For years, companies have been in the crosshairs of cyber criminals. But as geopolitical tensions rise, companies—especially financial institutions, global tech companies, and critical infrastructure—are increasingly finding themselves on the front lines of state-sponsored cyber activities, blurring the lines between criminal attacks and warfare.
The difference is not just rhetorical, but legal. It will have huge implications for how companies protect against, prepare for, insure against, and respond to breaches in the near future—and for the role of the in-house lawyer.
Why Your Organization Is at Risk
You are not part of a government; you don’t develop missiles or build tanks. Why would your company be at risk from a nation-state?
Companies make easier targets than hardened military objectives—and companies typically do not strike back. Companies have money and valuable intellectual property, and, particularly when they are part of critical infrastructure, striking them can have an outsized destabilizing effect on a country.
Nations can disguise their impactful malicious activity against private entities while preserving plausible deniability. This plausible deniability helps keep situations from escalating, provides nations with a ready way to adjust adverse activity (a lot harder to do with conventional forces), helps keep them out of international tribunals, and protects against adverse public opinion.
Often companies are not the targets, but are collateral damage. In 2017, the Russian military developed malware that was spread by poisoning the software update mechanism of a Ukrainian tax software product.
While the attack was intended to disrupt businesses in Ukraine, it spread globally and affected a number of large multinational corporations. Overall, the attack is believed to have caused more than $10 billion in damages.
Certain nations find value in commingling their military and criminal cyber activities. Some nations tolerate or even endorse criminal activities directed at companies outside their borders, thereby creating a cyber-mercenary force.
For example, at the start of the Ukraine invasion, the ransomware gang known as Conti publicly declared its support for Russia, and threatened to attack organizations it deemed hostile to Russia and its war effort.
While defending your organization against a foreign nation seems daunting, organizations can take steps to protect themselves.
Thorough Defenses Needed
So-called perimeter defenses are important, but in-house lawyers and IT professionals should consider assuming that foreign nations can defeat them. Regulators are increasingly taking that realpolitik view as well.
Accordingly, from a practical and regulatory perspective, companies should consider striving to adopt zero-trust architecture, multifactor authentication, robust monitoring solutions, and formalized vendor due diligence.
Organizations that can identify, stop, or slow cyber attacks at every possible stage will give themselves multiple opportunities to prevent a significant disruption and be able to demonstrate sufficient reasonableness before regulators.
Increased Reporting Requirements
The 2021 Colonial Pipeline attack starkly demonstrated how cyber attacks against private entities can have outsized implications on national security, leading to a flurry of new regulatory reporting requirements.
One example is the Cyber Incident Reporting for Critical Infrastructure Act of 2022. When implementing regulations are final, it will require critical infrastructure companies—financial services companies, energy companies and more—to report any substantial cybersecurity incidents or ransom payments to the federal government within 72 and 24 hours, respectively.
Significantly, the new reporting requirements might apply even if the cybersecurity incident doesn’t involve unauthorized access of personal information.
That same month, the Securities and Exchange Commission proposed amendments to certain rules regarding cybersecurity disclosure to standardize and enhance disclosures made by public companies subject to the reporting requirements of the Securities Exchange Act of 1934.
These reporting requirements, designed to help stem systemic attacks by nation states, mean lawyers are increasingly getting involved at the earliest stages of a company’s cyber defense to spot, shape, and execute on regulatory notifications, even when personal data isn’t involved.
Organizations that are part of the cyber supply chain and are thus high-value targets to hostile nations should consider being especially cautious, as government agencies mandated to prevent system-wide attacks are aware that these types of organizations could present a single point of failure for their customers and will likely apply scrutiny accordingly.
Cyber Insurance and Force Majeure Clauses
Cyber insurance can help defray the costs, which can be considerable, that go along with cyberattacks. However, insurers like Lloyd’s of London are now requiring underwriters to exclude coverage for state-backed cyberattacks akin to the exclusion for damages related to war that are commonly part of insurance policies.
Accordingly, it will be important to check your cyber insurance to ensure your company is actually covered against attacks that are, or could be, state-sponsored.
Similarly, it is worth reviewing the force majeure clauses in general contracts, as most contain boilerplate exclusions for acts of war and warlike activities. The pandemic briefly renewed attention on these clauses, and the rising proliferation of state-backed attacks could bring these oft-neglected exclusions back to the forefront.
Lawyers Can Help
Organizations need a robust, well-practiced, and well-coordinated response capability that enables them to recover quickly and mitigate regulatory, litigation, and reputational fallout.
Lawyers should be central to the response effort, particularly to ensure consistent, coordinated, and timely communications to regulators, boards, the media, contractual parties, insurance companies, impacted individuals, and employees.
Lawyers can also help manage the proliferating regulatory timescales and requirements for notifications, and can help with avoiding language that can result in costly lawsuits. In addition, should ransom payments ever be a consideration, lawyers will likely need to engage with law enforcement and conduct sanctions due diligence.
As cyber attacks become more like cyber war, the role of the lawyer is even more important to help private companies protect against, prepare for, insure against, and respond to breaches.
This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.
Michael Bahar is a litigation attorney at Eversheds Sutherland and co-lead of the firm’s global cybersecurity and data privacy practice.
Chris Bloomfield is an associate at Eversheds Sutherland who focuses on cybersecurity and data privacy matters.