Hitting the moving target: cyber, data privacy and artificial intelligence (AI) compliance and governance

Friday 14 April 2023

Session Co-Chairs

Jan Willem Hoevers, De Brauw Blackstone Westbroek, Amsterdam

Francisco (Chico) Antunes Maciel Müssnich, BMA Advogados, Rio de Janeiro

Panellists

Adam Cottini, CrowdStrike, New York

Andrea Marçon Bocabello, Grupo Fleury, São Paulo

Kurtis Minder, GroupSense, Virginia

Reporter

Arthur Davis

Addisons, Sydney

arthur.davis@addisons.com

Monday 31 October 2022

Introduction

Cybersecurity, data privacy and artificial intelligence (AI) issues are endemic. Almost daily, the press reports on the hacking by yet another ransomware attack of an institution that holds significant amounts of sensitive personal data. Apart from those that are reported, incidents are frequent and the regulatory response is evolving rapidly. 
Some immediate questions are:

  • How should businesses operating across borders track developments?
  • What is the organisational and compliance standard that stakeholders expect?  
  • Is compliance with specific legal obligations sufficient to avoid reputational harm and, if not, how should it be dealt with?

This panel of industry leaders reviewed and discussed practical insights on how global organisations should structure their governance programmes in order to:

  • ensure legal compliance;
  • deal with incidents; and
  • incorporate operational governance and compliance systems directed towards reducing reputational risk.

A stellar panel assembled by the hard-working session chairs resulted in a lively session. The weather outside was warm and sultry. Correction, it was hot, very hot; in fact, it was boiling. The temperature in the street was in direct contrast to the coolness of the panel.

As Brutus rightly said in Shakespeare’s Julius Caesar:

‘There is a tide in the affairs of men.
Which, taken at the flood, leads on to fortune;
Omitted, all the voyage of their life
Is bound in shallows and in miseries.
On such a full sea are we now afloat,
And we must take the current when it serves,
Or lose our ventures.’

The consensus among the panel was that we are currently experiencing the fourth industrial revolution. Broadly speaking, there is significant technological innovation in:

  • physical (eg, autonomous vehicles, robotics, 3D printing, new materials);
  • biological (eg, genomic diagnostics, treatment, engineering); and
  • digital, blockchain, disruptive business models.

AI is becoming more useful as a result of the combination of high computational power analysing vast amounts of data. However, this creates significant business risks as there are greater opportunities for criminals and competitors to access the data held by the organisation.

Preparing for an attack

The huge impact of a ransomware attack was discussed. The damage suffered can include:

  • reputational and brand damage;
  • a loss or diversion of financial resources. In extreme cases where accounts are frozen, questions include how employees and suppliers are to be paid; and
  • the effect on institutional morale and the diversion of internal resources away from more productive uses.

One of the issues discussed was how a breach should be disclosed to the market? For listed groups, there will be a clear obligation to disclose price sensitive information and to consider trading halts. For businesses with lower levels of reporting obligations, the disclosure process will depend on how they interact with the hacker. It is critical to have a response plan in place prior to such an incident happening. 

Before an attack occurs, it is prudent for a company’s response plan to deal with such things as:

  • the availability of cyber insurance in all the relevant jurisdictions;
  • a response plan that includes what is permitted by law in each jurisdiction, for example, is payment of a ransom illegal in a certain jurisdiction;
  • details on who is responsible for coordinating the business response and who should be part of the response team;
  • whether legal experts should be engaged early to ensure, as far as practicable, that legal professional privilege is maintained regarding any correspondence; and
  • in what circumstances law enforcement agencies should be engaged.

The panel explained that it is now critical to understand the motive of the hacker, as well as who is behind the attack and why. For example, are state-backed actors involved looking to disrupt operations or are criminal syndicates trying to extort money? In the case of criminal syndicates, it was observed that their organisations are typically structured like a business enterprise with targets, budgets etc. The use of experienced consultants (such as the panellists) can help an organisation understand the motivation for an attack and the appropriate response.

An appropriate response to a cyberattack will include consideration of such things as:

  • should anything be paid to a hacker, and if so, how much;
  • if the actors are known, have they been involved in similar attacks in the past;
  • should negotiators be engaged that have experience in dealing with ransom demands; and
  • what regulatory and other responses are required under the relevant data privacy legislation.

Conclusion

The panel believes that the law is ultimately a social science, which involves the interaction of people with all their foibles and differences. Ultimately, it is important to have appropriate response plans in place long before an incident occurs.  

All in all, it was a well-structured and interesting session!