Cyber security was trumpeted as one of the top five global risks at this year’s World Economic Forum in Davos. As the deadline for implementing the EU General Data Protection Regulation looms large, there is growing pressure on businesses worldwide to ensure they are making cyber security a top priority.
Peter Beshar, Executive Vice-President and General Counsel at Marsh & McLennan Companies in New York, attended the summit and says the forum provided an ideal opportunity for the business community and government to present a united front on cyber-attacks.
‘With the cyber threat, we’re all vulnerable and exposed to the threat,’ he says. ‘The question is realistically what can the business community do to partner with the government and enhance our collective resilience? Companies like Microsoft are pushing very hard around digital norms in cyber space – areas which are considered to be off limits – so those are the kinds of provocative concepts that came up at Davos.’
Despite the growing list of high-profile cyber-attacks, Simon Walker, Chair of the IBA’s Online Services Committee and Co-Chair of the IBA Cyber Security Task Force, says small businesses are still largely ignorant of the risks. ‘One thing about the Panama Papers and subsequent breaches is that they’ve focused on big clients and high-profile people and the danger is that it lulls small businesses into a false sense of security [that they won’t become targets],’ he says.
‘It’s hard to think of many law firms that are not involved in a commercial transaction that would include some sort of confidential information. This information has a value and hackers can access this. Small law firms need to understand that it’s not acceptable to bury their heads in the sand. It’s a big wake-up call that they have to focus on it as [an attack] could happen to anyone.’
Walker says the Task Force is in the process of drafting guidelines to be published later this year that will focus on educating law firms on preparing staff for and helping mitigate cyber security threats. ‘The reality is that you’re never going to be able to protect yourself against every attack, but given that 90% of successful attacks are caused by human error, the key is organisation and training,’ he says. ‘I’m not talking about huge expenditures, but law firms need training and organisation so that they’re aware of the threats, they can organise themselves and train staff and minimise the potential risk.’
A report released by the World Economic Forum in the run-up to Davos concluded that cyber security ranked in the top five biggest risks facing businesses, behind only extreme weather events and natural disasters. Both Beshar and Walker agree the risks posed to businesses cannot be emphasised enough.
‘For business, cyber security is a huge challenge,’ says Beshar. ‘Everybody’s struggling with it. There are inherent limitations that the ‘C-suite’ and board members have in this space. In literally every other financial or operational area that rises to the board level, the C-suite and members of the board have an intuitive feel of what they think the right answer is. This just doesn’t exist to the same extent in the cyber realm and so executives and board members feel uncertain in how best to respond.’
‘If every time a board member asks what’s the latest on a particular cyber issue, it’s not good enough if management responds by saying that the CIO or CISO will brief the board at the next meeting,’ adds Beshar. ‘In my judgement, it’s necessary for somebody who is present regularly in the boardroom – whether that’s the CEO, the CFO or the GC – to become at least conversant with cyber issues. These initial exchanges should then be supplemented by subsequent briefings by IT experts.’
With the onset of the GDPR, the EU General Data Protection Regulation, on 25 May 2018, Walker believes it will be imperative for law firms to follow suit: ‘As a regulatory matter all law firms will have to do something about cyber security and have to realise that it’s not an optional extra. Law firms need to have someone at the senior level or board level that is responsible for this area.’
Beshar, who already has a group of lawyers sitting within his team at Marsh & McLennan working exclusively on cyber issues, as well as external advisers that assist with simulated attack scenarios, says the GDPR regulation will have far-reaching consequences for his and many other companies with global operations. ‘This sweeping new regulation will involve significant penalties and broad compliance requirements,’ he says. ‘Companies are growing increasingly concerned about its potential ramifications. Really anybody who processes the data of European businesses and residents, wherever that may happen, will be affected.’
Martin Schirmbacher, a partner and specialist in IT law at Härting Rechtsanwälte and Co-Chair of the IBA Technology Law Committee, believes the GDPR regulation will force law firms to up their game on cyber security. ‘In general GDPR will change a lot of things,’ he says. ‘Because of the horrendous fines and the news coverage a lot of firms are actually dealing with data privacy for the first time in a professional way. This mostly leads to compliance projects that focus on client data and PII [Personally identifiable information] of employees. Law firms that only deal with the immediate must-haves will not even look at their security measures, although they should. The GDPR demands a close look at technical and organisational measures taken for ensuring the security of data processing. Thus with firms that do it right, security standards will increase.’