It has been well documented that already-rising rates of cyber crime have soared since the start of the COVID-19 pandemic.
In May 2020, EasyJet admitted that it had been the target of a “highly sophisticated” attack, in which cyber attackers stole the email addresses and travel details of approximately nine million customers, and the card details of 2,208 customers were “accessed”.
In June 2020, Honda announced that a cyber attack on its internal network had forced its operations in the UK, as well as North America, Turkey, Italy and Japan, to be suspended.
With recent cases highlighting the growing threats posed to businesses, including multinational corporations, there are increasing calls for companies to ensure they are "cyber resilient".
Calls for "cyber resilience"
In response to the increase in cyber attacks, Swiss Re, the reinsurer, has called on businesses to produce cyber resilience reports.
Maya Bundt, head of cyber and digital solutions at Swiss Re, has claimed there is a need for businesses to be more transparent with their cyber security information by producing reports. Ms Bundt has argued that such reports should be as readily available as a company’s financial and sustainability reports.
Cyber resilience reports could include detail on a company’s protective cyber security measures, describe how cyber security is managed and maintained, list any incidents/attacks endured by the company, and outline the company’s response plan to an attack.
Given the huge volumes of personal and confidential data that many businesses hold, the reports would aim to inform customers, suppliers and investors how well prepared a business is for a potential attack.
The "Cyber Resilient Organization Report", a recent annual survey conducted globally by Ponemon Institute and sponsored by IBM Security, examined businesses’ effectiveness in preparing for, and responding to, cyber attacks. The results of the fifth annual survey, published on 30 June 2020, revealed:
- 74% of businesses either have security response plans that are ad-hoc or applied inconsistently or have no plans in place at all
- 26% of businesses have adopted formal, business-wide security response plans (a 44% improvement when compared with the figure of 18% in organisations surveyed in 2015) and
- Businesses with formal security response plans were less likely to experience significant disruption when targeted by a cyber attack (only 39% of businesses, compared to 62% of those with less formal plans in place)
Ultimately, the Report has highlighted that many businesses have a long way to go to prepare for, and mitigate the effects of, cyber attacks and to be able to demonstrate their cyber resilience.
What does "cyber resilience" mean for businesses?
The need to demonstrate cyber resilience would inevitably result in heightened expectations placed on businesses, and many businesses would need to commit extra resources to their cyber security systems.
Cyber insurance may also increasingly become a necessity rather than a luxury for companies, as another measure that could demonstrate a degree of cyber resilience. Cyber insurance may provide coverage for the business itself (for example, if operations are paralysed by a cyber attack) and/or indemnify a company against losses caused to others (for example, its customers).
If the calls for cyber resilience were to develop into formal requirements, an increase in the regulatory burden on businesses would be inevitable.
If, despite putting cyber resilience measures in place, your business is the target of a cyber attack, and particularly a cyber fraud attack in which money is stolen, it is important to act fast and instruct a solicitor to consider whether pursuing a claim to recover any stolen funds would be valuable (see our previous article "COVID-19 and the rise of cyber fraud: what to do and who to pursue"). Allocation of risk in contractual relationships will also be key and should be factored into your negotiations.