Cybersecurity: Legal Challenges for Businesses in Ukraine
In recent years cybersecurity has become a hot topic in Ukraine, and for good reason. On 27 June 2017 a massive cyberattack known as Petya/NotPetya hit the Ukrainian Government, private and state banks and numerous companies in the space of hours, and then spread to computers worldwide. Eighteen months before this, nearly a quarter of a million people in Western Ukraine lost electricity after the Ukrainian power grid was hacked. These are just two examples of a series of cyberattacks in Ukraine, a country that appears to have become a testing ground for hackers.
However, cyber-incidents are not only about threats from outside a business. More often, they are caused by an action or a failure of someone inside a company.
The risks from cyber-incidents do not only relate to financial exposure. Personal data, trade secrets, business plans, financial information and other sensitive corporate information are also very valuable and can cause considerable damage to a company if leaked or stolen.
In order to stay safe in the face of constantly evolving cyberattacks, most companies focus on implementing new technical solutions, such as firewalls, encryption mechanisms, storing data in the cloud, etc. However, experts say that there is no rock-solid technology that can ensure absolute protection, and cybersecurity must go beyond technical measures. We have compiled a list of the top legal issues that should be considered in order to manage the different aspects of cybersecurity, from preparation to the proper reaction to a cyber-incident.
As regards data, the company should analyse the scope of the data it stores: what data is processed, how it is secured, who has access to it, etc. The risk assessment may also cover an audit of existing contracts in view of, for example, contractual liability for data breaches or the eligibility of cyber-incidents to be classified as force majeure under applicable law.
Although technical measures in the form of firewalls, multilevel authorisation, password policies and others may ensure a company enjoys a reasonable level of cybersecurity, they can never exclude the “human factor”, such as employees’ lack of awareness or disregard of standard security procedures.
In Ukraine, the overall awareness of basic cybersecurity rules is believed to be very poor. It is, therefore, crucial for companies to inform their employees about current, very real cybersecurity risks and how they should behave to mitigate such risks.
Implementing a cybersecurity policy can be an effective step to raise employees’ awareness of such risks and of how to protect against them. Such a policy should provide clear and easy-to-understand ‘do’s and don’ts’ for employees in their daily cyber hygiene. These rules must be legally binding and effectively enforced in the case of violation. However, a tick-box or an employee’s signature under the policy does not guarantee that they have read it. Companies should ensure their personnel receive regular education and training on cybersecurity. Employees need to know at least the basic rules on installing third-party software, using USB drives, reacting to phishing e-mails, and other everyday matters, even if this may sound very basic and obvious.
A company’s cybersecurity is not only the concern of its IT staff. It should be considered part of core business strategy and there should be a special unit in a company responsible for cybersecurity matters. This can be an in-house group, external people or a mix. The formation of such a team enables the company to bring together people who will be responsible for monitoring potential threats and educating employees. The team should know exactly what to do in the event of a cyber-incident.
Once a cyber-incident starts, every minute counts. It is a good idea to have a plan and instructions for everyone in the company about what to do, rather than just pulling the plug out of the socket in panic.
In Ukraine, businesses have long had emergency plans for hostile takeover attempts or dawn raids. It is now becoming common practice to draw up emergency plans for cyber-incidents. Such plans should include a detailed list of actions, first of all for the cybersecurity team, including how the team should communicate in the event of an incident (via Telegram, Intranet or even Viber), what to do within the first hour and within the next 24 hours, whether to call the Cyber Police / CERT-UA, how to properly inform employees and the market, whether any legal support is required, etc. The reception desk, PR and HR departments should receive separate instructions on notifying clients, employees and office guests.
Cyber-insurance cannot protect a company from cyber-incidents, but it can be an option for minimising potential material losses. The global cyber-insurance market is rapidly moving forward, but in Ukraine it is still undeveloped, and only a few insurance companies offer such policies. Insurers will, however, analyse the status of the cybersecurity measures taken by a company. It is therefore important to implement all possible measures before seeking cyber-insurance; otherwise, insurance premiums can be very high.
Once a cyber-incident is confirmed, things can start to move very rapidly. It is important to be prepared so as not to waste the ‘golden hour’. Here are several major points to consider when managing and coordinating incident response.
Notification of personnel, clients, suppliers, and the public
When faced with a serious cyber-incident, a company usually does not want the news to spread, and will not release any public statements or warnings to customers and suppliers that their data may have been compromised. While this approach is sometimes justified, complete secrecy may not always be an option. Typically, it is difficult to keep the information from leaking out, and any delay in making an announcement carries monetary and reputational risks.
As regards the company’s employees, it is important to consider how to tell them what has happened without causing panic, what instructions to give them, whether they should continue working, etc. It is, therefore, vital to put together a detailed emergency plan before an incident happens. PR specialists can be asked to join the cybersecurity team, with the task of preparing announcements to personnel, customers and law enforcement authorities ahead of time. All of these points should be covered in the emergency plan.
Notice to Cyber Police and CERT-UA
If a company experiences a cyberattack, it must consider whether to call the Police. In Ukraine, the National Police established a specialist cyber-crime department only in October 2015. Since then, and with additional equipment and educational support from international donors, the Cyber Police has significantly increased its ability to provide technical support to organisations wishing to detect incidents, recover information and catch criminals.
However, businesses still rarely report cyber-incidents to the authorities.
Pursuing hackers is often regarded as a waste of time, which in most cases, unfortunately, is true, especially in the case of serious incidents. This may also be due to improper preparation and companies reacting too slowly. It may, however, still be important for a company to call the police in order to have a written record that a cyber-incident has occurred, which can then serve as a basis for invoking force majeure circumstances.
Companies may also consider contacting the Computer Emergency Response Team (CERT-UA), which is a special unit of the State Service of Special Communications and Information Protection of Ukraine that assists a company’s IT staff with the technical side of incident response.
When drafting emergency plans and policies, training employees, reacting to cyber-incidents, and communicating with the police, a company may require assistance from specialists with experience in responding to the particular type of cyber-incident at hand. These can be members of the company’s cybersecurity team or external specialists. Such support becomes much more relevant once an incident happens, and may be critical if customers, contractors and others start bombarding the company with claims about the leakage of their confidential data or the company’s performance of its contracts, or with court claims.
Recent legislative developments
In response to evolving challenges, Ukraine has recently been developing the legal framework that regulates cybersecurity. In 2016, Ukraine adopted a National Cybersecurity Strategy, a set of best practices and principles on enhancing the country’s cyber-protection, and is now working towards full implementation of the Strategy. As a first step forward, the National Cybersecurity Coordination Center, a supervisory and analytical agency, was established in June 2016.
In October 2017 the Ukrainian Parliament passed the Law On Cybersecurity. This law came into force on 9 May 2018, and will mostly affect state and private “critical infrastructure” companies. These companies are active in certain sectors of the economy (including energy, infrastructure, etc.).
The exact list of companies is still to be drawn up. If a company falls into this category, it will have to follow certain requirements — for example, ensuring cyber-defence of its communication and technological systems, undergoing independent cybersecurity audits, and instantly reporting cyber-incidents to the authorities.
Olga Belyakova, partner at CMS Cameron McKenna Nabarro Olswang
Mykola Heletiy, associate at CMS Cameron McKenna Nabarro Olswang