Cyber attacks cannot be avoided! Do you have a communications plan and cyber attack incident response plan for this eventuality? Do they take account of the type of cyber attack and the different stakeholders?
Cyber attacks are unavoidable and there is usually no defence against them – statistics reveal that there are about 80 to 90 million cyber attacks per year worldwide, and two thirds of German companies have already been a target or victim of a cyber attack. With Industry 4.0, the Internet of Things (IoT), big data/data lakes, autonomous driving and smart homes/devices on the rise, the risk of cyber attacks will increase further in the future (about 400 new threats per minute are being released worldwide). Beyond breaches of law and reputational risks, cyber attacks and data incidents above all cause financial losses: according to current statistics, the average cost of a single data incident in Germany was EUR 3.42 million in 2017.
If a cyber attack is detected at all, it triggers an immediate need for the affected company to communicate with its stakeholders. The first 30 minutes are crucial, and communication must move at Twitter speed. At the same time, legal notification duties towards authorities, customers, employees and the public/stakeholders must be met. Under the General Data Protection Regulation, any personal data breach must be notified to the competent supervisory authority without undue delay and not later than 72 hours after it was identified. A delayed or inaccurate notification can attract a fine of up to EUR 10 million or 2% of consolidated worldwide turnover.
Data is critically important for companies, which is why protecting it from unauthorised access by external third parties and by the company's own employees alike is vital. To ensure effective data protection management and cyber security, companies must know who their stakeholders are from a data protection perspective. Besides employees and their representative bodies, customers or users, and suppliers/business partners, stakeholders may also include creditors/capital markets, investors, supervisory/regulatory authorities (e.g. the Data Protection Authority, the BSI, or the German Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht; BaFin)) and the press/media. These stakeholders and their expectations must be taken into account when structuring the relevant processes and communications, both internally and externally. Contractual positions must be secured, and trust must be maintained or rebuilt. So who communicates with whom, and when? In this context, it is essential to put organisational safeguards in place to protect data from unauthorised access, in addition to preventing data loss by technical means. A holistic approach has proven successful here, combining preventive measures with a prepared response for when an attack does occur. A company without an integrated Data Incident Response Communication Plan (DIRCP) will have no real chance of success.
Allen & Overy and Hering Schuppener have created an integrated advisory tool that offers legal and communications advice on cyber attacks from a single source. We would be glad to support you both in implementing preventive measures and if you have fallen victim to an attack. Your advantage is a cooperation between leading legal and communications firms that is unique in the market: you benefit from a single interface to the entire range of expertise.
Scope of services
- Prevention: Developing strategic and legal communications plans to prepare for unavoidable cyber attacks
- In case of attack: Legal and strategic advice in response to a cyber attack
- Consequences: Managing crisis communication and the additional measures to be taken after a cyber attack