A cyber breach is one of the most significant threats to businesses in 2024. The threat of a cyber attack is always present, and the methods used to launch them continually change. In our recent article about the impact of AI on the threat landscape, we discussed that now, even unskilled hackers are capable of inflicting damage on businesses. In recent statistics compiled by the UK government, it was found that 50% of companies have reported experiencing some kind of cyber security breach within the last 12 months.
For many businesses, a cyber attack is a matter of "when" rather than "if." Cyber insurance with us is designed with this inevitability in mind. Our robust protection provides Insureds with access to expertise across multiple cyber-security disciplines. For example, our Cyber team work with Kennedys Law LLP, who act as Breach Counsel and help Insureds to manage incidents.
We spoke to a member of the Kennedys cyber team to understand how their role as Breach Counsel is pivotal in coordinating all the services provided by Brit's policies. Here, you can find out why breach response is always best left to the professionals.
Breach Counsel will work closely with clients following a breach. Amongst many other things, Breach Counsel will coordinate the communication and reporting to external parties:
"We are instructed to advise Insureds on the legal and regulatory obligations arising out of a breach. Insurers or brokers will usually instruct us after an Insured has been hit by a cyber attack."
Certain regulatory bodies, such as the Information Commissioner's Office (ICO) and relevant international regulators, may need to be notified. It is also the role of Breach Counsel to make a call on whether data subjects (i.e. the individuals whose data has been compromised) need to be notified of specific cyber breaches. All conversations and correspondence between Breach Counsel and the Insured are subject to legal privilege.
When the Insured has cyber cover in place, they can be confident that there is a carefully designed process in place that will involve all relevant parties and support networks. Breach Counsel can spring into action from the moment that a breach is identified. Typically, Counsel will work to ensure that a strategy can be put in place promptly:
When the Insured discovers that a breach has taken place, they contact the Brit breach hotline, and the breach response process begins.
Breach Counsel will set up a triage call to take place as soon as possible. Breach Counsel will aim to schedule this call swiftly (within the hour, if possible). The primary purpose of this call is for Breach Counsel to gain an understanding of the incident and advise on the appropriate next steps. The aim at this stage is to understand how the incident happened, whether it has been contained and whether staff or clients have already been notified, amongst other things. At the end of the call, Breach Counsel will recommend a series of steps that each party should take.
Following the triage call, Breach Counsel will work on drafts for the Insured. If the incident is a reportable one, Counsel can assist with the production of the ICO notification. It's crucial that this is done quickly, as there is a 72-hour deadline in place.
Breach Counsel will also consider whether any industry-specific regulators need to be notified. Depending on which industry the Insured operates in, they may be obligated to report the incident to bodies such as the Solicitors Regulation Authority or the Financial Conduct Authority. Breach Counsel will also handle any international reporting obligations and determine whether regulators around the world need to be notified. If so, Breach Counsel from a firm like Kennedys can use a global network to determine if the compromised data is subject to specific international regulatory obligations.
If the nature of the breach requires it, Breach Counsel may also recommend that a forensic firm is appointed so that an independent review of the Insured's IT environment can be conducted. This will help to ensure that the breach is contained by looking out for any indication of a broader compromise. Breach Counsel will work hand in hand with the forensic provider to ensure the process runs smoothly.
If required, Breach Counsel can further assist the Insured by producing draft correspondence for internal or external distribution. Drafts may include a FAQ sheet that the Insured can refer to if they are asked difficult questions, example correspondence to staff or clients, and media statements. Data breaches are a sensitive subject, so Counsel will work to ensure that parties are communicated with carefully and sensitively.
Breach Counsel will remain on hand to assist the Insured throughout the life cycle of the incident. Breach Counsel will assist with various tasks and will often work alongside Insureds for a period of months to ensure that legal and regulatory obligations have been complied with.
This process is only an indicative example. Every breach and client is different, meaning there can be a lot of nuances in the process as a whole.
"The support we provide will depend on the type of incident, but we always do what we can to provide pragmatic advice as swiftly as possible. So much of what we offer revolves around client service and ensuring that Insureds have help available at a stressful time.
The speed of our initial response will depend on the availability of the Insured, and we will do everything possible to ensure a team member is available for the initial triage call at the earliest opportunity. So much of what we offer is about client service and ensuring they have the assistance they need during what can be a stressful time."
A key part of Breach Counsel's involvement is helping Insureds to understand what (if any) notification obligations are triggered. Transparency and a willingness to comply are key to ensuring compliance with regulatory guidelines. Incidents should be reported to the ICO within 72 hours after discovering any impact on personal data. The ICO has clear guidance on breach reporting and the expectations of organisations from the regulator.
Collating information in the aftermath of a breach can be complex. However, Breach Counsel are experienced in this field and can help Insureds to meet the tight deadline. Failing to notify the ICO of a breach when required can result in a heavy fine of up to £8.7 million or 2 per cent of your global turnover.
International reporting obligations may also arise. In the event that the personal data of people from overseas is breached, additional notifications may need to be made to international regulators. If you are dealing with an incident where personal data from across the globe has been compromised, it could be overwhelming to navigate this process. Getting it right is crucial, and this is precisely where Breach Counsel's expertise comes in.
Various parties, such as Breach Counsel, forensic providers and a PR team, may be involved throughout the process:
"Breach Counsel will typically act as the navigator of the incident – we work alongside all of the parties involved to progress things smoothly and ensure compliance with local laws.
Vendor involvement will depend on the incident type. If you consider a large ransomware attack, there will be the Insured who suffers the incident, then the broker and the Insurer (i.e. Brit) from whom we also seek instructions.
A forensic team may be involved. They can review the Insured's IT environment to ensure that the incident has been contained. They may also review the dark web to understand what, if any, data has been leaked.
A PR team may also be instructed to manage the messaging surrounding the incident."
A credit monitoring agency may also be involved, particularly if financial data has been impacted.
Working as part of a breach response team can be demanding, as the work involved is dynamic and fast-paced. The lawyer that we spoke with reflected on their own journey to date and said:
"I completed my training contract at Kennedys before qualifying at the firm last year. The Cyber team was the first team that I joined when I started training, and I immediately knew that it was right for me.
Not only do I enjoy the fast-paced nature of the work, but I also enjoy the fact that you need a blend of technical and legal knowledge.
Most importantly, I like the fact that we are genuinely helping people to manage crises; it's always sad to see the stress that these incidents cause, but I enjoy the fact that I work as part of a team that helps to pick up the pieces and be there for people who really need our help."
They also discussed the soft skills required for the role, showing that it’s not just their technical expertise that is needed.
"Whilst a good understanding of the technical and legal landscape is required, it's also good to be people-focused. We work with Insureds who are experiencing a difficult time, all whilst balancing their day jobs. We offer a helping hand whilst working through the incident, and it's important that Insureds trust us to act in their best interests."
With so many new threats on the rise as technology advances, we asked Counsel what they think are the most significant trends within the cyber security space:
Business email compromise attacks are on the rise and typically occur as the result of successful phishing campaigns. If someone accidentally clicks on a malicious link, their email account may become compromised. Data from the UK government noted that 84% of businesses and 83% of charities have experienced a phishing attack in the past 12 months. It's key that people remain vigilant to this specific form of attack.
Ransomware-as-a-Service (RaaS) is a ransomware business model where cybercriminals write clandestine software, and affiliates pay to launch attacks using said software. Affiliates do not need to have technical skills of their own but rely on the technical skills of the operators. This form of outsourced cybercrime has increased in popularity in recent years.
Counsel goes on to share how the evolving landscape means that expert support is more important than ever:
"When I first joined the Cyber team, I was surprised by how quickly incidents progress and evolve. Often, the incidents we see are very front-loaded, in the sense that a lot of work needs to be done right at the start. The work that we handle at the beginning typically involves reporting to regulators, reporting to staff and clients and considering data subject notifications, amongst other things."
It should come as no surprise that dealing with any type of cyber incident, whether it’s a business email compromise, ransomware, or otherwise, can be an incredibly stressful experience. Given that these events could happen to any kind of business at any time, it may be worth considering obtaining a policy that provides access to such a support mechanism.
Remember that losing customer data isn’t the only negative impact your client can experience due to a data breach. Failing to adequately deal with a breach could lead to various consequences, including fines imposed by the ICO, reputational damage and data subject claims.
Counsel summarises why support is vital to those who suffer a cyber breach:
"The impact of these incidents can be huge, and the consequences arising out of breaches range from regulator fines to data subject claims. We work to lift some of the pressure off an Insured’s shoulders by navigating the incident for them. We help to ensure that the correct messages are articulated to internal and external parties, and most importantly, we help Insureds to avoid falling foul of applicable laws or regulations.
Our involvement also means that legal privilege is in place, which is key if data subject claims are likely to arise in the future. Most importantly, Breach Counsel are experts in the field – we see hundreds of incidents each year, and cyber-attacks are only becoming more and more prevalent. External vendors can provide Insureds with an independent perspective and prevent Insureds from being seen by regulators as ‘marking their own homework’. This can, in turn, help Insureds avoid penalties for failing to handle the incident in the required way."
Learn more about Brit and how to ensure you have a support system in place if you are hit by a cyber incident: speak to Brit's Cyber Team today.
Sources:
https://www.britinsurance.com/news/ai-in-business
https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2024/cyber-security-breaches-survey-2024
https://kennedyslaw.com/en/
https://ico.org.uk/for-organisations/law-enforcement/guide-to-le-processing/personal-data-breaches/
https://ico.org.uk/for-organisations/report-a-breach/personal-data-breach/personal-data-breaches-a-guide/#whathappensif
https://www.ncsc.gov.uk/blog-post/business-email-compromise-guidance-protect-organisation
https://ico.org.uk/for-the-public/data-protection-and-journalism/taking-your-case-to-court-and-claiming-compensation/
https://www.britinsurance.com/insurance/cyber