Norton Rose Fulbright highlights cyber and privacy trends in the Middle East, with an insight on the increasing threat of ransomware in the region.
2020 was a year of rapid business transformation across the world. In response to the COVID-19 pandemic, companies across sectors in every region of the world sought to adapt to agile working through the use of technology and underwent digital transformation at speed.
2020 also saw the health and pharmaceutical sectors play a crucial role in seeking to combat COVID-19. The data that these sectors generated and held became increasingly valuable and was therefore prone to increased cyber threats.
As companies across sectors faced operational challenges, IT and management teams often took their focus off internal cyber security and focused instead on trying to adapt to the new agile environment and trying to stay operational in challenging times. This created an ideal threat landscape for cyber attackers, who took advantage of businesses focusing elsewhere.
Cyber threats posed by insiders also became an increased area of concern over the last year. In summary, cyber risks and threats against businesses escalated over the last year, both in the Middle East and globally.
Cyber trends specific to this region
Countries in the Middle East region (in particular the UAE and Saudi) have been common targets of cyber-attacks over the last few years. Attacks against financial institutions and state-owned companies have been especially common and well-publicised.
However, the frequency of attacks across all types of businesses in the Middle East has been a specific trend of note over the last 12 months.
The last year saw a significant increase in the frequency and variety of cyber-attacks against companies in the Middle East. Companies across sectors were affected, including professional services firms, shipping/logistics firms, retail companies, financial institutions and private healthcare groups. Both locally-owned and international businesses operating in the Middle East were targeted – threat actor motivations ranged from causing operational disruption to financial gain to the extraction of sensitive data (including personal data as well as commercial information and intellectual property).
In this piece, we discuss a specific threat for companies in the Middle East which has developed significantly over the last 12-18 months: Ransomware.
In line with global trends, ransomware has become a frequent method of attack against Middle Eastern companies. From our experience, the threat actors are usually operating from outside this region, and businesses in the Middle East are now increasingly the subject of ransom demands.
We have seen a range of ransomware being operated and there are a growing number of highly-skilled threat actors operating in this space.
Ransomware uses encryption to block access to a system or files until a ransom payment in cryptocurrency is made. The threat actors tend to select their victims carefully, and the most common method of infiltration into a business is a spear-phishing attack.
Once the victim’s systems have been accessed, ransomware such as Ryuk proceeds to encrypt systems or files. From our experience, Ryuk attacks are planned over a period of time and specifically targeted so that the data affected causes maximum disruption to the business.
As well as dropping ransomware onto the target, the threat actors’ usual modus operandi is now to exfiltrate personal and commercial data.
The exfiltration and leaking of this data is often of significant concern to clients given the privacy, commercial and liability risks that can result. Within Middle Eastern businesses we have seen, for example, the selective exfiltration of data and encryption of files containing personal details, such as the company’s HR records, or in some cases the encryption of commercially sensitive files only, such as details of suppliers or customers. Additionally, companies have found that the threat actors have encrypted specific sections of their systems so that their operations are paralysed and the widest possible disruption is caused.
Once the attackers have encrypted their selected files, a ransom demand is made with payment deadlines typically in the region of 21-30 days. This ransom demand most usually now demands a payment in cryptocurrency in exchange for (i) a decryption key and (ii) a promise not to leak the data that has been exfiltrated.
Even if a business can survive the disruption caused by encryption, for example, by resorting to existing back-ups, it is the theft and potential disclosure / misuse of commercial and personal data that often causes the most concern to businesses. The need to minimise dissemination of that data can lead to businesses having to consider carefully whether they should pay the ransom demand.
Middle Eastern companies that are the victim of cyber-crime are increasingly having to seek advice on whether they can legitimately pay a ransom demand, or whether such a payment would breach laws that prohibit the furthering of crime or terrorist financing, or breach sanctions regulations.
Middle Eastern companies are also having to take urgent advice and steps on managing the commercial and personal risks that arise from the exfiltration of personal and commercial data.
Developing legislation and regulation in the Middle East
Over the last couple of years, several Middle Eastern countries have introduced new cyber and data privacy laws. We touch on some of these developments below:
Within the onshore UAE regime, whilst there is no federal data privacy law at present (a new draft federal law is currently being considered), there are several UAE laws that enshrine the right to privacy and impose offences on those who breach privacy/confidentiality.
In the commercial context, company management in the UAE (mirroring legislation across this region) can be held liable for mismanagement. Mismanagement is a wider term and a claim for “mismanagement” could be made if a data breach occurred because the company did not have adequate systems and safeguards in place. Similarly, company management failing to deal with a data breach or cyber incident promptly and properly could result in a claim for mismanagement by affected data subjects.
In 2020 we have seen data breach incidents in this region leading to notice of claims by affected data subjects. We see this area of legal and regulatory risk developing for companies across this region, including in the UAE.
In 2020, the DIFC introduced a new data protection law (DIFC Law No 5 of 2020) with compulsory notification requirements in the event of a personal data breach. In 2020, the financial services regulator in the DIFC (the DFSA) produced a thematic review paper on cyber risk. Data privacy should therefore be a particular focus of DIFC companies, including those regulated by the DFSA. Since the paper produced by the DFSA and the introduction of the DIFC data protection law, there have been significant data breach incidents suffered by DIFC companies.
From our experience, it has been important for these companies to maintain timely and transparent communication with the data protection commissioner and the regulators, to avoid the risk of criticism and future legal or regulatory liability.
Other Middle Eastern countries
There are broad generic laws and legal principles that are relevant across the region. For example, the right to privacy is enshrined in most regional constitutions, as well as in Penal Codes, and can be relied on in the event of a data breach, even where no specific data privacy legislation exists.
We look below however at some other specific laws and regulations that have recently come into force in the region.
In Bahrain, a new data protection law came into force in August 2019. In line with recent and developing global laws, businesses in Bahrain now have stringent conditions upon them to take measures to protect data.
In Oman, in 2020, a new decree was passed to establish a cyber-defence centre with the aim of building up national capabilities connected with cyber security.
In Saudi Arabia, there are laws in existence on the regulation of commercial data with specific regulations connected with data privacy. An E-Commerce law passed in 2019 deals with the protection of consumer data and applies to online service providers, including those who may be based outside of Saudi Arabia but who are offering goods or services to consumers in Saudi Arabia.
Saudi Arabia already has in place specific regulations dealing with healthcare and telecoms data.
Finally, in Egypt, 2020 saw the passing of a national data protection law, which came into force in October 2020. Some of its key provisions are that it applies specific principles and conditions to the processing of personal data. Data subjects are also provided under the law with a number of rights. Importantly, the law requires Controllers and Processors of data to notify a data breach within 72 hours of becoming aware of the breach. The law sets out sanctions, including criminal fines in the event of a breach of the law’s provisions.
The Middle East region is keen to champion the use of emerging technology and to be at the forefront of the world’s digital transformation in the coming years. With that vision, the protection of data and the advancement of cyber security is a clear necessity to build consumer and investor confidence in this region.
We expect to see more legislation being adopted across this region which mirrors stringent laws, such as the EU data protection regulation legislation (the GDPR) which came into force in 2018. We also expect to see the region’s regulators focused on data protection and the measures that companies take in safeguarding data.
We envisage that there will be an increase in liabilities being imposed on businesses in this region, either by data protection regulators or data subjects, following cyber events that lead to an impact on personal or sensitive data. That liability trend is well underway in other jurisdictions such as in Europe and the US.
With the increase in cyber threats in this region, as well as the region’s developing cyber and data protection legislation and regulations, Middle Eastern companies need to stay alert to their legal and regulatory obligations and responsibilities.