As the experts say, it is not a question of “if” but “when” a cyber-attack will occur in your organisation. Given the rise in such events, organisations should be preparing their strategy now for the event of a cyber-attack.
Data breaches are on the increase, particularly cyber-attacks or hacking. These events can have costly consequences, including damages claims by data subjects - and in due course fines by the Information Regulator (Regulator). But the greatest cost of all is reputational. The reputational issues are what should be keeping CEOs up at night.
The Mimecast Email State of Security Report 2020 showed that in the last 12 months, 53% of South African organisations have reported an increase in phishing attacks, 46% reported an increase in impersonation fraud and 75% of that increase in impersonation fraud occurred in the first 100 days of Covid-19. 29 data breaches were reported to the Regulator’s office between May and September in South Africa, but that was probably only the tip of the iceberg, as organisations are not yet legally obliged to report these.
One of the growing forms of cyber-attack is the use of ransomware to extort money from an organisation to pay either for IT systems to be functional again, or for sensitive data not to be released. A local high-profile case involved Liberty Group in 2018, when an unauthorised hacker demanded payment after illegally obtaining data. According to its public announcements, Liberty became aware of the breach on 14 June 2018, informed customers on 16 June and made a Sens announcement on 18 June. Its shares dropped 4% in that week but by all accounts, it acted swiftly in notifying the public of the breach.
Liberty dealt with the issue well in two key aspects. Firstly, the CEO showed leadership. This is an important aspect of all significant crises, and cyber-attacks are no exception: senior executives should reassure their stakeholders with concrete facts about what they know about what has happened and what is being done about it. All organisations depend on the trust of their employees, suppliers, customers and other stakeholders.
Secondly, Liberty did not wait for the internal investigation to be completed before making a statement, as many companies tend to do. It is sometimes necessary for a company to tell the public that it is busy investigating, and not to wait for absolute certainty. These attacks are hot topics with media and the life cycles of these stories are fairly long. Proactive management of the media and messaging is critical in effectively managing the crisis.
Another high-profile example in the international arena is the Marriott hotel chain. It was hit by an attack in 2018, when it reportedly discovered that customer credit card and other personal details, involving 339 million people, had been stolen in a hack of its global reservation database. It also discovered that this had been occurring since 2014. A class action suit has recently been launched, and the Information Commissioner’s Office in the UK has given notice that it may fine Marriott GBP 99.2 million.
A further example is British Airways (BA), where 500,000 customer details were breached by hackers who diverted users to a fraudulent site. BA may face a GBP 183 million fine, equivalent to 1.5% of its global turnover in 2017. These eye-popping numbers are possible in the UK because, under the GDPR, fines can be 1.5% of global turnover.
In South Africa, the cost of data breaches was estimated by the Ponemon Institute and IBM at ZAR 37 million per breach in 2020. According to this research, it takes about 56 days on average to identify a breach in South Africa, and 175 days to contain it.
Companies may lay criminal charges in the event of unauthorised access to their databases, and they are obliged to lay criminal charges in the event of an attempt to extort them.
Companies will also be required to take certain steps under the Protection of Personal Information Act (POPIA) from 1 July 2021. POPIA requires that if there are reasonable grounds to believe there has been a data breach, the organisation must notify the Regulator and the data subjects as soon as reasonably possible after it occurs. There are certain exemptions to notifying the data subjects. Since POPIA only comes fully into force on 1 July 2021, there is not yet a legal duty to notify the Regulator or data subjects if a data breach occurs before that date. That aside, it often makes reputational sense to do so. Moreover, it is often important to warn data subjects so that they can take steps to protect themselves - such as changing passwords.
Organisations should take six key steps when faced with a cyber-attack.
- First, have a crisis communications strategy which allows you to swiftly create a task group of senior executives, internal and external legal advisers and your insurer.
- Second, engage forensic investigators to help determine what happened.
- Third, inform law enforcement, particularly when it involves criminal activity (and in a ransomware attack, notifying law enforcement is mandatory).
- Fourth, engage the Regulator and any other applicable industry regulator as soon as possible.
- Fifth, engage the data subjects.
- Sixth, consider issuing a proactive media statement - particularly if the breach is extensive and involves many millions of records. (For listed companies, a Sens announcement will often be mandatory.)