Lawyers lead ‘war game’ drills to prepare clients for cyber attacks
Lawyer James North regularly stages “war game” simulation exercises with clients to test how they would deal with a cyber attack. In the past year, he has gone from doing these exercises typically once a month to almost weekly.
North, who is head of technology, media and telecoms at Australian law firm Corrs Chambers Westgarth, says cyber security has now become a top priority for many companies along with environmental, social and governance matters. “There have been a lot of really significant attacks recently,” he warns. “Preparedness is patchy across the economy.”
Cyber attacks are also growing in complexity. An annual report from the Australian Cyber Security Centre, a government agency, said in November that the country was being exposed to increasingly sophisticated threats and it had received more than 76,000 reports of cyber crime between June 2021 and July 2022 — a 13 per cent increase on the previous year.
Cyber attacks, such as the one that targeted Singapore-owned telecoms company Optus last September and exposed the personal data of millions of customers in Australia, have prompted the Australian government to introduce tougher measures, such as increasing the maximum penalties for serious breaches.
At the same time, public and private organisations are ramping up their own responses and turning to law firms to navigate the fast-evolving regulatory landscape.
Corrs Chambers Westgarth’s cyber service uses a multidisciplinary team that includes IT investigators, lawyers and crisis specialists to manage the legal, regulatory and communications fallout of a cyber attack.
North and his colleagues help clients “war game” their responses to possible cyber attacks using “table-top exercises” — looking at how a realistic scenario might play out.
“A table-top exercise might last two or three hours with a situation designed to represent two to three weeks in the aftermath of an attack,” he says. Clients taking part are typically given a new set of facts each hour — representing different days after the attack — and must consider issues such as what directors need to do to discharge their fiduciary and reporting duties, or whether a ransom should legally be paid to any cyber attackers.
North says a broad-based corporate response to any cyber attack is vital, rather than just leaving any response solely to the IT team.
“Where it’s given over to the IT team, they may not understand broader implications,” he explains. “They might wipe a server that is compromised, so you might deal with a virus but might also wipe all the access logs, which tells what data has been extracted and you might need this to meet regulatory objectives.”
Concerns over cyber attacks and data breaches are becoming more widely held across Asia-Pacific territories. In a report looking at the state of incident response to cyber attacks in the region, published by Kroll, the corporate intelligence group, in October 2022, data loss emerged as the main worry for 70 per cent of business executives questioned.
The report found businesses in the region “are feeling the impact of cyber attacks, but many are yet to build out appropriate response plans or have regular access to relevant cyber expertise”.
Vietnam is in the process of drawing up new data protection legislation while, in Thailand, the Personal Data Protection Act was passed in 2019 and came into force last year, with some in the country expecting regulators to take an increasingly tough line on non-compliance.
The new Thai legislation requires any service that monitors the behaviour of residents to have a local data privacy representative in the country. This has provided an opportunity for south-east Asian law firm Tilleke & Gibbins, which has set up a digital solutions service in Thailand to serve as the local representative for its existing clients, which include Meta Platforms, the owner of Facebook.
Nop Chitranukroh, Thailand-based partner and director of the corporate and commercial department at Tilleke & Gibbins, says the service was designed to help existing clients such as Meta by saving them from having to set up their own representative in Thailand: “We try to help existing clients who we know are compliant and become the local representative for them.”
She believes regulators are taking a tougher line as the legislation beds down. “Last year, when the law was implemented, the regulator’s approach was more educational,” she says. “This year, I would expect the regulator to start imposing fines. They are starting to enforce more strictly.”
GDPR, Europe’s data protection legislation, has been adopted as a global standard by many companies. Chitranukroh says clients with global operations that had already adopted GDPR found it easier to comply with the new regulations: “There were a lot of things [they] needed to go through if they did not have [it].”
In India, a new digital personal data protection bill is in the process of being introduced — six years after a seminal ruling by India’s supreme court in 2017, which upheld that privacy is a fundamental right, in a ruling on the government’s digital ID system. The latest bill follows earlier drafts that were criticised for giving government agencies too much scope to access personal data without users’ consent.
Once the legislation is passed, it is likely that public and private sector bodies will have a transition period of as long as one to two years to comply with the new rules.
Law firm Khaitan & Co was called upon to attend the first consultation that India’s ministry of electronics and information technology held to give feedback on the draft bill.
Supratim Chakraborty, partner at Khaitan & Co, says companies familiar with GDPR are likely to be better prepared for the new legislation. “Lots of firms have interaction with Europe and are more aware of data protection. But some players may sit on the fence and see how it plays out,” he says.
However, as regulators and governments across the Asia-Pacific region are stepping up their game, so are the cyber attackers.
“Companies need to do more even if they are sophisticated — it only takes one person in an organisation to make a mistake and click on a link in an email linked to malware,” says Corrs Chambers Westgarth’s North.