Search for:

Cybersecurity from compliance to crisis – With the ever-increasing threat of ransomware and other cybercrime, we offer a bird’s eye view of cybersecurity strategy focused on addressing risks, keeping up with regulatory and compliance issues, and managing a cyber crisis.

In our Deciphering Data Webinar Series, we provide a global perspective of what’s keeping executives awake at night with the world’s threat actors becoming seemingly more sophisticated every day, and give practical guidance on how to address these risks and concerns and prepare companies for challenges ahead.

We share key takeaways from the Not ‘If’ But ‘When’: Global Cybersecurity Update that we believe you will find useful. Note that the webinar was held in two time zones but the content and discussions in both sessions are aligned. Click here to view the recordings.

Key takeaways:

  • Cyber threat landscape: There has been a shift from theft and fraud to ransomware attacks recently. While many people think of these issues as information security issues, many of the most common attack vectors—such as compromised credentials, phishing and cloud misconfigurations—come down to mistakes made by individuals within the organization. A great deal of blurriness and uncertainty has arisen regarding the threat actors, and it has become increasingly difficult to differentiate financially motivated attackers from hacktivist or nation state actors.
  • Increasing risk due to more sophisticated attackers, COVID-19 and digital transformation: The amounts defrauded have increased substantially with the growing sophistication of threat actors. Higher risks are also compounded by COVID-19 as increased remote working raises vulnerability for attacks. Digital transformation further raises the risk for cyberattacks as the increase in the leveraging of data increases the “attack surface area” for attackers.
  • Cybersecurity affects all elements of an organization, not just the IT department: The increase in cybersecurity incidents globally highlights a continuing problem of inadequate internal controls, not only from a technical standpoint but also a people standpoint. Lack of data loss prevention tools or unstructured datasets as well as a lack of effective training across departments can greatly increase a company’s cybersecurity risk. Effective, regular and up-to-date training (for both users and IT team) is essential not only for prevention but also for the response to a cyberattack. Companies should develop cross-functional incident response plans and conduct regular tabletop exercises to plan and prepare for such attacks, as well as mitigate financial risks by taking out cyber insurance policies.
  • Preparation is key: Companies should have appropriate security measures and a cross-functional data security incident response plan in place, and take steps to ensure an attack is minimally disruptive and to mitigate risks of future attacks. These steps include segregation of back-up systems and creation of a business continuity plan as well as the engagement of response providers to create a “break-glass” solution. Companies should also consider the key decision points during pre-attack preparation, such as PR considerations and its overall position on paying ransoms, regulatory considerations, operational considerations, such as insurance requirements and who and how to engage with attackers, as well as the law enforcement notification strategy.
  • Be aware of regulatory requirements when responding to cybersecurity incidents: Companies should keep in mind the legal and regulatory requirements when adopting security measures, developing their cybersecurity policy and responding to cyberattacks. When conducting investigations, regulators will most likely consider these matters. For instance, when determining whether to pay a ransom, companies must carry out due diligence to ensure that the threat actor is not a sanctioned party. Companies should also work with legal counsel to correspond with law enforcement and regulatory bodies such as data protection authorities and cybersecurity agencies, and be aware of their information sharing and the cybersecurity statutes which may result in these communications being utilized in subsequent litigation and/or potential information leakage. Companies may need to meet obligations to notify regulators, enforcement authorities, customers and individuals and there are often timing requirements associated with these, which vary by jurisdiction and type of company affected. Acting in a coordinated way is critical in these circumstances.

The conversation continues

Regional sessions focused on Latin America, North America and Asia Pacific to be announced soon. To receive further details, register your interest here.

Author

Adrian Lawrence is the head of the Firm's Asia Pacific Technology, Media & Telecommunications Group. He is a partner in the Sydney office of Baker McKenzie where he advises on media, intellectual property and information technology, providing advice in relation to major issues relating to the online and offline media interests. He is recognised as a leading Australian media and telecommunications lawyer.

Author

Francesca Gaudino is a member of Baker McKenzie’s Information Technology & Communications Group in Milan. She focuses on data protection and security, advising particularly on legal issues that arise in the use of cutting edge technology. She has been recognized in Chambers Europe’s individual lawyer rankings from 2011 to 2014. Ms. Gaudino is a regular contributor on international publications such as World Data Protection ReviewDataGuidance, and others. She routinely holds lectures on data privacy and security at post-graduate courses of SDA – Manager Direction School of the Milan Bocconi University and Almaweb – University of Bologna. She regularly speaks at national and international conferences and workshops on the same topics.

Author

Paul is head of cybersecurity in the UK and a key member of our wider data protection team. For 15 years, Paul has guided clients through all types of major data security incidents as well as complex technology and data disputes. Paul pioneered an award-winning data breach and dark web scanning tool which was the first product of its kind in the legal market.

Author

Stephen Reynolds is a member of Baker McKenzie’s North America Intellectual Property & Technology Practice, which provides clients with a full suite of data privacy and cyber services. He frequently advises clients on complex matters involving data privacy and security laws and serves on the board of directors of the International Association of Privacy Professionals (IAPP). Stephen’s expertise adds value to organizations by mitigating cyber threats through proactive preventative measures and navigating complex litigation on behalf of clients in data privacy and security. As a former computer programmer and IT analyst, Stephen is uniquely able to and routinely uses his computer background in cases involving data privacy and security, electronic discovery, social media discovery, and computer forensics. Stephen has given several presentations on data privacy and security, electronic discovery and social media discovery, and is a Certified Information Privacy Professional (CIPP/US). In addition to being a Certified Information Systems Security Professional (CISSP), Stephen teaches CISSP classes as a Direct Instructor with the (ISC)2. Additionally, Stephen teaches a course on Data Security and Privacy Law at Indiana University Robert H. McKinney School of Law.

Author

Michael Egan is a partner at Baker & McKenzie´s Washington D.C. Office. He advises clients across various industries on global privacy and information management, data security and information technology matters. He formerly practiced in the Firm’s Compliance and Investigations group, assisting companies in multi-jurisdictional internal investigations and compliance matters, primarily related to anti-bribery and anti-money laundering compliance, and representing companies before government authorities on compliance matters.

Author

Martín Roth is a partner in the M&A, Real Estate and TMT practice groups in Baker McKenzie's Buenos Aires office. Martín has more than 13 years of extensive transactional domestic and international experience, focusing on the real estate and TMT industries. Prior to joining Baker McKenzie, he worked as a trainee lawyer on the Corporate, Banking/Finance and Litigation areas with a local law firm in Argentina. From 2007 to 2012, he worked in Baker McKenzie's Buenos Aires office. From 2013 to 2016, he worked as an independent attorney at another law firm. Martín rejoined the Buenos Aires office in 2016 and was named partner in July 2019.

Author

Gillian Lam is an associate in Baker McKenzie Hong Kong office.

Write A Comment