Cyber security is a board-level risk with major legal implications – it is not simply a technology issue. High-profile hacks of corporate systems highlight the serious reputational and financial impact of a cyber incident.
A global shake-up in cyber laws is happening. In the EU, this means potential fines of up to 4% of global revenue for serious breaches, regulators gaining new invasive audit powers, and mandatory reporting of significant cyber incidents. Similar proposals are taking effect around the world.
Legal considerations should be at the core of your cyber risk management strategy. Businesses need commercially-minded legal experts to help navigate the complex and fast-evolving multi-national legal and regulatory framework. Clifford Chance is working with some of the world's leading corporates in this area.
Be clear on cyber security risk
5 questions to ask yourself
How will new laws impact us?
The legal landscape is evolving fast. Core policies (HR / data collection / confidentiality / business continuity / insurance) must be redesigned with cyber in mind. You will need to ensure that your board always pays attention to cyber security risk issues and is able to react quickly. A new approach to risk and compliance is required to protect you against reputational damage and significant fines.
Are we addressing the cyber risk profile of suppliers?
Your data should only be passed to third-party suppliers who have been cyber-vetted. To back this up, new cyber protection clauses need to be integrated into your agreements. Can you be sure that your suppliers will tell you about a cyber attack before your customers read about it in the news? Will suppliers help you manage the fallout and compensate you for any loss?
Is cyber a key part of our M&A due diligence?
When buying any business, cyber due diligence should be at the top of your list. Has the target fallen victim to a cyber attack? What risk mitigation measures are in place? Does the valuation reflect any cyber weaknesses?
What is our cyber disaster response plan?
An hour-by-hour cyber attack response plan is needed across the organisation with business leaders, legal, IT, HR, IR and PR teams working as one. Your plan needs regular testing and review.
If we have a data loss incident, what will we tell regulators and customers?
One or more regulators may need to be notified following a cyber attack, especially if there has been data loss (permanent or temporary). In these circumstances, you will want your legal adviser to have intimate knowledge of your risk mitigation strategy to put forward your best case. You may also need to tell customers – this legal communication process needs careful management.