The role of a lawyer when a cyber-attack strikes
From 2019 to 2023, ransomware attackers across the globe received $3.775 billion in payments.
With each passing day, the spotlight on cyber security grows brighter. In Australia, we’re currently facing unprecedented challenges to both fortify business defences against potential cyber-attacks and navigate the intricate web of legislative requirements governing data protection.
The risks posed by cyber breaches have driven company board directors and senior government executives to play a more active role in their cyber preparedness strategies. With boards and C-suite decision makers now facing personal liability, there is an increasing need for these leaders to understand the strategies being implemented to prevent and contain cyber-attacks. Organisations need to ensure that their senior leadership and boards are actively engaged on these issues: receiving regular briefings, reviewing risk assessments, participating in incident response testing, and driving continuous improvement across the organisation.
Given the legal implications of major cyber breaches, several of which have been high-profile incidents in Australia in recent years, law firms are increasingly extending their service offerings to include cyber capabilities.
Traditionally, businesses would instruct their in-house legal team, or an external law firm, only once they had fallen victim to an attack. However, given the growing threat landscape, anticipated reform and new legislation in the cyber space, and the potential for company directors to face personal liability, businesses are realising that they have new and very specific cyber security legal obligations that need to be addressed well before any attack occurs.
Bringing legal support to the table early acknowledges that responsibility for cyber security should no longer be sidelined to the IT department, CISO or third-party technology vendor. Instead, a holistic, cross-organisational approach to prevention, preparation and response is now not only expected but essential. This commands attention, comprehensive understanding and decisions from the top.
Prevention, preparation and compliance
Addressing cyber-attacks and serious data breaches is a team effort. To be well prepared against attacks, and to be able to demonstrate afterwards that their prevention measures were adequately funded, tested and implemented, organisations require the support of legal counsel, alongside the Risk Officer and the CISO (or equivalent cyber security leader), as part of their prevention and preparedness activities.
Legal counsel play a critical role in ensuring that their organisation or client understands the relevant (and ever-changing) regulations, understands the risk profile of the organisation's data holdings, and has embedded cyber security controls in all outsourcing and supply arrangements.
In the event of a cyber incident, the role of legal counsel also includes participating in the coordination of a forensic technology investigation and establishing legal professional privilege over it where appropriate, advising on regulatory obligations, and advising on steps to mitigate the reputational impact of the incident. All of these are shared responsibilities that require a legal lens and technical legal knowledge to get right.
This requires an understanding of data protection laws, breach notification requirements, industry regulations and contractual obligations to ensure an organisation remains compliant and avoids potential legal repercussions.
For lawyers to be effective in supporting a cyber incident response, they need to gain as broad an understanding as possible of the types of incidents that can affect their organisation's operations or business, and to be able to communicate clearly what needs to be done from a legal perspective.
Compliance alone does not make an organisation secure. Organisations facing a cyber threat or incident need to make risk-based judgements on a range of related issues with legal and reputational implications. These require input beyond an IT risk lens, so lawyers must ensure they have a seat at the table.
Open communication with all parties
In many jurisdictions, organisations are required to report data breaches to regulatory authorities (in Australia, the OAIC) and to affected individuals within a specific timeframe. In-house lawyers typically serve as the primary point of contact for regulatory agencies, liaising with the relevant authorities and ensuring timely and accurate reporting of the breach.
Maintaining open lines of communication with regulators, and demonstrating proactive compliance efforts, can help mitigate the risk of regulatory penalties and reputational damage, the latter of which can have far-reaching implications for an organisation's brand equity.
Lawyers should also play an important role in advising on public statements, responses to media inquiries, and engagement with stakeholders. The aim is to strike the right balance between transparency, including communicating the organisation's commitment to addressing the breach and safeguarding sensitive information, and managing the organisation's legal exposure.
Guiding organisations through the storm
When an organisation has recovered from a cyber-attack, a lessons-learned evaluation should take place to ensure that the necessary uplifts are undertaken and that the risk of recurrence is mitigated. Based on the events that occurred, both hard and soft controls should be evaluated, together with the reactions of the organisation and of the third parties involved.
To ensure that the lessons learned are followed up, a post-incident assessment or legal review can be conducted with all stakeholders who were involved during the incident, to gather feedback and share experiences.
The ability of a business to manage and deal with cyber challenges pivots on the advice they receive encompassing all aspects of a cyber risk or incident, which includes legal elements. As the trusted guardians of legal integrity, lawyers are indispensable to orchestrating a coordinated response that safeguards organisational interest, mitigates legal and regulatory risks, and preserves the organisation's reputation.