Staff with weak login credentials are often a vulnerable point in cyber defences © Getty Images

When fraudsters stole $25mn from a UK engineering company in Hong Kong using a digitally cloned ‘deepfake’ of a senior manager to order financial transfers on a video call, the scam underlined the growing sophistication of cyber attacks.

Cyber crime is one of the top three issues that keep chief legal officers awake at night, with 37 per cent of them identifying it as their biggest concern, according to a survey of 669 participants in 31 countries by the Association of Corporate Counsel, a global bar association. 

Regulators are concerned that companies are not doing enough to protect themselves. In July, the European Central Bank urged lenders to be better prepared for a cyber attack after its debut cyber stress test found “room for improvement”. Lloyd’s of London, the insurance market, recently warned that a cyber attack on the global payments system could cost the world economy $3.5tn. 

For companies, the stakes are getting higher. The proportion of attacks in financial services that now use ransomware — in which cyber criminals lock a victim’s data or computer system and release it only if a ransom is paid — rose from 55 per cent in 2022 to 64 per cent in 2023, according to a report by cyber security company Sophos. Hackers have attacked high-profile organisations, such as the Royal Mail and the British Library in the UK and the New York arm of the Industrial and Commercial Bank of China.

Chief legal officers are finding themselves in the vanguard of protecting companies against such cyber threats. Many businesses regularly stage war-gaming exercises to prepare for a potential attack, with in-house lawyers playing a critical role.

A cyber attack on the British Library in 2023 raised concerns about the vulnerability of public sector IT infrastructure © Getty Images

“War-gaming possible cyber hacking scenarios is an important part of how in-house counsel respond to threats,” says David Dunn, senior managing director and head of Emea cyber security at advisory business FTI Consulting.

In the event of a cyber attack, legal counsel have certain obligations, such as informing regulators within a specific timeframe. If it is a ransomware attack, they will be heavily involved in deciding whether or not to pay the ransom. However, such a scenario should already have been considered during war gaming. 

“In-house counsel needs to be part of ransomware decision-making in playbook scenarios well before an incident happens,” says Dunn. “There can also be a sanctions risk. If a company decides to pay ransom to an entity and they are linked to a sanctioned company or individual, then there is a risk of breaching sanctions by making the payment.”

In addition to scenario planning, legal teams are involved in educating staff, who are often seen as the weak link in cyber attacks. Last year, the ransomware attack on MGM Resorts International, one of the world’s biggest casino operators, was reported to have been made possible by using the stolen but weak log-in credentials of a mid-level IT engineer.

“We have compulsory cyber training for all staff annually,” reports Kari Hietanen, executive vice-president for corporate relations and legal affairs at Helsinki-listed marine and energy technology group Wartsila. “There has been a growing awareness about cyber threats and preventing things like phishing attempts.”

“The legal and cyber security teams are working together more and more,” he adds.

Third-party suppliers present another risk that legal teams have to consider. Hietanen says Wartsila increasingly sets out contractual requirements for the cyber resilience of third-party supplier products.

Meanwhile, there is an ever more complex array of global regulations and compliance requirements governing cyber security. Cyber attacks usually have to be reported, and regulators such as the UK’s Information Commissioner can impose huge fines if there has been a data breach. Companies could also face litigation from customers whose data may have been stolen.

“In the US, for example, you have a huge risk of post-incident litigation from partners and third parties and customers,” says Dunn. “In the UK and Europe there has been less, but I see one potential trend being more post-incident litigation in Germany and France.”

Often, in-house lawyers must also ensure that a business is compliant with cyber resilience measures governing companies’ products and services. As an example, Hietanen points to new regulations regarding energy and maritime products — such as a requirement aimed at protecting ships’ on-board systems and equipment.

In financial services, companies in Europe are preparing for the Digital Operations Resilience Act (Dora), which will take effect in January 2025. It aims to strengthen resilience and ensure finance operations remain uninterrupted during disruption caused by global IT problems, or a cyber attack. 

Raymond Kleijmeer — a former senior policy officer at the central bank of the Netherlands — is now working on implementing Dora at a large financial institution. He was previously involved in the development of international guidance on cyber resilience for the financial sector. He says Dora requires companies to organise their governance and work according to a three-lines-of-defence model: looking at business; risk management; and auditing.

The role of in-house legal counsel has become more significant because of the need to implement the regulation, says Kleijmeer. “Traditionally, the role was considered [by the business] more of an additional regulatory burden. Now, with Dora, it requires a more active, and even proactive, approach.”

Copyright The Financial Times Limited 2024. All rights reserved.