Lawyers take frontline role in business response to cyber attacks
Last month, tens of thousands of employees at some of Britain’s largest companies learned that their personal data had been compromised by a Russian-speaking criminal gang, in the latest instance of a large-scale cyber hack.
That announcement followed a warning from software giant Microsoft in May that a state-sponsored Chinese hacking group had compromised “critical” infrastructure in the US — targeting organisations spanning communications, manufacturing, utility and construction.
And the frantic work required to respond to these incidents is falling to armies of lawyers, who increasingly find themselves in the vanguard of a battle against corporate blackmail and personal data theft.
“If you look at any survey of general counsel (or, indeed, you ask one), cyber security will always be one of the issues that keeps them awake at night,” says Lawson Caisley, chair of the cyber risk committee at law firm White & Case.
“A big cyber incident is a corporate nightmare because of all the horrible bits it encompasses. [The company has] potential massive liability, immediate adverse PR, assuming that you have to declare it . . . regulatory scrutiny, a potentially falling share price, the need for immediate legal action . . . So it’s one of those things that really crosses all disciplines.”
Cyber security risk has shot to the top of general counsels’ agendas as the sophistication and frequency of attacks have grown. According to security company Sophos’s State of Ransomware 2023 report, 44 per cent of UK businesses surveyed said they had been hit with ransomware in the past year. Of those affected, 33 per cent said their data was encrypted and stolen, and a further 6 per cent said that their data was not encrypted but they experienced extortion.
Cyber security company CrowdStrike says there has been a “significant increase in the number of adversaries conducting data theft and extortion campaigns”. The risk is “no longer that of a singular cyber event but, instead, a cyber campaign, whereby a victim can face repeated harm”.
Drew Bagley, vice-president and counsel of privacy and cyber policy at CrowdStrike, says criminals no longer need advanced technical skills, either, as they are able to “buy access to victims and the sophisticated tools to breach them from dark web marketplaces”.
Cyber hacking is big business — according to Sophos, the average ransom payment almost doubled from $812,380 in 2022 to $1.5mn in 2023. And, according to the lawyers combating it, the sector operates as a well-oiled ecosystem. “[The] bad actors are criminals, but criminals with a business model,” explains Eduardo Ustaran, who helps companies deal with cyber attacks in his role as global co-head of the privacy and cyber security practice at law firm Hogan Lovells.
“They’re saying, ‘we have your data and, if you want to get it, this is how much it will cost’. There are companies who we work with whose job is to negotiate a discount on the ransom and a purely financial negotiation goes on.”
Once a price has been agreed, companies engage in a process to retrieve their data, and will even pay more in some cases — for example, if the hackers agree to return the data to where they found it.
“The way these gangs operate, it’s a business model, so it becomes very transactional,” says Caisley. “One of the questions I’ve seen create the most heated discussions around board tables is: should you pay the ransom? You often get people splitting along ideological lines . . . And there is no right answer.”
A report from the UK’s National Cyber Security Centre on risks to the legal sector said it was “increasingly seeing ‘hackers-for-hire’, who earn money through commissions to carry out malicious cyber activities for third-party clients — often involving the theft of information to gain the upper hand in business dealings or legal disputes”.
“If [your systems] are broken into, it’s very emotional,” says Ustaran. But there are a number of “work streams” that kick in straight away: “First, you need to stop whatever is happening . . . It’s like a wound: you need to stop the bleeding. Then, you need to investigate what has actually happened, so you can understand the implications. Then, you need to restore the systems.”
Lawyers say cyber security work is akin to crisis management, with in-house lawyers coordinating forensic investigators, PR professionals and external lawyers to tackle a hack.
The same is true of private practice. “A lot of this is what I would call crisis management,” says Ustaran. “There’s a big component in this where it’s all about reassuring the client, and helping them to make the right business decisions that have nothing to do with having a static law and applying the law.”
Caisley says in-house lawyers “have a key role around the boardroom table when dealing with a breach” — including war-gaming and discussing cases in which a company will pay a ransom.
The advent of General Data Protection Regulation (GDPR) legislation in Europe — which demands that businesses hit by a data breach notify a regulator, the individuals whose data was stolen, or both, depending on certain factors — has led to far greater exposure of cyber incidents. Previously, companies could have tried to deal with them privately.
Companies may soon be forced to make even more detailed disclosures. In the US, the Securities and Exchange Commission is introducing rules that require companies to outline their preparedness for cyber attacks and disclose any incidents.
Caisley says: “I wouldn’t be surprised if we were to see a similar move in other countries . . . Like most regulators around the world, the SEC has been banging the drum that this is a boardroom issue, not just an IT issue.”