Repelling the web pirates

In the second part of a special series on technology in the legal sector, Leo Long looks at how governments across Asia are updating cybersecurity and data protection laws in anticipation of the next cyber-attack. Law firms pose a preferred target for the confidential information they hold

While the world was still reeling from the WannaCry ransomware back in May, a newer, nastier and more intelligent virus called Petya broke the following month. Within the Asia Pacific region, the virus did the most amount of damage in India as per cybersecurity provider Symantec.

This pair proved calamitous for many businesses and individuals, but more than that, the events hit home on the need for urgency in both regulation and adequate security of digital information, and nowhere is that more pertinent than with sensitive information banked at law firms and company legal departments.

While the cyber community is still trying to work out where the two attacks came from, for many, once abstract concepts of data protection and cybersecurity are quickly gaining traction. Security firm McAfee in its 2018 Threats Predictions Report warned that cyber-attacks and data breaches are expected to become more disruptive as hackers develop new variations of “cyber-crime business models”.

“[The attacks] add another element of urgency that calls for especially large organizations to beef up their cyber intrusion detection and mitigation strategy – one of the major selling points of the China Cybersecurity Law,” Stephen Yu, a director at AlixPartners in Hong Kong, said recently.

Regarding internal risk management, how businesses can handle personal data without breaches is a challenge. Incidents of data theft around Asia are numerous. A report by security firm ThreatMetrix, which provides online authentication services, found 11.8% of e-commerce transactions in the Asia-Pacific involved fraudulent login attempts, as cyber-criminals leverage patched-together stolen identities to carry out attacks on digital transactions.

Law firms are among the prominent potential targets “because of the confidential and privileged data that they hold, especially relating to M&A activity”, says Paul Jackson, the Asia-Pacific leader of cybersecurity and investigations at Kroll, a global provider of risk solutions.

The international Association of Corporate Counsel in March published data security guidelines for in-house counsel, which among other things set out in-house expectations of external lawyers that have access to sensitive company data.

Improving landscape

New rules and regulations on cybersecurity are expected to have a significant impact on businesses wanting to insure themselves against risks involved with the internet of things (IoT), big data and mobile payments.

For example, Japanese companies are showing great interest in the potential uses of big data and artificial intelligence (AI) in their businesses, according to Christopher Hunt, a Tokyo-based partner of Herbert Smith Freehills. “Japanese companies are increasingly taking an interest in how to insure against cyber risks as their understanding and awareness of the potential exposures grows,” says Hunt.

Jackson adds that, “APAC entities are generally – although not always – lagging behind when it comes to their cybersecurity posture and levels of spending to address this issue, but things are changing as stronger legal and regulatory frameworks are rapidly being implemented across the region, coupled with a greater understanding at a leadership level of the business impacts of data breaches.”

The resolution to change can be seen as notable campaigns are launched by governments, such as Singapore’s Smart Nation initiative, India’s Digital India, and Australia’s Cyber Security Strategy.