Cybersecurity litigation remains growing concern facing financial institutions

Financial institutions have identified cybersecurity and data protection as the top trend facing them in litigation in 2021, according to the recently released 17^th Annual Litigation Trends Survey by Norton Rose Fulbright, which surveys hundreds of in-house litigation leaders, including general counsel from global corporations.

Financial institutions increasingly feel more vulnerable to cybersecurity-related disputes as compared to other industries, with 79% of financial institution respondents reporting feeling more exposed to Cybersecurity/Data protection disputes versus 2020, compared to 66% on average for all respondents. One general counsel of a financial services firm explained that to the extent the financial industry has a higher cybersecurity risk than other industries, “It is simply because we have access to, and need in order to manage our business, our clients’ most sensitive information: It's their financial information.”

Financial institutions report several factors increased their exposure to cybersecurity disputes, including the storage of large volumes of client data, continued remote work and its impact on IT infrastructure, the growing sophistication of cyber-attackers, and the changing legal/regulatory landscape. The remote workforce and companies’ increased reliance on technology has exacerbated the impact of cybersecurity and data protection issues.

According to one general counsel in the insurance field, COVID and remote work has made everyone “more susceptible to potential cyber-attacks and phishing scams in the home network environment.”

Class actions driven by cybersecurity litigation remain a top concern for financial institutions. For those that have experienced a cybersecurity incident and, where appropriate, notified impacted individuals, they report that plaintiffs’ bars are increasingly aware of data security breaches and that these consumer notifications often spawn class action suits for both larger and smaller incidents.

While financial institutions report cybersecurity issues as presenting a high risk to their organization due to the risk of potential legal disputes, many note that another pressing risk is reputational damage, and the concern that a cyber-attacker could obtain non-public confidential information of third parties or clients that would impact the professional reputation of the company.

Financial institutions also report the increased risks presented by third parties. The majority of respondents reported that they impose high cybersecurity standards on third parties with access to company systems, including restricted access to highly sensitive data. According to the managing director of a large banking and finance firm, there is increased focus to manage litigation risk by engaging in negotiations to limit liability and indemnification in third party agreements.

Survey respondents reported that employee training is one of the most useful tools to reduce cyber risk and prevent phishing attacks. This includes increasing employee awareness of cybersecurity and phishing risks and testing employee engagement by implementing phishing simulations. Respondents across all industries also reported that they are taking steps to implement encryption tools that would better secure sensitive data, and restrict monitoring and access to sensitive information from employees and third parties. According to one banking institution, employee training remains the “number one” tool, followed by “investment in the technology around maintaining the security of our clients’ data and preventing ransomware attack,” including by implementing penetration tests and tabletop exercises to simulate cyber-attacks and test for security vulnerabilities.

Financial institutions also report that the changing legal landscape around cybersecurity is in large part due to increasing regulation both in the United States and abroad, and the increased prevalence and societal focus on cyber-attacks.

Legal counsel continue to play a critical role in decreasing legal risk in this space. Respondents say inside and outside counsel serve as an important bridge between the business and the information technology and security teams. Counsel’s role includes assisting companies with interpreting a growing regulatory landscape, and advising on prioritization of new technology solutions to safeguard data.

To address these issues, financial institutions report spending more resources upgrading their cybersecurity defenses in 2021, a trend that they expect will continue in 2022.

Authors: Andrea D’Ambra and Susana Medeiros at Norton Rose Fulbright US LLP