Published: 20.5.2025
Last Updated: May 21, 2025

Cyber Attacks: A Global Rising Threat


A Local and International Perspective

This publication investigates various cases of cyber-attacks locally, in the UK and internationally, and their effects. It also investigates the key legal issues arising out of cyber-attack cases.


Copyright © 2025 Chetcuti Cauchi. This document is for informational purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking any action based on the contents of this document. Chetcuti Cauchi disclaims any liability for actions taken based on the information provided. Reproduction of reasonable portions of the content is permitted for non-commercial purposes, provided proper attribution is given and the content is not altered or presented in a false light.


Despite companies' best efforts, the frequency and sophistication of cyber-attacks are increasing. According to Microsoft's global head of security in a recent interview with Sky News, "Cybercrime is costing the world $9.2 trillion." In the event of cyber-attacks, both the impacted organizations and their clients endure substantial consequences.

Local Cyber-Incidents

The most recent reported cyber incident in the local scene occurred just before the Easter period. On the 18th of April 2025, Saint James Hospital experienced a cyber-attack. The hospital confirmed that containment protocols were implemented, and all systems were physically secluded from external networks to prevent access. An investigation with the local law enforcement authorities was also conducted.

In recent years, financial institutions such as Bank of Valletta plc and APS Bank plc have experienced cybersecurity breaches, resulting in allegations of unauthorized transactions. Consequently, several cases were brought before the Arbiter for Financial Services, who has consistently awarded compensation for the losses incurred. Due to the volume of cases, the Arbiter established a model to allocate responsibility between consumers and financial institutions, thereby determining the extent of losses each party would bear.

The Arbiter’s model adheres to the Second Payment Services Directive (‘PSD2’), which stipulates that consumers are liable for unauthorized payment transactions only if it is proven that they acted with gross negligence. In the absence of evidence of gross negligence, financial institutions are required to refund the full amount of the transaction. When the distinction between ordinary and gross negligence is ambiguous, as observed in most cases brought before the Arbiter, liability is determined based on the specific circumstances of each case.

UK Cyber-Incidents

Over the Easter weekend, the second busiest holiday period in the UK after Christmas, Marks and Spencer (‘M&S’) reported a cyber-incident on the social media platform ‘X’ (formerly known as Twitter). Due to the incident, M&S had to take several services offline as a precaution, including the ‘Click and Collect’ service. Additionally, customers had to pay either in cash or by chip-and-pin when paying by card, as contactless payment services were not operational because of the cyber-incident.

Within the same week, Co-Op Group also suffered an attack, which resulted in a leak of information of its current and past members, including personal data. Most recently, Harrods, a well-known UK luxury department store, reported that following an unauthorized attempt to access its systems, the company had “restricted internet access” to its sites. All incidents were reported to the UK’s National Cyber Security Centre.

These were not the first major cyber-incidents in the UK over the past few months. In January and February, Barclays Bank and Lloyds Bank experienced significant IT issues and outages on critical payroll days for many businesses. These incidents led to substantial disruptions for their clients and could potentially result in compensation payments amounting to millions of pounds.

Due to the abovementioned attacks, and cybersecurity attacks on other UK companies, the British government is warning companies to treat cybersecurity as an “absolute priority”.

Legal Ramifications

As cybersecurity grows crucial for businesses, understanding its legal implications is vital to protect assets and reputations.

Liability

When a breach occurs, determining who is at fault and who should bear the financial burden can become a complex and contentious issue. Companies may face multiple forms of liability, including:

  • Direct Liability: This occurs when a company is directly responsible for failing to implement adequate cybersecurity measures, leading to a breach. In such cases, the company may be held liable for damages resulting from the incident.
  • Indirect Liability: Even if a breach is caused by a third-party vendor or contractor, the primary company can still be held liable for not ensuring that their partners had sufficient cybersecurity protocols in place.
  • Vicarious Liability: This type of liability arises when employees act negligently or maliciously, causing a breach. The company can be held responsible for the actions of its employees if it is shown that the company did not provide adequate training or oversight.
  • Regulatory Fines: Companies may face fines from regulatory bodies if they are found to be in violation of data protection laws and regulations. These fines can be substantial and are designed to enforce compliance with legal standards.

Addressing liability involves not only mitigating the immediate impacts of a breach but also implementing robust cybersecurity policies and practices to prevent future incidents. Companies must engage in continuous risk assessment, employee training, and the regular updating of security protocols to reduce their exposure to potential liabilities. In Malta, the cases brought before the Arbiter against financial institutions following cybersecurity breaches illustrate the allocation of responsibility between consumers and financial institutions.

Regulatory Compliance

Regulatory compliance is essential for cybersecurity, requiring adherence to laws and standards that protect personal data. In Malta, businesses must follow the Data Protection Act and the EU’s GDPR. Companies must implement comprehensive cybersecurity measures, including regular audits, transparent data practices, and secure handling of personal information.

Non-compliance can lead to severe penalties, such as fines and reputational damage. For example, following a data breach of the NHS IT systems in 2022, Advanced Computer Software Group was fined £3m by the UK ICO for lacking multi-factor authentication and suitable security measures.

Regulatory compliance also includes incident response protocols. Organizations must report data breaches to authorities within specified timeframes, inform affected individuals, and take immediate steps to mitigate the impact. Implementing robust policies for incident management is crucial to demonstrate compliance and protect stakeholders.

Companies operating internationally must navigate varying cybersecurity standards across jurisdictions, requiring a holistic approach to compliance. Regulatory compliance fosters trust by protecting customer data responsibly, requiring ongoing vigilance and adaptation to new threats.

Consumer Protection

Consumer protection in cybersecurity is crucial. It involves safeguarding consumers' personal and financial information from cyber threats through advanced encryption, regular security audits, and continuous monitoring. Companies must educate customers on safe online practices, such as recognizing phishing attempts, using strong passwords, and enabling two-factor authentication.

In case of a breach, swift action is essential, including notifying affected consumers, mitigating further damage, and offering support. This approach minimizes the impact of cyber-attacks and builds consumer trust. Legislation like the revised Payment Services Directive outlines the responsibilities and liabilities of financial institutions in the EU. Prioritizing consumer protection enhances credibility and fosters a safer digital environment.

How we can help

Our cybersecurity legal and technical expertise allows us to help private individuals, family offices and businesses prevent cybersecurity breaches and act fast and effectively in remediating, asset tracing and recovery, prosecution and litigation when cybersecurity breaches do happen. Our cybersecurity reach is truly international through our partnership with cybersecurity law firms around the globe.
