With Russia’s military invasion of Ukraine, the “Theatre of Operations” has already included the Cyber Domain, with cyber-attacks launched in recent days against Ukrainian government websites, banks, corporations, and other organizations. Given the interconnected and open nature of the Internet, it is prudent to consider the possibility that either direct or collateral cyber-damages could affect businesses around the world, among them those in Europe and the United States. In light of recent events, we recommend reviewing the following considerations:
Cyber Incident Response Plan (IRP):
- Locate your organization’s Cyber Incident Response Plan (IRP) and confirm that it is distributed and available (electronically and, as appropriate, in hard copy) to relevant members of the Incident Response Team (IRT).
- Make sure that your IRP is up-to-date and that it does not contain outdated roles and responsibilities, or outdated contact information for IRT members.
- Include alternate contact information and communications protocols in addition to your corporate communications networks. Make sure that key members of the IRT are available in the immediate and near term.
Infrastructure Disruption:
- Consider what a disruption of critical infrastructure could mean for you and your organization. For example, disruptions to the electrical grid, train and subway lines, telecommunications systems, and potentially even water and fuel providers (recall the Colonial Pipeline hack in May 2021).
Backups:
- Make sure you have air-gapped backups of critical data and that all ransomware protections are maximized.
Network Surveillance:
- Ensure that all intrusion detection, anti-virus, and other cyber-security technical measures are in place, up-to-date, and properly configured and deployed. As appropriate, ensure that logging functionality is maximized and that relevant activity logs are preserved.
Patch Management:
- Ensure that patches are up-to-date and current. (Patch management refers to the process of distributing and applying revisions to operating systems and application software code.)
Contractual:
- Review contractual obligations to notify third parties of any security incident on your networks and, correspondingly, understand the obligations that your critical suppliers and vendors have to notify you in the event of incidents on their networks.
Regulatory:
- Understand any regulatory reporting obligations that you may have and be sure that you are aware of what types of incidents (at your Company or at vendors, including third parties) will and will not trigger those notification obligations.
- More broadly, stay attuned to relevant advisories issued by your regulators.
- Among others, the European Central Bank (ECB) has issued guidance on the potential impact of the war in Ukraine on the entities it covers. Even if you are not regulated by a particular regulator, these types of advisories can be informative.
Insurance:
- Check your insurance coverage for notification requirements and any potential War Exclusions. This includes, but is not limited to, cyber coverage.
Internal and External Communications:
- As appropriate, alert relevant C-suite management and Board members to the issues above so that they can discharge their fiduciary and oversight obligations, among others, to be informed and prepared.
- Be ready to address employee questions or customer and client inquiries concerning any issues affecting your Company or third parties on whom you depend.
Disinformation:
- Be aware that Russian cyber tactics include disinformation. Be cognizant of the source of news and advisories upon which you might base organizational decisions.
Beyond direct cyber-attacks on critical infrastructure, it is extremely difficult to predict how the Russian invasion of Ukraine might escalate and affect your business or third parties upon whom you depend. And while many of the above points may simply seem like common sense, experience teaches us that many are often overlooked once the “bits” and “bytes” start flying.
Author:
- Joseph V. DeMarco is founding partner of DeMarco Law, PLLC, a boutique law firm focused on the law of data privacy and security and cybercrime prevention and response | jvd@demarcolaw.com
Compliments of DeMarco Law PLLC – a member of the EACCNY.