The number of cyber-attacks taking place continues to rise steeply, with figures published this year by the Department for Science, Innovation and Technology showing that between 43% and 74% of UK businesses (depending on the size of the business) have been subject to a cyber security breach or attack in the last twelve months. Relatively few of those incidents make front-page news, but the recent attacks on Marks & Spencer and the Co-op demonstrate the vulnerability of even well-established and well-resourced companies.
While the exact nature of the attacks remains undisclosed, a visit to your local Marks & Spencer or Co-op store will tell you a lot about the significant impact on these companies, with shelves empty and orders cancelled or severely delayed. The detrimental impact on turnover is not difficult to imagine and significant costs will inevitably be incurred in the technical exercise to identify the extent of the damage and take remedial steps.
Share prices have dropped and the reputational damage to the businesses affected will be significant. While most of us now accept that no organisation is immune to cyber-attack, attacks with such wide-scale consequences still give most consumers and investors serious pause for thought.
Little detail has been given as to the source of the attacks or the extent of the data accessed or made unavailable, but these incidents also raise serious regulatory issues, and it is clear that the Information Commissioner's Office (ICO) has been involved in both incidents.
UK GDPR imposes an obligation on data controllers processing personal data to ensure that data is processed "in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures". UK GDPR recognises that what is appropriate will change from case to case and depend on a number of variables, not least the size of the organisation and the volume and nature of the personal data processed. Nonetheless, a number of common features can be identified: ensuring adequate security and encryption of data and up-to-date software; establishing and following internal processes and procedures on data security; ensuring staff are trained appropriately; and regular testing of systems and vetting of third-party suppliers.
The ICO has the power to impose significant fines (up to the greater of £17,500,000 and 4% of worldwide annual turnover) on organisations which fail to meet this standard, and individuals whose personal data has been compromised in a cyber incident can claim damages for any losses incurred.
In addition to the ICO's focus, it is likely that financial crime agencies such as the National Crime Agency, the Serious Fraud Office and/or specialist financial crime police officers will be taking action. Cyber-attacks often constitute criminal conduct, and the UK authorities will be taking steps to gather evidence and identify the source of the attacks. Those steps will involve engagement with the likes of Marks & Spencer and the Co-op who, in turn, will likely take professional legal advice on the level of cooperation to be provided and on the process for such cooperation. For instance, if staff members are to be interviewed, it would be wise to have legal representatives in attendance.
In addition, organisations should have an incident response system in place allowing them to move quickly with an internal investigation in the event of a cyber incident. One of the purposes of the internal investigation will be to identify any internal or supply chain vulnerabilities that need to be remedied. There are several benefits to involving expert legal advisers in the internal investigation team, not least because legal professional privilege will attach to the legal advice provided and to communications made for the purpose of obtaining it. This means that the instructing organisation cannot be compelled to disclose those privileged communications; whether underlying material such as a technical forensic report is also protected will depend on how the investigation is structured, which is a further reason to involve legal advisers from the outset. In this way, legal professional privilege provides a layer of protection to organisations who will be attempting to protect their reputation as far as possible.
With the ongoing economic constraints faced by most businesses, dedicating sufficient resources to cyber security can be challenging, and often it will be considered a lower priority than generating income. However, the fallout from incidents such as those currently faced by some of Britain's best-known retailers shows just how devastating cyber-attacks can be and the far-reaching consequences for business operations. It is vital that businesses ensure that appropriate security measures are in place, that monitoring and updating of systems and procedures is an ongoing process, and that there is a plan in place in the event of an incident.
BTO’s CyberProtect team can help your business with cyber security compliance and incident response. For further information please contact Lynn Richmond or Ramsay Hall.