Strategies that make the most of technology bring significant efficiencies and growth opportunities, but also a range of risks.
Our global cyber security team has an unrivalled breadth and depth of expertise and includes specialists from our data privacy, financial services regulatory, corporate crime & investigations, insurance and employment practices, amongst others.
As a global full service firm, we are able to advise on cyber security issues wherever they may arise, and simultaneously across multiple jurisdictions where an incident requires it.
Our team advises across the full cyber security lifecycle, including before-the-event cyber risk management, incident response and non-contentious transactional and project work.
Our practice covers three main areas:
Before-the-event cyber risk management and advisory
Understanding, planning for and mitigating cyber risk is crucial to reduce the impact of any future cyber security incident, as well as to reduce the risk and consequences of regulatory enforcement.
We assist clients in such areas as drafting policies and procedures, contractual review, data protection compliance and policies, regulatory compliance, procurement (such as contractor vetting and contractual protections), data retention and insurance.
Incident response
Depending upon the nature of an incident and your requirements, we can manage incident response for you, or advise on discrete elements as required. We often act as primary point of contact, investigating and coordinating the response in conjunction with internal or third party technical incident response teams.
A number of our lawyers have technical backgrounds and so are able to understand the technical causes and implications of cyber issues. As such, we can work quickly and effectively with other advisers and stakeholders as required.
We can advise on and manage regulatory notifications and reporting (internationally where necessary), liaising with data protection authorities and with law enforcement as appropriate, as well as managing communications with affected third parties and the media. Our top tier dispute resolution practice is well placed to handle any ensuing litigation. Please see our cyber security hotline page for more information.
Transactional and project work
Cyber security issues also permeate many other fields of legal advice. We frequently advise on cyber security issues as part of, for example, transactional work, joint ventures, projects work and outsourcing.
This includes, for example, ensuring cyber security is adequately addressed as part of due diligence and contractual negotiations in a corporate transaction and, in relation to projects, ensuring that the contractual framework put in place reinforces security by design and engenders the right behaviours amongst the various contractors.
Many of the incidents we have advised on have involved supply chain issues, for example where third party providers have been compromised. We leverage this experience also to advise before-the-event on appropriate contractual provisions to reduce and manage risk.
“Very good at advising on the cutting-edge developments in this area”
Data Protection and Cyber security
A global financial services company
We are appointed as the sole APAC and EMEA cyber security counsel to a global financial services company to assist in managing cyber security risks and incidents across 26 countries, and as preferred cyber security legal counsel to an energy multinational, advising globally.
A global company
We acted for a global company in relation to incident response following the inadvertent disclosure of the entirety of its global HR database to an unrelated third party by one of its cloud service providers. The incident affected employees in multiple jurisdictions across Australasia, Europe and the Americas. Herbert Smith Freehills London coordinated the global response (engaging local counsel where required).
A global investment bank
We are advising a global investment bank in relation to a cyber security incident which saw US$40 million taken from a number of accounts, including reporting to and subsequent liaison with the relevant regulators, and on litigation by the account holders seeking to recover their losses from the bank.
We advised Telstra in relation to a state-sponsored advanced persistent threat (APT) cyber security event which was detected during its acquisition of data centre and subsea cable capacity provider Pacnet, and resulted in customer data being exfiltrated. This included advising on data protection compliance issues and how to deal with the liability for the incident in the context of the corporate transaction.
A rail company
We advised a rail company in relation to the cyber security aspects of the procurement and roll-out of a digital train control and signalling system.
A Russian subsidiary of Kerama Marazzi
We advised a Russian subsidiary of Kerama Marazzi on various issues arising in connection with system failure caused by NotPetya, including issues on force majeure, notifications to counterparties, whether the client could continue retail trading with inoperable cash registers, and liaison with law enforcement.