Technology failures and cyber events: Prepare for resilience
Market Insight, 26 July 2024
Global
Technology risk
Recent worldwide events have highlighted the potential vulnerabilities we all face from the fallout of technology failures or a cyber event. By focussing on preparedness and resilience, organisations can put themselves in the best possible position to respond and recover should the worst happen.
Reliance on technology is fundamental to how businesses operate, but with it comes risk – of technology failures, data breaches and cyber-attacks – which could be devastating. We are seeing more and more how interconnected IT systems, technology and global operations are. Something which impacts one of these areas can cause widespread damage across your business. It is not just your business that needs to be resilient, but also the third parties or managed service providers you rely on. It is therefore key to be fully prepared and ready to act when required, in order to make the most of, and survive in, the modern technology and cyber environment.
Whilst events can vary in severity and impact, there are some consistent trends that can be mitigated with proper planning. The key to recovering swiftly is to plan ahead and ensure that you have adequate policies and procedures in place.
Readiness and resilience
Preparation is key to boosting your organisation’s resilience, and high-profile incidents remind us of the lessons to be learned in terms of preparing for a similar event in the future.
Advance planning can greatly assist in minimising the impact of an event, including developing effective Business Continuity Plans (BCP) and Incident Response Plans (IRP). Whilst each BCP and IRP will be tailored to your own business, it is essential for all organisations to review the policies and procedures in place and regularly assess them for impact and effectiveness.
The period following an event is a key time to re-assess, adapt, and implement any changes. Whilst the aim is to get back to business as soon as possible, it is also an excellent opportunity to emerge stronger and more robust by undertaking a thorough post-incident review. Performing a root-cause analysis, quantifying the impact of the incident on your business and reviewing the success (or otherwise) of your policies is important to optimising your preparedness, and ultimately resilience.
Communication of these policies and procedures is key, so ensure your core incident response team is aware of their roles and responsibilities. Waiting until an incident occurs is too late; you will need to hit the ground running. Having people only just finding out about their role, meeting as a group for the first time, or needing to read up on their responsibilities as an incident is occurring (or after it has occurred) can only lead to greater impact and loss.
Business interruption
Many technology or cyber events may result in an interruption to business. Whilst this is a cross-industry issue, certain sectors are likely to suffer a greater impact. The retail, leisure and travel industries, for example, may experience material losses from a short period of business interruption and resulting disruption.
Ensure your policies consider the impact of business interruption, and the potential level of severity. It is also important to validate any workarounds that you may have in place in the event of a business interruption, so you know that what you are falling back on works. In such circumstances, it will be key to know in advance how you will deal with any interruption to business and what steps are to be taken to minimise business interruption and the resulting impact, including ensuring the right people are involved and that everyone knows the processes and procedures that are in place.
Ensure you are up to date with changes in legislation and regulation
Regulation and legislation surrounding technology, data protection and cyber security is constantly changing and adapting around the world today.
All businesses dealing with data in the UK and EU should be aware of their obligations under the GDPR and UK GDPR. This includes ongoing considerations to ensure that personal data is processed lawfully, fairly and in a transparent manner; collected for specified, legitimate purposes; adequate, relevant and limited to what is necessary; and processed in a manner that ensures appropriate security of the personal data. Should personal data be impacted as a result of an incident, then organisations should be aware of the relevant obligations under the GDPR and UK GDPR. This may include taking steps to address any data breach, informing individuals impacted, and reporting requirements to local regulators.
In the EU, the Digital Operational Resilience Act (DORA) has entered into force and rules will apply from 17 January 2025. The aim of DORA is to create a harmonised regulatory framework, strengthening the information and communication technology security of financial entities, requiring financial institutions to comply with a number of obligations designed to ensure that their business lines remain operationally resilient. DORA applies to a range of financial institutions regulated within the EU. A full list of applicable entities is set out at Article 2(1) DORA and Article 2(3) lists the entities to which DORA does not apply. It is essential to determine whether DORA applies to your business and, if so, ensure that you are in a position to comply with your obligations.
Also in the EU, the NIS-2 (Network and Information Security) Directive, EU-wide legislation on cybersecurity, has entered into force and must be transposed by the Member States by October 2024. NIS-2 expands the scope of the previous NIS Directive, and it is therefore important to check whether your organisation falls within the scope of NIS-2 and to consider your information security management systems with sufficient time to prepare. The UK will not be implementing the EU NIS-2 Directive but is planning its own changes to the NIS Directive, which are expected in 2024.
In the UK, a new Government has resulted in current uncertainty as to changes to data and cyber related legislation. With the announcement of two new Bills (yet to be formally introduced to Parliament), reform to data protection and cyber security legislation in the UK may again be on the horizon.
Following the General Election on 4 July 2024, the State Opening of Parliament and King’s Speech took place on 17 July 2024, setting out the proposed Parliamentary agenda under the new Labour Government. Whilst not directly mentioned in the King’s Speech, the accompanying background briefing notes confirm that two Bills are on the agenda which may bring reform to data protection, privacy and cybersecurity practices in the UK:
- Digital Information and Smart Data Bill
- Cyber Security and Resilience Bill
At the time of writing, the full text of both Bills is awaited.
How we can help
The Clyde & Co cyber team and global One network is a global, locally tailored, cyber risk solution. We can help you manage every aspect of cyber risk, through readiness, to response and recovery. We have one of the largest dedicated cyber teams across our network of offices and offer a “follow-the-sun” model, with our teams in different regions available to assist around the clock.