This blog article was prepared in collaboration with Lori Baker, Vice President of Legal and Director of Data Protection in the DIFC, Kevin Wong, cybersecurity consultant in Dubai, and Shiraz Sethi, Regional Head of Employment at Dentons in Dubai.*
Since the start of the pandemic, as organisations moved more and more of their daily operations online, the risks – and indeed instances – of cyberattacks has risen dramatically. The breach of an organisation’s information technology system can create significant commercial, legal, and regulatory risks if a business is not equipped with a robust response plan.
In this blog, we will explore the risks, regulations, and best practices an organisation should consider when addressing a ransomware or phishing cyberattack and we assess how best to maintain cyber investigations preparedness.
What is ransomware and phishing?
Ransomware involves an unauthorised third party using malicious software blocking a victim-organisation from access to its data, effectively holding a company’s data hostage until a ransom is paid.
Phishing occurs when a cybercriminal attempts to lure individuals into providing sensitive data such as personally identifiable information (PII), banking and credit card details, and passwords. Hackers often use emails in phishing attacks however other forms are increasingly common, for example phone calls and SMS messages.
Risks organisations should be thinking about
Ransomware and phishing pose a number of risks that organisations will want to be aware of.
Several laws, including data protection laws applicable in the DIFC and ADGM, regulate an organisation’s duties when a cyberattack occurs. An inadequate response can raise a regulator’s attention. A ransomware or phishing attack could qualify if there is data loss resulting in a risk to a data subject.
Compliance with transparency requirements (eg notifying data subjects) and obligations (eg reporting to regulators) which may be required under the ADGM’s and DIFC’s data protection laws may mitigate the enforcement action that might be taken against a company that has not appropriately prepared for such cyberattacks.
Intentional cyberattacks can differ in their persistence, sophistication, and impact. Therefore, a ‘one-size fits all’ approach may not be appropriate. Failure to respond adequately to a cyberattack can be costly for a corporation, affecting its ability to conduct business, incurring costs to recover or rebuild systems, investigating the incident, regulatory fines, and even reputational damage. Priorities within the first 24 to 48 hours should be focused on containing the cyberattack, eradicating the incident, and recovery of data. A well-rehearsed incident response plan should designate a team to deal with the incident and investigate the attack.
Employees can play a key role in cyberattacks. They can unknowingly spread viruses simply by clicking links or opening unusual files or attachments in emails. As the first line of defence for an organisation, employers should implement company-wide training programs to help employees recognise potential threats and mitigate risks.
When a cyberattack occurs, organisations may face legal risks. For example, organisations may have a duty to report a security breach to the relevant regulator soon after the cyberattack has occurred. The DIFC has published significant guidance on reporting obligations and the ADGM’s data protection guidance also addresses notification requirements. However, organisations must record all breaches concerning personal data and, in some cases, notify regulators or clients.
The US Office of Foreign Assets Control (OFAC) placed several cyber attackers on a sanctions list (SDN list) to discourage companies from paying a ransom. Accordingly, companies must conduct due diligence before considering payment to the cyberattacker by reviewing whether the cyberattacker is on the SDN list. OFAC also strongly recommends that companies make voluntary disclosures to enforcement agencies or regulators. See a blog article from our US colleagues here.
Under applicable data protection laws, among other things, organisations need to maintain adequate security systems to ensure the security of personal data concerning employees, clients, or other third parties. Data protection and privacy is comprised of a patchwork of law. The UAE recently enacted a new federal data protection law which will require many companies to update their policies and procedures to reflect these changes (see our recent blog on the UAE’s new data protection law here). The cybersecurity law, which imposes additional requirements, applies to all companies onshore and in free zones. In addition, the DIFC and ADGM have well-developed data protection laws, guidance and enforcement regimes. In the event of a cyberattack, in accordance with the relevant laws, an organisation must determine the appropriate time to notify employees and clients if a breach of personal data occurs.
Strategies for complying with current regulations
Conducting an impact assessment of processing data can help determine where it is stored, who can and does access it, and how to prevent any accidental or intentional data leakage or loss. Reviewing technical safeguards in place across the organisation, such as password requirements for company issued devices, can help assess risks. Companies should also implement physical safeguards such as employing security cards to access the building.
Staying up to date with regulatory guidance allows companies to stay well-informed on the expectations for managing data breaches, reporting, and appropriate procedures if these issues arise. The DIFC data protection guidance maintains an ‘assessment tools’ section with tips on how to report a breach to the DIFC, other regulators, or to a data subject, as well as important information regulators may inquire about such as physical/emotional/mental/financial harm.
Organisations can be doing several things to prepare for, and mitigate the risk of, ransomware and phishing attacks:
- Develop and rehearse a cyberattack incident response plan including sanctions due diligence procedures to review a cyber-attacker. Know who in the organisation will be responsible for managing risk exposure.
- Consider conducting risk and impact assessments. Analyse potential commercial risks by considering how your business operates, whether financial transactions are conducted, if there is ownership of intellectual property and the consequences of its loss, and whether PII is handled and how it is processed, controlled, and managed. Concurrently, consider potential regulatory issues and reputational risks if a breach were to occur. It is a misconception that a company’s risk is low if it does not hold any customer data or intellectual property because organisations generate invoices and therefore can be susceptible to financial harm.
- Check in with official guidance, such as resources available in the DIFC to see how your how your plans, policies and procedures align or could benefit from the guidance.
- Ensure adequate procedures are in place to mitigate the risk of enforcement action. Implement adequate cyber security policies and procedures (use of strong passwords, multifactor authentication, periodic password change requirements, and regular cybersecurity assessments to test system readiness) to respond to cyberattacks. Update your procedures and employment agreements to reflect the new UAE data protection law.
- Mobilise a cyber-protection culture. Demonstrate the importance of cyber security during meetings, administer effective training programmes and conduct periodic audits of employee knowledge of policies and procedures.
*Freshfields would like to thank former Intern, Eiman Hager, for her research and drafting assistance with this blog article.