³ÉÈËÓ°Òô

January 2023 saw a series of cyber-attacks on UK companies, notable among them were FTSE 100 members Royal Mail and JD Sports. Earlier in January, which led to severe disruption in sending letters and parcels overseas. They have made several service update announcements since the attack, reporting that they are ‘using alternative solutions and systems, which are not affected by the recent cyber incident’. More recently, the at the end of January resulted in the unauthorised access to a system that contained customer data relating to some online orders placed between November 2018 and October 2020. The sports retailer claims that the affected data is ‘limited’, potentially consisting of the name, billing address, delivery address, phone number, order details and the final four-digit payment cards of approximately 10 million customers.

The recent spate of cyber-security breaches prompts questions about how companies prepare for these risks, whether their mitigation strategies are sufficient to curb such risks and whether their contingency plans are efficacious in the event of security breaches. Both companies’ 2022 Annual Reports confirm that cyber-security breaches are a risk factor, with both companies adopting various mitigating activities to address the nature of the risk. In its annual , Royal Mail deemed cyber-security breaches as a high-risk factor with high potential impact:

‘Given the evolving nature, sophistication and prevalence of these threats, including those presented by the war in Ukraine, the hybrid workforce driven by the pandemic and an increasing reliance on technology and data for operational and strategic purposes, [cyber-security] continues to be a principal risk. We also recognise that in a business with more than 161,000 people and large quantities of documentation, there is a possibility of human error in the protection of data.’

Similarly, described cyber-crime as an increased risk compared to 2021/22, writing that:

‘Cyber-crime is becoming more sophisticated with the risk increasing across all markets. Any cyber-attack or breach of data may result in the short-term loss of revenue and diverted resources, while there is also the risk of a longer-term negative impact on customer confidence and the Group’s reputation. The continued growth of the Group via acquisition leads to a more complex network of IT systems. The Group recognises the importance of maintaining a robust set of cyber security policies, procedures and technical controls across all business areas.'

As part of their mitigation strategies, both companies listed some combination of the following activities:

• Investing in cyber resilience to protect their sites, colleagues, systems, and consumer data
• Increasing the level of cyber security education and promoting good behaviours across the workforce
• Developing strong processes to review and manage security risks quickly
• Regular independent assessments of the company’s security posture
• Ongoing assurance of organisational and technical measures, including disaster recovery and assessment of third-party supplier controls
• Encouraging an open and prompt reporting culture so appropriate remedial action can be taken as soon as possible
• Having a Data Protection Officer who is supported by the Group’s Legal team, Information Security team, HR and Profit Protection team to advise the business and to provide training where available

The description of such mitigating activities seems to focus on the technical resources allocated to implement structural policies within companies. However, market insight from legal practitioners seems to suggest that, outside of the activities listed above, an effective cyber-security strategy should also consider the level of coordination between two key teams during a cyber-attack: namely, the company's legal team and the IT team. According to Suzanne Jopling, a Privacy and Data Protection specialist at ³ÉÈËÓ°Òô UK, well-resourced cyber-security strategies should also be multi-layered with a focus on clear, structured coordination between relevant teams, points of contact and senior leadership. Having a practiced and well-managed approach to an attack can facilitate the timeliness and efficacy of a company's cyber-security response. The exchange of technical knowledge between teams is key, along with a demystification of the jargon that can cloud an effective security response. For global organisations, it can also increase the awareness of any other impacted jurisdiction's reporting requirements and time-critical issues.

Similar points are echoed by Rachel De Souza, a Global Knowledge Lawyer for DLA Piper's Data Protection, Privacy and Security practice. She observes that:

‘In recent years there has been a swathe of headline making cyber-attacks around the world. Ransomware, encryption and data exfiltration remain some of the most popular methods used by adversaries and no sector or business is immune.’

In De Souza’s view, ‘organisations should establish an enterprise-wide incident response team, headed by senior management that can enlist all employees in the mission of cyber-security strategies and can secure adequate budget.’

Once again, communication structures are key as she comments:

‘It is critical to ensure lines of communication between privacy and cyber stakeholders are open and escalation criteria are clear. It is also important to continually review organisational controls, develop and improve incident response plans, conduct internal and external security assessments, and train employees on incident prevention and response.’

Ultimately, resources and budgets are required to animate the potential of cyber-security policies and procedures:

‘While policies and procedures are an essential part of any compliance programme as the ‘paper shield’, without the resources and budgets needed to implement and oversee them effectively, they can become a liability for organisations providing an easy way for data protection supervisory authorities to prove breach. Remediation before a cyber incident is invariably less costly, stressful and damaging to an organisation’s reputation and balance sheet compared to remediation after a cyber incident.'

In light of the above, Market Tracker will continue to monitor the mitigation strategies of companies noting cyber-security as a risk factor in the upcoming AGM season.