Last week, the British government trumpeted news of a planned new court, which will be based in the country's financial district and will focus upon economic offences such as fraud and cybercrime. Some politicians have heralded the new facility, which is currently described as the City of London Judicial Centre, as a sign of how London will, in the era of Brexit, remain at the forefront of legal expertise1. The pace of technological change implicit in cybercrime has challenged courts around the world to apply laws to new technical versions of traditional crimes – a court that regularly focuses on these questions is likely to be more effective over the longer term.
Beyond the headlines, the plan for a new centralized court for cybercrime (and other economic crimes) is a timely reminder of the significant cyber threats faced by those who do business in the UK. Generally, media attention has focused, and continues to focus, upon large-scale losses of personal data, such as the TalkTalk hack in 2015, the Tesco Bank hack in 2016, and the more recent Equifax episode. There are many more cases that go unreported. The Crime Survey for England and Wales, published earlier this year, stated that there were an estimated two million computer misuse offences (or 'cybercrimes'), meaning the unauthorized access to data or the intentional disruption of data systems (e.g. denial-of-service attacks), during 2016. Of course, the very nature of cybercrime means that offending is under-reported, which the National Crime Agency (the NCA) emphasized in its recently published annual threat assessment regarding serious crime2.
As for current trends, a significant issue is proliferation. We have noted a growing sophistication of the methods used by criminal groups and non-state actors. Those players are increasingly using types of malicious software ('malware'), and techniques and tactics previously seen exercised by sovereign states only. For example, business email compromise, also known as 'insider spear-phishing', is a form of economic espionage and electronic surveillance that is used to defraud the target company by causing it to divert funds or make a payment following a misrepresentation3. Secondly, malware-as-a-service is readily available on the Dark Web, and there are credible reports of substantial companies using it or more traditional options such as distributed denial of service attacks to disrupt commercial competitors4.
In each case, victim businesses should carefully consider their recourse to the criminal law and/or through civil litigation. Businesses must also be alive to the growing trend towards specific legislation in this area: the European Union's General Data Protection Regulation, the Network Information Security Directive, and the New York Department of Financial Service's Section 500 rules all impose obligations as to security standards and cyber incident disclosure. At the same time, we have seen the UK's Financial Conduct Authority and the US Securities and Exchange Commission become increasingly engaged in this topic as an issue of systemic risk. The Financial Stability Board (FSB), a coordinating body for national financial agencies and standard setting organizations, noted this week that almost three quarters of the G-20 entities working within the FSB reported planning to issue some type of regulation, guidance or other form of supervisory practice to focus on cybersecurity in the financial sector5.
As publicized last year, the government intends to invest some £2 billion on improving the UK's cybersecurity generally. That is certainly welcome, as is the concept of specialist courts, or judicial lists, for those criminal cases that turn upon cybersecurity issues. It does, however, remain to be seen whether and how the City of London's declared vision for a streamlined judicial centre matches up to the reality of the particular complexities involved in the investigation and identification (attribution being especially difficult) of, and subsequent litigation against, those who perpetrate cyber-enabled crimes.
To discuss these issues, please contact either Anupreet Amole in London, our Cybersecurity practice lead for the EU and UK.
1 Financial Times, 'City of London plans new court to handle cyber and fraud cases', (October 9, 2017).
2 Cabinet Office, HM Treasury, The Rt Hon Ben Gummer, and The Rt Hon Philip Hammond MP 'National Strategic Assessment of Serious and Organised Crime' National Crime Agency (November 1, 2016)
3 Wall Street Journal, 'U.K. Companies Plagued by Payment Diversion Fraud', October 6, 2017.
4 Financial Times, 'Your biggest cyber threat? It's not who you think it is', October 9, 2017
5 Law360, 'Cybersecurity Review Reveals Global Rules Being Drawn Up', October 13, 2017
FOR QUESTIONS OR MORE INFORMATION, PLEASE CONTACT: