What are the Responsibilities of an Organisation Victim of a Cyber-Attack?

Any company can suffer a cyber-attack. And companies have responsibilities towards their customers, employees, etc. What should they do in these cases?

Cybersecurity experts always say that companies should not ask themselves if they are going to suffer a cyberattack, but when.

And it doesn’t have to be large corporations; any company, no matter how small, is exposed to this risk. In fact, SMEs are a favourite target for cybercriminals, with 70% of cyberattacks being directed at companies of this size, according to data from Google’s ‘Current cybersecurity landscape in Spain: challenges and opportunities for the public and private sector’ study.

Therefore, all organisations should be prepared to respond in the event of an incident of this type, as it is not only them who become victims, but also their customers, suppliers, partners, employees, etc., to whom they have certain responsibilities.

Panda gives the example of the cyber-attack suffered by the CC.OO. trade union earlier this month. Although it is not a company, it helps us to see the responsibilities that any organisation has in these circumstances.

In this case, CC.OO. was hit by a ransomware attack that led to the encryption and leakage of part of the personal data it handled, leaving relevant information from almost 700,000 files exposed on the dark web. The union has been unable to recover them, having refused to pay the ransom demanded by the attackers.

‘This is a risk that all companies and organisations have to deal with on a daily basis, and which they must confront with certain measures established by the regulations in force to mitigate, as far as possible, the serious damage caused by these incidents. Failure to comply with cybersecurity rules can lead to significant financial penalties and compensation claims from individuals whose data has been leaked,’ warns the cybersecurity company.

In this case, CC.OO. says it has complied with all the guidelines set out in current regulations and has opened an internal investigation to clarify what happened. ‘According to the union, it has been working from the outset to resolve the vulnerability that caused this incident and has informed all those affected by email,’ says Panda.

‘Regardless of the blow to its prestige and the reputational consequences of this attack, the organisation assures that it has fulfilled its responsibilities under the NIS2 directive, which obliges essential services companies and important entities to establish measures to prevent and minimise the impact of incidents should they occur, and to notify within 24 to 72 hours of any serious incidents they have suffered,’ it adds.

It also points out that this standard ‘also influences the cybersecurity providers of these organisations, which must comply with its rules’.

The cybersecurity company also recalls that NIS2 includes other obligations, such as the use of end-to-end encryption or attendance at training by employees and management members of companies in essential sectors.

‘CC.OO., in its case and according to its account, has complied with the guidelines of the standard and has a Data Protection officer in each of its member organisations, as well as a team of cybersecurity experts. In addition, they have also reported the security breach to the Spanish Data Protection Agency and the Institute of Cybersecurity (INCIBE),’ says Panda.

The cybersecurity company stresses the importance of responding to these requirements, since organisations that are victims of a cyberattack are exposed to penalties that can reach up to 7 million euros or 1.4% of the total annual worldwide turnover of the previous financial year in the case of important entities; and up to 10 million euros or a maximum of 2% of their turnover in the case of essential entities.

It also stresses that ‘it is just as important to have security measures in place to prevent a possible cyber attack or minimise its consequences as it is to adopt an appropriate policy for the use of the data an organisation holds’, in order to avoid possible claims from individuals affected by the misuse of their data or by a leak of their information.

‘Cybercriminals can use this information to make fraudulent purchases or apply for credit in your name, to give just a couple of examples. For this very reason, these users have the right to claim damages. And they should know what they can do when they are informed that their data has been exposed on the dark web,’ he stresses.

However, he explains that not all claims will result in compensation. ‘This type of compensation will only be given when the security breach suffered by a company has occurred as a result of a breach by the company, or the user’s data is already being used by cyber criminals,’ he says.