Corporate Crime update

Neil Donovan:

Hello, and welcome to the Ashurst Corporate Crime and Investigations Podcast. My name is Neil Donovan, and I'm a partner in our London Corporate Crime and Investigations Team. In this investigations-focused podcast, we will share our insights and lessons learned from carrying out investigations for clients across sectors and across our Global Corporate Crime and Investigations practise. Today I'm delighted to be joined by Julia Spain, a Partner in our Risk Advisory Cyber practise, and Andris Ivanovs, a Counsel in our Corporate Crime and Investigations team in London. Thank you both for joining.

Andris Ivanovs:

Thank you for having us.

Julia Spain:

Thanks.

Neil Donovan:

So in today's episode, we're going to focus on managing cyber threats and investigations. And I'm going to start with you, Julia. We're seeing a real uptick in cyber threats and related investigations across the sectors our clients operate in. What's the key reason for this?

Julia Spain:

I think there are a few key reasons. One of those is post-pandemic, we all had a big shift to working from home. A lot of companies also accelerated their digital strategies, as the way in which we bought and worked and lived changed. And there's also some behavioural changes when you're working from home. It's a different environment and sometimes your guard is down. I think the sophistication of threat actors has also increased, particularly when we see services like ransomware for hire. We are seeing increased instances of fraud as well. So digitally enabled fraud is ever more present and something that the big banks particularly are very focused on at the moment. And then finally, there's more regulatory complexity to respond to the ever-increasing levels of digital we're seeing. So that's something that firms need to be very conscious of in terms of how they're going to manage their risks and their compliance.

Neil Donovan:

That's great. Thanks. Thanks, Julia. And Andris, against this backdrop of heightened threats, what are the legal and regulatory risks that we're seeing?

Andris Ivanovs:

Yeah. Well, as Julia mentioned, this area is a particularly heightened focus for the regulators, particularly with the shift to working from home, major focus for the FCA and PRA on a firm's responses to cyber incidents and the effectiveness of their overall systems and controls. This of course, fits into the broader operational resilience theme that the FCA and PRA have been drumming on about for the last few years. And that of course, means the ability of firms to absorb and adapt to shocks and disruptions, including those arising from cyber attacks.

In case anybody is in need of a reminder, the October enforcement action from last year, the 11 million pound fine on Equifax Ltd is a salient reminder of the FCA's and PRA's focus on this area. So in 2017, Equifax US was subject to a major cybersecurity breach between Equifax UK and Equifax US. Equifax UK was outsourcing the storage and processing of 13.8 million UK customers' data to Equifax US. In the FCA's view, the cyber attack was entirely preventable. Why? The FCA considered that Equifax UK did not treat the relationship with its parent company, Equifax US, as outsourcing. And although it was aware of security patching problems, it failed to take remediative actions.

There were other complicated factors in this case. Equifax UK found out about the incident five minutes before Equifax US announced it to the market, and really six weeks after the incident actually occurred. According to the FCA as well, Equifax UK could not cope with the complaints that then arose in the UK and made some statements that were arguably incorrect with respect to the magnitude of the issue. And that led to several breaches of the FCA principles and the imposition of the 1 million pound fine, so a major priority for the FCA and PRA.
But looking at the broader financial crime landscape of course, cyber attacks, particularly those that involve ransomware, can lead to wider legal and regulatory issues, including money laundering, terrorist financing, and risk of sanctions violations. Finally, of course, the emergence of the Information Commissioner's Office as an active investigative and enforcement agency means companies both within and outside the regulatory sector need to investigate cyber incidents that involve personal data, which they frequently do, in a timely manner so that they can safeguard any personal data, identify the root cause, and remediate weaknesses and deficiencies. Perhaps unsurprisingly, in our experience, firms that demonstrate to the regulators and enforcement authorities that they get it, conduct a thorough investigation and implement a credible remediation plan can significantly mitigate those risks.

Neil Donovan:

That's great. Thanks very much, Andris. Julia, coming back to you, from a risk management perspective, what are the key considerations for companies when responding to and investigating a cyber attack?

Julia Spain:

It is very easy for me to say, the readiness, if you are ready to respond. So in an ideal world, there would've already been effective preparedness. So that would be things like ensuring your policy suite is up to date for cyber response, ensuring that you've run executive exercises so that you've practised before it becomes a cold response. Nobody likes surprises. So the readiness, absolutely critical, the response recovery remediation.

But the other that I would particularly flag is the resilience piece. So when I've had to deal with response scenarios, two things if you look at the root causes are perhaps lack of resilience mapping, so what are that company's critical services and how does that map through the people, process, tech, facilities, data? Because only in that way can you really focus your efforts on protecting the right things and being ready. But it also gives the exec importantly, I think, an idea of where they need to prioritise their focus in light of the response. And I think all the regulatory components that Andris flagged, really important. Clearly, there will be operational teams with the Seiso focused on the technology and recovering in that way, but it's about much more than the technology. We have to deal with all of the regulatory, but also things like customers, suppliers, your insurance policy, et cetera, which I think Andris will be touching on.

Neil Donovan:

That's great, thank you. And Andros, obviously then quite a complex arrangement in terms of third party involvement and a number of different stakeholders. What are the key legal considerations that a company needs to keep in mind in these situations?

Andris Ivanovs:

Well, yeah. Thanks. I guess the first one, quite obvious, don't panic. There is a way through. The first thing I think even before you consider notifications that you need to make is really take 15 minutes to think about legal privilege. As Julia mentioned, you want to figure out who your incident response team is going to be, what external consultants and advisors will be involved, and how information between them will flow through the course of your investigation and the incident response, how you're going to brief the board and other relevant stakeholders. And all of that is really to manage legal professional privilege over any information, communication, and reports that will be circulated. Cyber incidents can lead to claims from affected persons, data subjects, regulatory and law enforcement investigations, securities related class actions, or even data privacy related class actions in some jurisdictions. So you'd really want to ensure that documents that are produced in the days and weeks following the incident, you can make sure that you can claim privilege over them to the extent that is possible.
Now, moving on to notifications to stakeholders. There is a myriad of stakeholders that you potentially might need to consider. Of course, if the incident involves personal data, you would need to think about data protection authorities and data subjects. So in the UK, a data controller must notify the ICO without undue delay, and within 72 hours of becoming aware of a breach, if that breach is likely to result in a risk to the rights and freedoms of individuals. There is a requirement to inform the data subjects in case that risk is a high one. So that is a higher bar. It might involve an identity theft type of issue, but that is where you might need to involve the data subjects. So the key bit here is to track the timing once you become aware of the cyber incident, because delays might need to be explained or you might need to report on a periodic basis to the Information Commissioner's Office.

If no personal data is involved, you might want to consider contractual obligations to your suppliers or customers whose data is affected, compromised, or lost in the breach. Insurance notifications are also quite important, especially if you have cyber-related insurance policies. A timely notification will mitigate the risk of forfeiture of the policy. So you do want to check your policy terms pretty quickly after a cyber incident has emerged. Notifications to regulators, as we discussed, this is a priority area for the FCA and PRA. So if you are regulated, you want to make sure that you tick that off. Any market notifications, of course, if you have listed securities. And finally, any other contractual notifications like notifications to lenders.
Aside from those notifications, you should be considering engagement with law enforcement, particularly informing the National Cybersecurity Centre that might help investigate the incident and identify the perpetrator. As part of this response process, a key issue will be briefing the board on their legal duties and their response to the incident.

Finally, perhaps the last resort, the ransomware payment if one needs to be made, that will probably involve quite a complex legal analysis of potential sanctions, money laundering, and terrorism financing risks. In the UK, if I can add a bit on the position of the Office of Financial Sanctions Implementation, it is unlikely that a licence would be granted for the payment of a ransomware payment. So there is that technical risk of breaching sanctions if the perpetrator and the one who is demanding the payment is a sanctioned entity somewhere outside of the UK. That being said, an early engagement with obviously a voluntary self-disclosure, appropriate due diligence measures, including if you can backing up and being able to restore your data from that backup, will all mitigate any potential enforcement from OFSI.

Neil Donovan:

Okay. So lots to be thinking about for legal and compliance professionals. If I could ask you both as a final question, what should be top of their minds when it comes to mitigating cyber threats over the coming months?

Julia Spain:

I'll start, if I may. So I think I'll boil it down to three things. I think the first, which we touched on already, was resilience. So that maps to the identification of risk in the NIST framework, for example, largely. And that is very much about your readiness. And there's already the FCA and DORA requirements for resilience. But I would encourage any company, whether they're caught by FCA and DORA requirements to think carefully about their resilience, because that is absolutely critical to the recovery in the event of a cyber instant, which generally is a if unfortunately; sorry, a when rather than an if, wrong way around. And that really is about understanding your critical services and making sure you've done that mapping, because I've always had client comments like, "Well, we had no idea that critical service X was mapped to legacy cloud platform Yeah.." And it is just that awareness. And if you have that awareness, you can be much better prepared.

I think the other two things I would flag are having a really good cyber instant response plan and playbook so that when the moment does hit, you have a proper point of reference that gives you a racy with who is doing what, when, how, why, and then practising that. The shelfware of itself, good to have. But if it's a dead document that hasn't lived, breathed, and been practised, it's not going to get you to where you need to be.

Andris Ivanovs:

Yeah. And I can only echo what Julie just said. Fundamentally, from a cyber incident response plan, you would want to make sure that legal and compliance is in the room if, or rather when the cyber incident hits, and that there is appropriate training and escalation protocols to legal and compliance in the event of a cyber incident. In fact, if you have not heard from your cyber colleagues in the last six months, probably good time to schedule a catch-up and figure out what's going on to make sure that the communication channels are open.

Neil Donovan:

Brilliant. That's great advice. Thank you very much, both of you. That's all we've got time for today. Thank you very much to Julia and Andris for joining me on this episode. If any of our listeners would like to get in touch with us, then you'll find all our details on the Ashurst website. And if you'd like to learn more, then please look out for the next Investigations Podcast in this series. Please also keep an eye out for our Investigations Focus Webinar Series, which will be returning after the summer break. Until then, thank you for listening.