Cyber-attack – what to do?
Although companies and government institutions are becoming better prepared for cyber-attacks and are increasingly deploying internal protection systems, comprehensive protection against the often highly specialised groups of perpetrators on the internet can never be 100 per cent guaranteed.
This means that anyone can be affected by cybercrime at any time. There are a few principles that should be observed in the event of a cyber-attack:
- Keep calm in the event of ransomware attacks and do not take any rash action: In ransomware attacks, the perpetrators encrypt and/or delete the company data they can reach and demand a ransom for its return or decryption. Affected companies are therefore under great pressure and are confronted with the question of whether, and under what conditions, payment of the ransom demand should be arranged. It is important to make such decisions with a cool head and, in any case, to seek advice from IT experts on the extent of the damage (in particular whether usable backups exist) and from criminal law experts on the permissibility of such a payment (risk of criminal liability for embezzlement).
- Respond appropriately to social engineering attacks: In social engineering attacks, perpetrators use psychological manipulation to trick individuals into disclosing confidential information, bypassing security measures or initiating unauthorised payments. To prevent such attacks, it is crucial to raise awareness through regular training and to establish clear guidelines for handling sensitive information and for approving payments. If an attack has already succeeded and funds or company data have already flowed out, quick and level-headed action is required. IT security experts should be called in to identify and close the security gaps that were exploited. Legal steps should also be examined and the incident reported to the relevant authorities where necessary.
- Create a comprehensive picture of the situation: In order to make concrete decisions about how to proceed, the affected company must first establish a basic factual picture of the incident. What data is at risk or affected? What would be the consequences of losing the data? Are there secure backups? How do the risks and damage of the ransomware attack compare with the amount of the ransom demanded? All of these questions require in-depth knowledge of the specific incident. Only once these circumstances have been clarified is a sensible decision possible at all.
- Reporting and information obligations: It must be checked whether contractual partners or authorities have to be informed, and within what deadline. Depending on the type of company affected and the specific cyber-attack, this includes, for example, notifications to the cyber insurer, the data protection authority (a personal data breach must be notified without undue delay and, where feasible, within 72 hours under Art. 33 GDPR), the natural persons affected, the Austrian Energy CERT, the Financial Market Authority (FMA), RTR, etc.
- Criminal charges? In Austria, there is no general obligation for private companies to report criminal acts to the public prosecutor's office or the criminal investigation department. However, there is a right to report. The management must act within the scope of its duty of care in order to avoid liability risks for the company and personal liability of the managing directors. Whether a duty to report arises in the individual case is therefore relevant under liability law. In addition, many cyber insurance policies stipulate in their conditions that a potentially punishable attack on the company's IT system must also be reported to the law enforcement authorities.
The role of law enforcement authorities in cybercrime and internet fraud
If the criminal prosecution authorities act following a report or a statement of facts, they initiate a criminal investigation. In this context, they have investigative powers under criminal procedure law. In addition to the securing (Sec 110 ff of the Austrian Code of Criminal Procedure, StPO) and seizure (Sec 115 StPO) of end devices and data carriers, the power to request disclosure of subscriber and access data (Sec 76a StPO) in order to establish the identity of the perpetrator plays a central role in cybercrime cases.
By involving the law enforcement authorities at an early stage, the company concerned can create valuable synergies between its internal investigation and the criminal proceedings by providing the authorities with records and documents from the ongoing internal investigation. On this basis, the authorities can exercise their exclusive investigative powers, the results of which in turn support the company's own investigation. It is therefore in the company's interest to preserve evidence (log files, affected devices and data carriers) in an unaltered state from the outset, so that it can be handed over to the authorities in usable form.
In addition, the company can attempt to recover the damage it has suffered from the perpetrators within the criminal proceedings by joining them as a private party (Privatbeteiligung).
Compliance as a preventive measure against cybercrime
Implementing an effective compliance system is a key preventive measure to protect companies against cyber-attacks. Robust compliance includes clear security guidelines, training and workshops for employees, the use of modern security software, and internal controls and audits to detect potential security gaps. Having a plan in place for dealing with potential cyber-attacks increases the chances of a successful defence: the necessary measures and steps can be initiated more quickly, saving the affected company valuable time.
A functioning compliance management system can not only prevent cyber-attacks or limit their impact, but also help to minimise liability. Nowadays, cyber insurance policies often require a functioning prevention concept, so establishing a compliance system can also be worthwhile from this point of view.
Criminal defense in the context of cybercrime
If you are accused of a cybercrime offence under IT criminal law, it is advisable to consult an experienced criminal defence lawyer.
A central aspect of criminal defence in cybercrime cases is a proactive approach already during the criminal investigation proceedings. This includes careful preparation for interrogations, the submission of well-founded pleadings and the strategic use of motions to take evidence. The aim is to bring the proceedings to an early end and to avoid a public trial, which is often associated with considerable reputational risks.