10 June 2026 | Sports insights | Comment | Article by Tracey Singlehurst-Ward

Cyber risk in sport: practical steps for clubs, governing bodies and sports organisations


Article by Tracey Singlehurst-Ward, Partner in Dispute Resolution and James Harris, Associate in our Dispute Resolution team.

Whilst in the past cyber attacks might have been considered by governing bodies, clubs, rights holders and event organisers to be rare occurrences, bringing to mind ticketing scams or isolated data breaches, that is no longer the case. The very real, ongoing and evolving threat from cyber attacks must now be treated as a top risk management priority by all of these bodies and their stakeholders. A single serious incident can give rise to significant potential liabilities (regulatory and civil claim related) and, at the same time, affect ticketing, matchday operations, athlete and member welfare, commercial partnerships and regulatory compliance.

Cyber risk is no longer a theoretical concern. It is becoming an increasingly significant operational, regulatory and governance challenge. While football has attracted considerable attention in this area, the issues are by no means confined to one sport.

The scale of the issue across all sport is significant. The UK sport industry contributes an estimated £37 billion to the UK economy, making it an increasingly attractive target for cyber criminals. Research by the National Cyber Security Centre found that 70% of sports organisations surveyed had identified at least one cyber security incident or vulnerability, more than double the rate reported across UK businesses generally.

For many organisations, the issue is not simply the risk of a cyber attack itself. It is the volume, sensitivity and complexity of the data now held across the modern sports ecosystem.

Why sport is particularly exposed

Professional clubs and governing bodies now hold extensive volumes of personal data, sensitive personal data and commercially sensitive information across multiple systems and platforms.

This can include (amongst other things):

  • participant/member medical and performance data;
  • fan and ticketing data;
  • safeguarding and disability information;
  • financial and payment information;
  • biometric and tracking data; and
  • commercial partnership and sponsorship information.

Much of this may constitute special category data under UK GDPR, creating additional regulatory and reputational exposure if compromised.

At the same time, many organisations operate across interconnected systems involving third-party providers, analytics platforms, wearable technology, CRM systems and outsourced suppliers. Each additional provider potentially creates another entry point into the organisation’s wider infrastructure.

A ransomware attack during a transfer window, major tournament or live event could now affect not only internal systems, but commercial operations, fan engagement, safeguarding obligations and reputational trust simultaneously.

The issue is therefore not simply about whether an organisation can prevent a cyber incident. Increasingly, it is whether the organisation can demonstrate that it took reasonable and proportionate steps to manage cyber risk in the first place.

The governance gap

Cyber risk is still too often treated as a purely technical issue by sports organisations. In our experience, that approach creates the conditions for a resilience plan to fail, and so for cyber attacks to succeed.

In practical terms, cyber risk should not sit solely with the IT team. Boards and senior management should be asking whether the organisation knows what data it holds, where that data sits, who has access to it, which suppliers process it, and what would happen if systems were unavailable on a match day or during a major event.

In practice, many cyber incidents stem from relatively ordinary operational failures and lack of proper resilience planning and testing rather than sophisticated attacks. Common vulnerabilities we have seen include:

  • human error;
  • inadequate staff training;
  • poor internal protocols;
  • lack of segmentation between data stores; and
  • failure to regularly review and update controls.

These are not purely technical failings. They are governance and risk management issues.

That distinction matters because regulatory scrutiny increasingly focuses not only on the incident itself, but also on the organisation’s preparation, oversight and decision-making before the breach occurred. So too do some civil claims, particularly where a large scale data breach may be involved and vicarious liability may be in issue.

Boards and senior leadership teams are increasingly expected to understand cyber exposure in the same way they would financial, regulatory or safeguarding risk.

Supplier relationships and data ownership

Questions of data ownership have long been an important feature of commercial relationships. However, as sports organisations continue to adopt new technologies and enter into increasingly complex data-sharing arrangements, issues around ownership, control and responsibility have become even more important. There is a growing area of exposure for sports organisations created by the increasing number of third-party providers involved in the management of data. It seems to be the commercialisation of data, and the pressure to diversify income, find savings and keep up with the digital world, that has driven the growth in opportunity for hackers, alongside the growth in the sporting economy itself. With one comes the other.

As clubs and governing bodies continue to commercialise fan engagement and performance analysis, questions around data ownership and control are becoming more important.

For example:

  • who owns the data during the relationship;
  • who can access or use it;
  • what happens to the data when agreements end;
  • whether data must be returned, retained or deleted; and
  • who carries responsibility if systems are compromised.

If these issues have slipped lower down the priority list over time, now is certainly the time to bring them back to the top. Underestimating the importance of proper drafting and planning on these points during the contracting process can lead to very significant problems in the event of an attack. When that happens, those provisions may quickly become central to disputes around liability, responsibility and regulatory exposure.

Similarly, organisations are increasingly expected to carry out meaningful due diligence on suppliers and document the reasoning behind their data governance decisions. Data Protection Impact Assessments (DPIAs) should therefore be viewed as part of a wider risk management exercise rather than a compliance afterthought.

For sports organisations, the practical starting point is to understand what data they hold, where it is stored, who has access to it, and which third-party suppliers are involved in processing it. Contracts with suppliers should be reviewed carefully to ensure they deal properly with data ownership, security standards, breach reporting, liability and what happens to data when the relationship ends. Where new technology is being introduced, such as wearable devices, analytics platforms or fan engagement tools, DPIAs should be considered at an early stage rather than treated as a box-ticking exercise.

Preparation matters as much as prevention

The aim of effective cyber resilience planning is, of course, to reduce the likelihood of an incident occurring. However, cyber threats continue to evolve and even well-prepared organisations can find themselves on the receiving end of a malicious attack. If that happens, the first 24 hours following a cyber attack are often critical. Organisations need to quickly establish:

  • whether attackers still have system access;
  • what data has been compromised;
  • whether special category data is involved;
  • who is coordinating the response;
  • what third parties might be needed for support and who should be liaising with them;
  • what channels of communication should and should not be used, internally and externally, and how might that affect risk later down the line (for example legal privilege); and
  • what regulatory obligations may arise.

Without a clear response structure, organisations can quickly lose control of communications, decision-making and evidence gathering.

Practically, organisations should also agree well in advance who will keep the central record during an incident. That person or team should record what has happened, what decisions have been made, who made them and why. This can be important later if the incident leads to regulatory questions, complaints or disputes.

Testing incident response plans in advance is critical. Many organisations now have cyber response plans on paper. Far fewer have properly tested whether those plans would work under real operational pressure. Policies and road maps setting out what to do are only effective if those required to react at high speed and under pressure already know them. Even what may seem a simple decision, such as who should be ‘in the room’ immediately as decision makers when such an incident occurs, can, if not mapped properly in advance, lead to poor crisis management and a consequential escalation of liability risk later.

Key takeaways for sports organisations

Cyber risk is not just something for the IT team to worry about. For clubs, governing bodies, event organisers and rights holders, a cyber incident can quickly become a much wider problem, disrupting fixtures or events, exposing sensitive data, affecting fans and commercial partners, and creating legal or regulatory issues.

In practice, resilience planning should be high on the agenda from the very top, at both executive and non-executive level, and should be put together and prioritised with input from those with the right organisational, governance, technical and legal knowledge. Audits of resilience and response plans are one effective way to ensure this stays at the right level on the agenda. The aim is not just to prevent an attack. It is to be able to respond quickly, protect sensitive data, manage communications and evidence the decisions taken.

The organisations best placed to manage cyber risk are not necessarily those with the most advanced technology. They are often those that know what data they hold, understand their supplier relationships, test their response plans and ensure cyber resilience remains a governance priority.

Author bio

Tracey Singlehurst-Ward

Partner
Tracey Singlehurst-Ward is a Partner in the firm and sits within the dispute resolution team. Tracey practises in general commercial and company disputes, and complements her strong core practice with specialist expertise in intellectual property, sports law, information law and privacy and media.

Disclaimer: The information on the Hugh James website is for general information only and reflects the position at the date of publication. It does not constitute legal advice and should not be treated as such. If you would like to ensure the commentary reflects current legislation, case law or best practice, please contact the blog author.
