Newsletter
March – April 2022
SUMMARY
Article
Understanding the cyber threat within the company
In Brief
ARTICLE
Understanding the cyber threat within the company
On March 8, a French TV channel, an online music platform and an instant messaging application stopped working normally: they had been the victims of cyber-attacks.
This phenomenon is not rare: in 2020, a company suffered a cyber-attack every 39 seconds. Since the COVID-19 crisis, the cyber risk has increased due to the accelerated digitalization of exchanges within the company, caused by the emergency rollout of generalized telecommuting.
This cyber risk concerns all companies regardless of their size, activity, or reputation. Cyber attackers are looking for a vulnerability to get into an information system to access confidential data for economic gain.
Thus, the most common attack is ransomware, which consists of blocking access to the data essential to the company’s daily operations. The victim is forced to pay a ransom to regain access to its information system.
Despite the multiplication of these attacks, there are several tools to prevent cyber-attacks and, especially, to manage the critical consequences they cause.
While it is obviously essential to protect oneself technically by securing the company’s information systems through computer engineering, the company must be aware of the legal risks associated with cybercrime.
As an example, European law encourages Member States “to provide, under their national law, for relevant measures enabling the liability of legal persons to be incurred, where such legal persons have clearly failed to provide a sufficient level of protection against cyber-attacks” (Directive 2013/40/EU of the European Parliament and of the Council of 12 August 2013 on attacks against information systems). Thus, a company that has been the victim of a cyber-attack could be liable if it does not demonstrate a sufficient level of protection.
A cyber-attack can affect all the activities of a company and its relations with customers, suppliers, or employees. Beyond the technical and technological means of protection, there are also sound legal reflexes to frame and/or reduce the risks in case of a cyber-attack.
In terms of commercial relations, it is strongly recommended to include contractual clauses in contracts and in the company’s general terms and conditions of purchase/sale, to anticipate the consequences that could result from a cyber-attack. For example, it is important to check whether the clauses organizing the consequences of poor performance or non-performance (late delivery, force majeure) or the clauses limiting liability are adapted to the new risks.
In addition, a cyber-attack can be the result of, or follow, a previous cyber-attack suffered by one of the company’s partners. Very often, companies that suffer a cyber-attack tend not to inform their partners, either inadvertently or because they do not want to publicize the fact that they have been attacked. Clauses requiring a partner to give immediate notice of a cyber-attack can limit the risk of the attack propagating and protect the company.
Finally, there are specialized insurance policies to cover cyber risk and in particular to compensate for the loss of data, to cover the cost of recovering stolen data or to pay the ransom. Depending on the activity of the company and the level of risk to which it is exposed, it may be worthwhile to take out insurance. The obligation to take out insurance can also be imposed on a business partner.
In terms of employee relations, it is important to keep in mind that 98% of attacks are related to human error.
Therefore, it is very important to make employees aware of cyber risks. This can be done through training or by adopting a charter of good practices in the use of digital tools.
A final point of attention concerns the reaction to a cyber-attack. In the event of a cyber-attack, the company may be confronted with different requirements, such as identifying the origin of the attack, gathering evidence, identifying the nature of the stolen data and, if necessary, notifying the personal data breach within 72 hours. It is important for the company to train its teams in the right reflexes in case of a cyber-attack.
In brief
- Firm’s event
Nathalie Cazeau will be speaking at the UIA “fashion law” seminar on the notion of compliance in the international sale of goods, in Barcelona on March 18, 2022.
- Training
On April 9, Nathalie Cazeau will give her annual course on Corporate Social Responsibility (CSR) to the students of the MBA in Business Law of the University of Paris-Panthéon-ASSAS.