-fold since 2016.

What should my business do when hit by a cyber attack?

So, what should you do if you get shut out of your systems?

If you’re a European listed company, the first thing you need to think about is the Market Abuse Regulation (MAR). This will require you to make an immediate announcement, unless exceptional circumstances apply.

Your company’s obligations under GDPR will also need to be satisfied if personal data could be affected. The Information Commissioner’s Office must be notified within 72 hours, and the people whose data has been compromised must be advised as soon as possible. The penalties for non-compliance with GDPR can be severe – up to a maximum of 4% of global turnover.

To pay or not to pay?

Putting MAR and GDPR to one side, the immediate commercial issue in the case of a ransom attack is that the business cannot operate. This raises the question of whether to engage with the hackers or set about rebuilding systems from scratch.

There may be legal issues around whether a ransom can be paid. In the U.S. and UK, companies are advised not to pay, but are permitted to do so as long as the criminals are not terrorists.

That raises further issues because it is not usually clear who the attackers are. How much diligence must a business undertake to satisfy itself that it is not passing funds to terrorists?

The UK’s Financial Conduct Authority recommends that companies do not pay ransoms. Among other things, it warns that hackers may not return data or control of systems. And, if companies get a reputation for being ‘payers’, they could be targeted again.

If a business decides to pay a ransom, there are a number of consulting firms and business risk intelligence agencies that can negotiate with hackers on the company’s behalf. Because payments are usually demanded in cryptocurrencies like bitcoin, some companies maintain bitcoin wallets purely for the payment of ransoms. Clearly, if a ransom is made, the payer will not want that information to be widely known.

Once a ransom is paid, it may be extremely difficult to recover the money. To date, only a very small number of companies or insurers have gone to court to try to recover money paid to hackers. The law is however evolving to address the new issues raised by such claims. In a recent UK judgment from January 2020, in which neither the claimants nor the defendants were named, an insurer went to court to try to recover a ransom paid by one of its customers in bitcoin, arguing that its blockchain investigations firm had pinpointed the people responsible. The judge ruled that the cryptocurrencies were a form of property capable of being the subject of a proprietary injunction and ordered the cryptocurrency exchange firm at the heart of the transaction to provide information on the identity and location of the hackers.

Cyber crisis planning

There are many other issues that businesses impacted by cyber crises need to consider.

The second edition of Cleary Gottlieb’s Global Crisis Management Handbook is a unique desk reference for companies looking to prepare for – and react to – all types of crisis situations, and includes advice on forming a well-crafted plan. It has chapters on managing the first response, responding to requests from authorities, conducting an internal investigation, preserving legal privilege, data privacy, employee rights, cooperation and public relations and message management.

While there may be little that a company can do in advance of a ransomware attack to mitigate its impact on the company’s systems, every business should have a plan in place to deal with such situations, including an incident response plan. When hackers hit, management will need to react in a tight timeframe under intense pressure. Having a clear and rehearsed plan, including who will lead the initial response, can be crucial.

Businesses concerned about their cyber exposure should also look carefully at their corporate insurance policies to make sure they understand their coverage and are aware what their insurer’s position is on issues such as the payment of ransoms.

To request a PDF copy of the handbook, please click here.