Global enforcement outlook
Most enforcement of corporate crime targets the perpetrators. But when it comes to cyber security, recent developments show that authorities are increasingly willing to take enforcement action against victims too.
For example, even without comprehensive privacy or cyber-security legislation to back them up, US authorities have issued fines in the hundreds of millions against companies that were accused of failing to protect personal data. Authorities in Europe are catching up as they begin issuing the first fines under the EU General Data Protection Regulation (GDPR). You can read more about trends in data-breach fines in our global data risk report.
A number of other trends were notable in 2020, and we expect them to continue into 2021:
- the expansion of ransomware attacks in novel ways;
- increasing ‘wholesale’ attacks against systemic providers of software/security;
- stronger legal tools for enforcement; and
- increasing scrutiny of cyber security as part of M&A deals.
To form the basis of a strategic response to cyber crime that causes a data breach, a business needs a global view of its risk framed by its own circumstances, above all the sector in which it operates and its key markets.
Ransomware’s unique challenges
In the past few years, ransomware attacks have proliferated and become more sophisticated. In so-called ‘traditional’ attacks, such as the WannaCry and NotPetya incidents, the malware simply encrypted the data on a victim’s systems, rendering them unusable until a ransom was paid for the decryption key (although in NotPetya’s case the payment mechanism did not work and the data could not in practice be recovered, so the attack operated as a destructive wiper).
More recently, ransomware groups have begun exfiltrating an organisation’s data to their own systems before encrypting it. That gives the attacker two levers when demanding a ransom: payment for the decryption key that restores the victim’s systems, and payment for a promise to delete, rather than publish or sell, the copied data.
Even encrypting a victim’s systems without taking anything away could constitute a ‘data breach’ under some data-protection laws, because it affects the data’s ‘availability’. But the trend towards exfiltrating a victim’s data means that ransomware attacks now raise much more serious data-protection issues: the data is in a criminal’s hands, and it has been disclosed whether or not the ransom is paid. Companies will nonetheless have a strong incentive to pay so that the attackers delete the stolen data, even though a victim has no way to verify that deletion has actually happened.
The notion of data breach has different meanings across jurisdictions, and multiple reporting regimes may apply depending on the nature of the incident. Many companies have solid incident-response processes in place, but not everybody appreciates beforehand the complexities and exposure that come with large-scale global incidents.
On the other hand, regulators have severely criticised businesses for paying ransoms in response to attacks. For example, Uber was criticised by the UK’s data protection watchdog, the Information Commissioner’s Office (ICO), for paying a ransom in circumstances that appeared to be aimed at limiting public exposure of a cyber attack. Meanwhile, a 2020 advisory from the US Office of Foreign Assets Control (OFAC) warns that a payment to a sanctioned person or group may violate US sanctions law even if the payer did not know who it was dealing with, which makes it harder to pay hackers following a ransomware attack.
Payment also poses collateral money-laundering and sanctions risks, with the UK and US proposing reforms that will use anti-money laundering (AML) legislation to bring criminal penalties for pay-outs.
Ransomware is on the rise, and that means companies need to plan what they will do if the unthinkable happens. Recent guidance from AML and sanctions-enforcement authorities highlights the legal risks of paying someone who may well be a terrorist or a sanctioned person, so companies will need to think hard: do they pay the ransom or not?
Also on the rise are planned ‘wholesale’ attacks targeting companies that, in turn, provide services to large numbers of other companies. For example, in 2020 there were prominent:
- hacks of data processors (eg the attack on Blackbaud, a cloud-services provider in the non-profit/education space); and
- attacks on companies that sell widely used software (eg the attack on Texas-based tech company SolarWinds, in which a malicious update to its Orion network-management product was distributed to as many as 18,000 of its government and corporate clients, putting them at risk of exposure).
These attacks are difficult to predict and prevent when the perpetrators operate globally and may be linked to states willing to conduct cyber operations against other states. US security agencies have stated that the SolarWinds attack was likely Russian in origin.
The regulatory fallout from these sorts of widespread incidents differs in important ways from a hack targeted at a discrete organisation. Data protection authorities may not have time to investigate a thousand data controllers implicated by a single data processor breach. If they do single out a few controllers, the investigation may be less likely to focus on the technical and organisational security measures those controllers had in place, and instead ‘go sideways’ into topics such as data retention: why the controller still held the data at all.
Sharper enforcement tools
Regulatory authorities have developed, and are using, a wider range of enforcement tools against businesses that fail to protect themselves against cyber crime.
The EU is a high-risk landscape due to its stringent data-protection rules and turnover-based fining models. The GDPR came into force more than two years ago, and we expect 2021 to be the year its shockwaves are truly felt across the globe.
Since the end of the Brexit transition period, the EU GDPR as such no longer applies in the UK. However, it has been retained in UK law as the ‘UK GDPR’, sitting alongside the Data Protection Act 2018, so in practice there is little change to the core data protection principles, rights and obligations applicable in the UK.
The EU’s appetite for enforcement is apparent from recent statistics, which show that EU data protection authorities have increased their budgets for the current and future years, by around 30-50 per cent on average and, in some extreme cases, by close to or more than 100 per cent. The UK ICO also received an increase in its government grant for 2019-20.
The increasing trend towards enforcement action for breaches of data protection law reflects both stronger regulation and a greater inclination to enforce it, particularly now that EU regulators have significantly increased their annual budgets to prepare for action under the GDPR.
However, the rest of the world should not be underestimated. For example, the UK ICO has proposed extending its enforcement powers, including to allow the recovery of profits from the criminal misuse of data under the UK’s Proceeds of Crime Act.
Both data protection authorities and financial services regulators in the UK have imposed some of the highest fines in Europe for cyber-security breaches. And with the number of reported attacks rising year on year, there is no sign of cyber security slipping down the agenda for the Financial Conduct Authority (FCA) or the ICO, making effective cyber resilience critical for regulated firms and corporations alike.
Meanwhile, some regulators are talking to each other globally and GDPR copycat laws are now taking hold in some of the most important jurisdictions, including Brazil, China, South Africa and India.
There are similar potential trends in the US, with California’s law inching even closer to EU standards, for example. At the federal level, the US Federal Reserve has been active in this area for several years, and continues to treat cyber security as one of the highest priorities for the finance sector.
More recently, President Biden has indicated that his administration will ensure accountability for recent high-profile cyber attacks linked to Russia against US businesses (including major tech companies) and state agencies. ‘We will elevate cybersecurity as an imperative,’ he said in a statement.
In response to inter-state cyber wars, states are getting ready to use sanctions to penalise suspected attacks, with the EU Council establishing a legal framework to impose targeted restrictive measures, including sanctions, to respond to cyber attacks that constitute an external threat to the EU or its member states. The UK is consulting on similar measures.
For businesses, cyber attacks are making the already increasingly complex sanctions landscape even harder to manage.
Cyber risk in M&A
The discovery of a cyber attack on an entity transferred to another party following an M&A transaction has also been fertile ground for enforcement action. This is very much a developing area of regulatory intervention, and it calls for an effective, holistic response to data breaches as well as guidance on conducting adequate due diligence as part of a transaction.
It’s important to flag up any data issues early on in a deal, as they can affect the price, or even be a deal-breaker. There are recent examples where historic cyber attacks have significantly reduced the value of a transaction when revealed during the negotiations.
Data law and cyber-security risks arise on almost all deals, but they have become more important recently because:
- more businesses are looking to acquire valuable data sets;
- investors have turned their eyes to cyber-security companies;
- data laws around the world are proliferating;
- fines for breaches of those laws are increasing – most notably under the GDPR; and
- the frequency, scale and cost of cyber-security breaches are increasing.
We are starting to see investors including cyber diligence in their standard due diligence programme in order to pre-empt potential enforcement actions against their portfolio companies.