Cyber issues are constantly moving up the agenda as technology becomes almost ubiquitous. Matters of cyber risk and cyber security now influence decision-making across government, business and society.
There is an ever-present and sometimes unknowable threat posed by hackers, spyware and ransomware, which makes governments and businesses more cautious about who they work with. It can feel like the bad actors hold all the power, as their weapons evolve quickly, their attacks can go unnoticed and paying a ransom sometimes seems more palatable than losing sensitive data that could be used to devastating effect.
Cyber risk is affecting the legal profession and will continue to do so. Rebecca Cousin, Co-Head of the Data Privacy practice and Head of the Equity Capital Markets practice at Slaughter and May, says cyber issues come through in every facet of the work the firm does. She says, ‘it’s really important to always have that cyber risk backdrop to decisions that are being made’.
In the practice area of M&A, cyber risk is rising up the due diligence agenda. Companies are increasingly aware of the potential consequences of data loss or a denial-of-service attack, in relation to both finances and reputation. Tougher data regulation, such as the EU’s General Data Protection Regulation (GDPR) and more active data regulators, are also a factor. In addition, the public is more aware of how its data is used and stored.
Simon Toms, an M&A and corporate governance partner at Skadden in London, argues that cyber risk due diligence is now relevant to all companies, not just those that are data-heavy, or operate in data-heavy industries. ‘It’s not just a data protection issue on its own’, he says, ‘it’s about business resilience to external challenges or threats’.
A common feature of cyber due diligence is working with IT specialists to take a holistic approach. This could mean working with external IT experts or the IT departments of the companies involved in the deal. ‘As lawyers there’s only so much we can do’, says Cousin, ‘because it’s not really the legal answers that you’re after, what you need [is] your own IT people [to] understand it’.
Cousin says lawyers are trying to determine how much additional work will be sufficient when it comes to cyber due diligence. Often the amount you can do is limited depending on the type of transaction, or the type of company involved. Despite that, she says, ‘we’re definitely seeing companies doing more and more [depending on] what is feasible in the particular circumstances’.
The main questions that M&A lawyers seek to address during cyber due diligence relate to where and how data is stored: for example, which jurisdictions the data centres are in and whether data is held in the cloud. Legal questions flow from there, such as whether there have been any cyber-related problems and what the liability would be if an incident occurred. It is also important to assess how aware employees are of cyber security, for example by checking whether they have received any training, since a cyber breach is often caused by human error.
‘What is important is if [the target company] at least share if there’s been any past incident’, says Anurag Bana, Senior Project Lawyer in the IBA Legal Policy & Research Unit, ‘because that can make [the buyer] aware of what could have happened and what could happen in the future, when they are evaluating the digital assets of the company’.
It's possible that an acquiring company will identify cyber-related issues at the target company and still proceed with the acquisition. In that event it will probably consider remedial measures it can take post-acquisition, for example improving the level of compliance or the cyber security measures in place. It could be a case of bringing the newly bought company in line with the overall group’s cyber standards. ‘You definitely see lots of companies have [cyber] on their integration plan as a top item to improve and enhance once they’ve gone through an acquisition’, says Toms.
Cousin argues that lawyers need to think more about what happens if the target company experiences a cyber attack in the time between exchange and completion. She says there are usually provisions put in place relating to what needs to be done or reported during this timeframe and it’s worth including a provision covering a cyber attack on the target as part of this exercise. ‘As a buyer, you want to know about it’, she says. ‘Potentially there is a big liability and a big problem in the business that you are now contractually committed to buy. It’s important as lawyers that we make sure the commercial teams understand that there is a risk there.’
Sajai Singh, Chair of the IBA Technology Committee and Co-Chair of the Corporate Practice of JSA Advocates & Solicitors in India, describes a feeling of never being completely sure that cyber due diligence has mitigated every possible cyber risk. According to Cousin, ‘you can’t eradicate [cyber] as a risk in any situation and you can’t eradicate it as a risk in M&A; it will always be there’. She believes the emphasis should be on trying to mitigate the known risks so that an attack will need to be more sophisticated in order to have an impact. Singh says this sense of uncertainty in cyber due diligence is leading to greater demand for representations and warranties insurance, which in turn creates larger premiums and adds to the overall cost of a deal.
Regulators are beginning to take cyber due diligence more seriously. Bana argues that even non-specialist regulators will eventually look to develop strict guidelines on cyber security. ‘It will only get more structured from a regulatory perspective’, he says, ‘because there is a regulatory attention that [cyber] will command’.
National security is of particular concern for both governments and regulators. As the use of technology becomes integral to the way governments and businesses operate, so too is there growing concern over who has access to, and control of, that technology. This could be viewed as part of a broader inward-looking trend as countries aim to become more self-sufficient.
Singh says, ‘access to sensitive technology with applications in core sectors like banking, finance and defence by a foreign company with indirect government ownership could essentially lead to a foreign government accessing technology used to uphold the pillars of [a country’s] economy’.
In July, former Chief Executive of the UK’s National Cyber Security Centre, Ciaran Martin, argued that the sale of Welsh microchip manufacturer Newport Wafer Fab to Nexperia, a wholly owned subsidiary of Chinese company Wingtech, was a greater threat to British interests than the proposed involvement of Huawei in the country’s 5G network.
Marlene Schreiber, Secretary-Treasurer of the IBA Technology Law Committee and specialist IT partner at Härting in Germany, argues that ‘China is a big threat when it comes to cyber security. China is accused [of hacking] into Western companies to manifest influence, power and economic advantages. Experts call the threat of China a low-level cyber war’.
Newport Wafer Fab, now Nexperia Newport, manufactures semiconductor wafers, which are at the heart of the technology that underpins modern life, such as smartphones and data centres. The company was sold to Nexperia against the backdrop of a global shortage of computer chips, which led many to question why the UK would sell its largest manufacturer of semiconductors. In addition, in a UK parliamentary debate on the sale, Chair of the Foreign Affairs Select Committee Tom Tugendhat outlined Newport Wafer Fab’s role as a key partner in the development of ‘RF MMIC high-frequency GaN designs for defence 5G radar systems […] if that does not put Newport Wafer Fab into the national security bracket, I do not know what does’.
Singh argues, ‘from the angle of cyber security, this is a legitimate concern since a takeover of the nature of Newport Wafer Fab will essentially mean that a foreign company could access technology which is going to be actively deployed in a country’s defence system’. UK Prime Minister Boris Johnson has since asked his national security adviser to review the acquisition.
There have been moves in several jurisdictions to extend the scope of national security regimes to give governments more power to review deals on these grounds. In the UK, the National Security and Investment Act 2021 received Royal Assent in April 2021 and came into force on 4 January 2022. It outlines 17 sectors that will fall under its remit, such as advanced materials, which includes semiconductors, computing hardware and data infrastructure. It also expands the types of deals that can be covered by national security reviews. The UK Government has the power to call in deals for review that took place after the original Bill was published in November 2020, which would include the Newport Wafer Fab deal. An acquisition of more than 25 per cent of shares or voting rights in a qualifying entity will trigger a mandatory notification under the Act. Non-compliance carries the risk of fines and criminal liability, as well as the potential for the deal in question to fall through.
In the US, the Committee on Foreign Investment in the United States (CFIUS) is an interagency committee authorised to review certain transactions that involve foreign investment in the US to determine their impact on national security. The Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA) broadens the authority of CFIUS to review and address any national security concerns that arise from certain non-controlling investments and real estate transactions involving foreign persons. The regulations that implement these changes became effective on 13 February 2020.
The text of FIRRMA notes, ‘the national security landscape has shifted in recent years, and so has the nature of the investments that pose the greatest potential risk to national security’. It goes on to state that CFIUS may consider, among other factors, ‘whether a covered transaction is likely to have the effect of exacerbating or creating new cybersecurity vulnerabilities in the United States or is likely to result in a foreign government gaining a significant new capability to engage in malicious cyber-enabled activities against the United States’.
Reputation management is a significant area of concern when it comes to cyber security and mitigating cyber risk. The legal profession has experienced reputational damage as a consequence of high-profile leaks from law firms – for example, the Panama Papers, which were leaked by an anonymous source from Panamanian law firm Mossack Fonseca in 2016. The Panama Papers showed how some structures, such as shell companies set up by the firm, had been used in activities like money laundering and tax evasion. Ramón Fonseca, at the time a partner in the firm, said the leak was the result of a hack from servers based abroad. The firm has since closed.
The Paradise Papers were leaked in 2017 from organisations including the law firm Appleby. Coverage of the papers claimed they exposed the secret workings of the offshore world, with many findings centred on the practice of tax avoidance. In its response, Appleby highlighted that, ‘the journalists do not allege, nor could they, that Appleby has done anything unlawful. There is no wrongdoing’. It also pointed out that ‘our firm was not the subject of a leak but of a serious criminal act. This was an illegal computer hack’.
Most recently in October 2021, the Pandora Papers – a leak of 2.94 terabytes of data coming from 14 offshore providers in a range of locations – have provoked further scrutiny of the practice of tax avoidance.
Leaks such as these have demonstrated to law firms the serious nature of a cyber security breach. They have shown how hackers can undermine the contract of trust between lawyer and client that is fundamental to the profession by gaining access to confidential information and making it publicly available. This is damaging for the profession because if clients begin to worry that their legal advisers cannot guarantee confidentiality, they may be less willing to share all the facts of a case, which would in turn undermine a lawyer’s ability to do their job.
‘If a client thinks that what it says to a lawyer can be made public it’s not going to be as open or full with its lawyer as it might otherwise be’, argues Richard Harrison, member of the IBA Regulation of Lawyers' Compliance Committee Advisory Board and Head of the Lawyers’ Professional Liability Sub-Group at Clyde & Co, London.
The Panama, Paradise and Pandora Papers leaks have received particular attention because of the information they contain. In addition to breaking lawyer-client confidentiality, these leaks have been damaging because they have given the authorities ammunition to use in their attempts to break down legal professional privilege. Jonathan Goldsmith, Chair of the IBA BIC International Trade in Legal Services Committee and a Consultant in European and International Legal Services argues, ‘the consequence of the leak is not that the client loses trust in the lawyer but that the state and state authorities lose trust in lawyer-client confidentiality because they think that lawyers are hiding dubious activity behind confidentiality’.
Following the publication of the Pandora Papers there have been renewed efforts to address the role of lawyers and others who can act as a go-between in the movement of money across borders. For example, in the US the proposed Establishing New Authorities for Businesses Laundering and Enabling Risks to Security Act, or ENABLERS Act, would ‘amend the Bank Secrecy Act to expand the scope and authorities of anti-money laundering safeguards under such Act’. The Act would subject, among others, ‘an attorney, law firm, or notary involved in financial activity or related administrative activity on behalf of another person’ to US anti-money laundering requirements. The US Department of the Treasury would be required to create new due diligence rules for lawyers and other service providers named in the proposed Act.
It's noteworthy that the practice of tax avoidance, which is legal, has been heavily scrutinised in the coverage of these high-profile leaks and has been given perhaps the same level of attention as criminal activity, such as tax evasion and money laundering. This reflects a broader shift in public mood, which increasingly judges actions in terms of whether they are morally right as well as whether they are legal. The threat of a cyber attack that exposes legal action or advice deemed not to be in the public interest will no doubt be in the minds of lawyers as they try to balance the interests of their client with the interests of the public in what is a rapidly evolving and nuanced landscape.
Goldsmith adds, ‘lawyers really need to think about how to balance the client’s interests with the public interest’.
Harrison describes how the Solicitors Regulation Authority (SRA) in England and Wales requires lawyers to act with integrity, which is hard to define but which he believes could increasingly include building moral factors into legal advice. Indeed, the SRA states, ‘should the Principles come into conflict, those which safeguard the wider public interest […] take precedence over an individual client's interests’.
These high-profile leaks are not the only ones experienced by law firms. Schreiber maintains, ‘we believe that it is not a question of if a law firm will be the target of an attack, but rather when and which effects that could have for the business’.
Fundamentally the legal profession must do everything it can to secure confidentiality between lawyer and client. It’s critical that law firm leaders assess their cyber risks and have the right systems and procedures in place to mitigate them. They must understand the nature of the latest threats and be prepared to constantly review their cyber strategy to address them.
Harrison argues, ‘it’s really important now that the role of the cybersecurity team is given proper authority and is taken very seriously by law firms’.
Bana is keen to point out that law firm leaders should not be tempted to pay a ransom to retain client confidentiality. He says that doing so sets a precedent for others to follow that complicates the question of how to respond to a breach.
Law firms should not be a weak link in their clients’ cyber defences. According to Schreiber, law firms are ‘often considered as an easy target as it seems easier to enter the IT-system of the relatively smaller law firm than of a large company’.
It’s also important for firms to understand their part in a supply chain of service providers and make enquiries about the cyber security measures in place at organisations they partner with.
Cousin contends that law firms should work together to test each other’s cyber security systems so they can ensure they are doing the best they can to protect their clients’ data. ‘We are exposing our clients’ data by working with someone else and therefore it’s really important that all of us, as a group, maintain the appropriate standards because one weak link in the chain can be the undoing of a number of us’, she says.
Rachael Johnson is a freelance journalist and can be contacted at email@example.com