In today's interconnected world, cyber incident management is a critical concern for professionals across various fields, from Legal and Compliance to Crisis Management and Incident Response.
Our "Cyber and Legal Talks" webinar series brought together experts from these fields across different regions to discuss the ever-evolving landscape of cyber threats, regulatory requirements, and best practices for successfully managing cyber incidents.
This article will summarize key takeaways from a series of insightful discussions over the last 12 months, focused on the butterfly effect of SEC Breach Disclosure rules, with leading legal experts from Hong Kong, Madrid, Amsterdam, London, and Chicago. Their combined regional knowledge has been translated into actionable advice to help organizations effectively prepare for incidents and integrate legal and cyber strategies to avoid costly fines, loss of operations, and reputational damage.
NCC Group is proud to have collaborated with K&L Gates, Pérez-Llorca, Kennedy Van der Laan, RPC Legal, and Norton Rose Fulbright to bring these webinars to you.
The butterfly effect of breach disclosures
One of the most recent significant cyber security incidents was the SolarWinds breach. Hackers inserted malicious code into SolarWinds' Orion software, which was then distributed to thousands of customers, including government agencies and large corporations. This breach exposed sensitive data and highlighted the critical need for stringent regulatory compliance and proactive disclosure practices. The SEC's involvement in this case has set a precedent for how such incidents should be managed and reported, emphasizing transparency and accountability.
Our webinar series kicked off in the APAC region with a discussion of this butterfly effect, where our speakers explored the complexities of regulatory compliance across different jurisdictions, stressing the need for cyber and legal teams to stay ahead of these changes.
Our guest from K&L Gates discussed the specific compliance challenges facing organizations operating across APAC jurisdictions, stressing the need for organizations to stay ahead of these changes.
NCC Group's latest Global Cyber Policy Radar finds that incident reporting requirements have grown considerably in scale and complexity. In response to a perceived underreporting of cyber attacks, governments are implementing new and strengthened incident reporting requirements. While the rationale for these interventions is understandable, the result of these national-level initiatives is a complex web of global incident reporting rules for organizations (of all shapes and sizes) to navigate.
Across these requirements, we see notable differences in which organizations need to make the report, the types of incidents that need to be reported, the body to which the report needs to be made, and the reporting timelines.

"The regulatory landscape is continuously evolving, with increasing pressure on cyber and legal teams to adapt to new requirements. This complexity requires a close collaboration between technical and legal experts to navigate the myriad of regulations and ensure compliance while effectively managing cyber threats."
Global Head of Digital Forensics and Incident Response | NCC Group
Adapting to new trends in cyber security
Cyber threats are evolving faster than regulations, necessitating a shift from mere containment and recovery to comprehensive root cause analysis.
Richard Breavington from RPC provided practical guidance on adapting to changing cyber security trends. He stressed the importance of understanding regulatory thresholds and having a comprehensive playbook prepared in advance. He highlighted the role of contracts in managing third-party disputes and the criticality of privilege in protecting communications during an incident.
Richard's key advice included knowing the reporting requirements and timeframes for different regulators, preparing a detailed incident response plan that integrates legal and technical aspects, ensuring third-party contracts include clear notification and response obligations, and using privilege to safeguard sensitive communications.
"Having a clear and thought-out plan in advance is crucial for making the right decisions at the right time."
Richard Breavington, Partner and Head of Cyber & Tech Insurance | RPC
The complexities of ransomware payments
During our session with Kennedy Van der Laan in the Netherlands, Rosalie Brand highlighted some of the complexities of ransomware payments.
The University of Maastricht faced a ransomware attack that forced them to make a difficult decision: pay the ransom or risk losing critical data. They chose to pay, and fortunately, law enforcement later recovered some of the funds after catching the threat actors.
This example underscores the complexities surrounding ransomware payments, which are set to grow as governments consider banning organizations from making them. It also highlights the importance of having a well-thought-out incident response plan and the role of law enforcement in mitigating the impact of such attacks.
The crackdown on the LockBit ransomware gang provided a temporary respite from the surge in ransomware attacks. However, as cybercriminals regroup and adapt, the threat continues to grow, highlighting the importance of international cooperation in combating cybercrime and the need for continuous vigilance. Organizations must stay updated on the latest threat intelligence and ensure their cyber security measures are robust and adaptable.
"It's not a clear answer whether you should pay a ransom or not; you need to consider all aspects. Sometimes you don't have a choice, especially if lives are at risk or business continuity is severely impacted."
Rosalie Brand, Partner, Privacy and Head of Cyber | Kennedy Van der Laan
Webinar global poll highlight:
If you experienced a ransomware attack on your environment, would you pay, and are you allowed to?
- Majority against paying: Across all regions, most respondents indicated they would not pay ransomware demands.
- Policy restrictions: A significant portion of respondents indicated that their policies prohibit paying ransomware.
- Uncertainty: A notable percentage of respondents were unsure whether they would pay, highlighting the need for clearer policies and guidelines.
Legal-proofing cyber programs
Raúl Rubio from Pérez-Llorca highlighted the challenges of managing internal threats and balancing transparency with liability risks. Effective internal threat management programs are crucial, but they must be designed to comply with data protection regulations to avoid excessive monitoring that could lead to legal repercussions.
The use of advanced technologies by cybercriminals necessitates equally advanced detection and prevention measures. For example, Business Email Compromise (BEC) is becoming more sophisticated, with attackers increasingly using AI-generated emails to deceive employees into changing bank account details or transferring funds.
These incidents are not only financially damaging but also pose significant reputational risks.
To save time in the event of a breach, Raúl recommended pre-selecting forensic and legal partners. This proactive approach ensures that companies can quickly mobilize the necessary expertise when a cyber incident occurs, thereby minimizing response times and improving the overall effectiveness of the incident management process.
"Legal-proofing cyber programs involves more than just privilege; it requires a comprehensive understanding of cyber security."
Raúl Rubio, Partner | Pérez-Llorca
Forensic preparedness and incident response
Our session with Norton Rose Fulbright in the US underscored the critical role of forensic preparedness in incident response. As cyber threats evolve at an unprecedented pace, the ability to effectively remediate and execute timely responses becomes paramount. The discoverability of incident data should drive robust remediation planning, ensuring that organizations are prepared to act swiftly and decisively.
Digital forensics readiness is essential across all organizations; incident data will increasingly be treated as potential digital evidence. Preserving the chain of custody as a standard practice ensures that all evidence is handled with the utmost integrity and reliability.
"To protect Attorney-Client Privilege, organizations must involve legal counsel early, secure communications, and adhere to best practices, while being mindful of jurisdictional differences in privilege application."
Jim Arnold, Senior Counsel | Norton Rose Fulbright
Conclusion
Our "Cyber and Legal Talks" webinar series provided valuable insights into the challenges of cyber breach disclosures impacting organizations around the globe and the importance of integrating legal and cyber strategies. Business leaders must prioritize incident readiness, forensic preparedness, and continuous improvement to effectively manage cyber threats and regulatory disclosure requirements.
NCC Group would like to extend thanks to all our guest speakers from K&L Gates, Pérez-Llorca, Kennedy Van der Laan, RPC Legal and Norton Rose Fulbright for contributing their expertise throughout the series.
Audience feedback:
Throughout the webinar series, audience polls revealed key insights into current Incident Response planning practices and challenges faced by organizations.
A significant percentage (67%) of participants indicated they have incident response plans but have not tested them, highlighting the need for regular exercises and simulations. Meanwhile, half of the respondents indicated they have cyber insurance in place, while 38% remain uncertain about their coverage.
Read our FAQ section below to view responses to commonly asked questions throughout the series.
Enhance your cyber security preparedness with NCC Group
Take a look through our Incident Response planning guide and Incident Readiness services to learn more and ensure your organization is ready to tackle cyber threats.
Cyber and Legal Webinar FAQs
Stakeholders should review the comprehensive plan at least annually, with additional reviews following significant changes in the threat landscape or regulatory requirements.