A cyber incident is a given, a cyber crisis isn’t. The Cyber Security Coalition enjoys a broad diversity in its membership. International law firm Allen & Overy offers extensive insights into cyber security, as it sits at the crossroads of many areas of expertise and operates in over 30 countries around the world. Based in Allen & Overy’s Brussels office, Thomas Declerck deals with both the preventive and incident response aspects of cyber security, with a specific focus on investigating and litigating cybercrime.
Cyber has never been more in the news than it is today. What specific trends and challenges do you see in your practice at Allen & Overy?
With fast-evolving technologies and ever more sophisticated cybercrimes, accelerated by new attack surfaces created by the COVID-19 pandemic, cybercriminals are now running and optimizing their outfits as a business in every sense of the word. Examples abound, as voice deepfakes are used to instigate fraudulent fund transfers, or ‘double dip’ ransomware attacks both encrypt and steal information, with the threat of data leaks in case of non-payment. Look at DarkSide, the alleged perpetrator of the Colonial Pipeline ransomware attack, which was concerned about PR and sent out a press release to say that “they’re only after the money”, not the accompanying hassle. Also expect the continued spread of state-sponsored hacking and espionage, opening up backdoors that are exploited by criminals, as in the recent MS Exchange and SolarWinds attacks.
Still, no matter how sophisticated the technology, the principal challenge in cybersecurity remains the human factor. It is about awareness, with the right people following the right procedures, and instilling the right culture in a company. You cannot just buy security – much more than being about IT, cybersecurity is about a culture of prevention and being prepared for the right response when hit by an incident. That is what makes a company ‘cyber hygienic’ and hopefully also cyber secure.
Luckily, as I see it, much progress has been made, with companies accepting there is no ‘zero risk’ and it is all about maximally mitigating risk, not unlike risks of power outages, natural disasters, etc. Clearly, a cyber incident is a given, a cyber crisis isn’t.
How do you see the cybersecurity challenge for Allen & Overy itself?
Cybersecurity should now be a board-level priority for every business, and that includes law firms. And ultimately, what needs to happen is adopting a risk-based approach, where you identify and adopt those measures necessary to mitigate the specific risks you are exposed to.
As a law firm, Allen & Overy is above all a people business, with our people as guardians of sensitive client data. So we focus on instilling awareness and culture, putting the right policies, procedures and training in place. Again, that goes beyond just IT security and is about ensuring the right behaviour, e.g. regarding phishing, but also providing organizational security and ‘role-based’, ‘need-to-know’ access to information.
As a member of the Coalition, which particular insights and competencies do you bring to the community?
As lawyers, we focus on regulation and legal risks, which continue to evolve in ever more cross-border and cross-sectoral ways. That is a complex, constantly evolving and challenging legal field to operate in.
Often, cyber security goes beyond just regulations. Where we come in as advisors, we are sitting at a crossroads of many competencies, where regulations, finance, PR and HR aspects meet in the minefield of incident response. That is where we see the do’s and don’ts; get to know what measures work and what measures do not; and understand where the risks and pitfalls are.
As an example, we saw that the majority of cyber scams involve money wired to a Hong Kong bank account. So, in cooperation with our Hong Kong office, we created a free web-based tool, guiding victims of cyber scams through the first hours of an incident to automatically generate documents for the Hong Kong police and banks to block accounts, and hopefully prevent the money from disappearing.
What do you see as the main cyber security challenges in the years to come?
Huge technological advances and increased regulatory pressure will challenge companies to live up to their ‘duty of cyber care’, which requires them – from a legal perspective – to act in a cyber responsible manner, as securely as possible. Companies must understand that cyber incidents cast a wide net, and that one incident creates a ‘ripple effect’ affecting many more parties beyond just the initial incident victim. Looking for the culprit is one thing; avoiding becoming an offender that causes damages and losses down the chain is another! This ripple effect can result in very real financial and legal risks, due to damages suffered by other parties, severe loss of reputation and customer goodwill, and the risk of regulatory action and penalties.
In the coming months, it will be particularly interesting to see what stance regulators will take towards the ransomware threat: to pay or not to pay? Insurance companies are increasingly starting to question the costs involved, and more and more policymakers are advocating making these payments illegal. Whoever pays would become a criminal themselves! Add the dilemma around encryption, which is both a necessity and a challenge for cybersecurity, and the mind-boggling challenges posed by the Internet of Things, and we know that interesting times are ahead.