Heightened global geopolitical activity can lead to an increase in cyber risk for businesses. “Grey zone” and “hybrid” are two terms relating to cyber attacks that are widely used at the moment. Both terms now typically relate to geopolitical activity. “Grey zone” activity is activity by, or attributed to, a nation state actor that falls between normal peacetime relations and traditional kinetic warfare. “Hybrid” refers to the fact that modern warfare is almost always a combination of traditional kinetic action and cyber (or other non-kinetic) activity.
Such action can have a significant impact on businesses. Some sectors may be directly targeted by cyber activity, with infrastructure, energy and logistics among the most likely targets. In the last 18 months, there have been several global-scale supply chain attacks, resulting in significant disruption and remediation activity. These have highlighted the vulnerability of global supply chains to cyber attacks. Malware, particularly wormable malware, can get out of control and directly impact businesses around the world. In the medium term, there is also the ‘trickle-down effect’, as highly sophisticated malware is deployed in the wild and is then used by criminal groups engaged in theft, ransom and other cyber attacks for financial gain.
It is important for businesses to assess how the current threat landscape may affect their ability to operate. Cross-functional teams, including security, legal, compliance and commercial functions, should review incident response and business continuity plans, and assess whether they are still appropriate or should be updated and amended. Threat intelligence capability, and the ability to operationalise that intelligence, are crucial in heightened risk situations, particularly as government agencies are currently declassifying and sharing information relevant to the private sector, with real detail, in a way that we have not seen before.
Understanding third party risk, and the related contractual position, is a key part of the risk assessment and management process. It is key to understand in advance issues such as the scope for suppliers to declare force majeure, or suspend performance, if they are the victim of a cyber attack, and similarly the scope for your business to rely on similar provisions if it is the victim. While it may not be possible to consider these provisions across all contracts, key supplier and customer relationships should be assessed. Scenario planning across the business, including the legal and compliance functions, for situations where key suppliers or customers are the victim of crippling cyber attacks is an important part of preparing for the crisis situation that is a major cyber attack.
The current heightened threat situation does not in general change breach notification obligations, either to data protection authorities or under similar legislation relating to cybersecurity and network security. However, one issue which should be considered when deciding whether to notify data protection authorities is the identity of the threat actor and how that may affect the assessment of the risk of harm to data subjects. In addition, where detailed threat intelligence information is being shared by government agencies and law enforcement, if failure to act on such intelligence enables a breach, then regulators may take that into account when investigating incidents and considering penalties.
The steps referred to above should also be kept under review and revisited on an ongoing basis, as the risk scenario changes and more information becomes available. If a widespread significant incident does develop, or specific sectors are targeted, quick, effective action will be necessary and advance preparation is essential.