Governments and companies alike are facing a thrilling yet increasingly daunting cyber world today. Particularly in Asia, businesses are struggling to keep up with the fast-evolving threat of cybercrime. Kanishk Verghese reports

As the world increasingly embraces cutting-edge technology and hastens its expansion into the digital realm, individuals and institutions alike are more exposed than ever to cybersecurity threats. The aftermath of cyber attacks are often messy, and can cause great financial – and arguably more importantly – reputational damage, transforming cybersecurity into a major business risk in 2015. And this is only likely to continue into 2016 and beyond.

“2015 was considered the year of the data breach,” says Nimrod Kozlovski, a partner and cybersecurity specialist at Herzog Fox & Neeman (HFN), a full-service law firm based in Tel Aviv, Israel. “One of the clearest trends is that cybersecurity is no longer the exclusive concern for governments and critical infrastructure organisations, but rather for each and every company that holds personal data of customers or sensitive data of the business. Nowadays, it is possible to penetrate the systems of every company that is connected to the Internet, not only by directly attacking the company, but also through the company’s point-of-sales and third-party vendors,” he adds.

The lion’s share of cybersecurity incidents (about 50 percent) are malicious and criminal attacks, in which an organisation’s customer data is stolen and then sold, says Kozlovski, citing the recent security breaches of Target and Wyndham Hotels where tens of millions of personal and financial information of customers were illegally accessed. “In some cases, the company and its customers were extorted following the cyber attack. Some of these attacks – and this is a growing and very disturbing recent trend – include using ‘ransomware’, which is a type of malware that restricts access to the computer system that it infects until the company pays the attacker the required ransom, usually in digital and anonymous currency,” he says.

THE NEED FOR SPEED

Furthermore, research shows that the average time it takes for an organisation to find out about a cyber breach is almost seven months, and it takes about two and a half additional months until the completion of the response to such event, says Gilad Majerowicz, a technology and intellectual property partner, and co-head of the Asia practice at HFN. This is a worrying statistic as speed is often a pivotal factor in responding effectively to cyber breaches. The challenge is exacerbated by the increasing cross-border nature of cybersecurity incidents, causing further headaches for governments and businesses.

“Most of the cybersecurity work we handle has a cross-border element, especially in cases of extortion or ransomware,” notes Kozlovski. “The attacker knows it is almost impossible to identify them, and even if they could be identified, in many cases they are located in one of the many jurisdictions in which there are no specific cyber-crime laws or cooperation with other governments,” he adds.

“Like many aspects of the information age, the cybersecurity threat does not respect geographic boundaries or country specific legal regimes,” says Scott Thiel, a partner at DLA Piper in Hong Kong. “Typically, our analysis of data flows and storage architecture with our clients’ businesses reveals surprises about the geographic scope of their operations. Understanding this complexity is the first step in starting to mitigate the risks. Informed decisions about rationalisation, localisation and contractual risk transfer can then be taken,” says Thiel.

For his part, Majerowicz says that many cyber experts argue that there is no single technical solution that would prevent the risk, and therefore cybersecurity is becoming more of a legal and corporate governance issue. “We should look at it in the same way as ongoing compliance actions are taken. Proper preparation must include an entire range of compliance actions, which address all applicable aspects that include incident management and response policy, user education, training and awareness, management and policies concerning user privileges, home and mobile working and removable media controls, service providers’ due diligence, malware and breach protection, ongoing monitoring and intelligence, secure configuration and network security policy and cybersecurity insurance,” he says.

LAGGING BEHIND

This is especially important in Asia, where companies are nearly twice as likely to be targeted as companies elsewhere, according to data from a survey by U.S. network security company FireEye in 2014. “It is vital that companies seek to protect themselves, and develop internal processes and protocols to ensure that where possible cybersecurity is secure,” says Thiel.

Meanwhile, several jurisdictions in Asia have made positive strides towards combating cybersecurity threats. In 2015, Indonesia and Singapore each introduced cyber agencies, while Japan enacted the Cyber Security Basic Act. “There are numerous discussions, guidelines, and legislation drafts in many countries around the world, says Ariel Yosefi, head of the adtech and technology compliance practice at HFN. “However, the problem is that no jurisdiction has yet reached a point where it has one exhaustive regulatory framework that addresses all applicable issues,” he says.

“The countries in Asia have different perspectives on cybersecurity, and I believe Asia needs a comprehensive framework, with information sharing and a joint security approach where you can share data and investigate matters. I think that coordinated approach is still missing in Asia,” says Kozlovski.

PARADIGM SHIFT

Kozlovski adds that the need for governments and companies to change their way of tackling cybersecurity issues is due to a paradigm shift resulting from the prevalence in cloud computing and “bring your own device” concepts, as well as the way in which IT systems are now being created and interconnected.

Furthermore, Majerowicz stresses that as the threat, challenges and potential risk varies between organisations, solutions to tackle cybersecurity issues must be tailor made. “It is essential to build a coherent and overall compliance policy, which includes the corporate governance procedures and policies, together with all other technical, security and financial solutions, and assist the company with the ongoing implementation and updating of this compliance cycle,” advises Majerowicz.

The role of the in-house counsel is becoming more important than ever in safeguarding the business, as well as implementing suitable policies and procedures to minimise the legal, economic and reputational risks arising from internal threats. “The internal threats are too easily overlooked. While the foreign malicious hacker easily springs to mind, it can be the rogue or untrained employees who represent a major risk factor,” says DLA Piper’s Thiel. “Another internal challenge our client’s face is identifying appropriate internal ownership of the issue. In our experience, relevant stakeholders need to include risk, legal, compliance, IT, HR and finance all being supported by C-Suite level engagement and investment,” he says.

There is definitely a growing interest among corporate executives in investing in proper training for employees and to examine how to manage and address cybersecurity risks, both internal and external, says Kozlovski. “Until recently, in many cases cybersecurity issues used to be a technical matter handled by the company’s technical team. Now the board of directors and management at large corporates increasingly want to understand this risk, ensure that there is a detailed procedure in place to analyse and mitigate this risk, and make sure that someone is accountable for managing this risk within the organisation.”

An analytical approach

As companies become increasingly embroiled in cross-border commercial disputes, modern technology and analytics are coming to their rescue by helping them resolve disputes in a timely and cost-effective manner, finds Kanishk Verghese

Technology is both the cause of and solution to how we approach today’s disputes and investigations, says Karen Chon, director of business development at FTI Consulting. “We are observing a greater number of corporations replacing corporate IT infrastructure with cloud- based services and we are working with a far more mobile yet connected workforce. It’s very well known that data volumes have been increasing for many years, but the diversity among data formats is also growing rapidly,” says Chon. As a response, technology itself is enabling a deeper understanding of the matter at a much faster rate, which in turn allows organisations to develop better strategies for handling today’s evolving corporate data landscape, she adds.

And this is where analytics technology takes centre stage. While the use of analytics in disputes is by no means a new phenomenon, service providers like FTI Consulting are fashioning cutting-edge solutions that can help mitigate risk, unearth information speedily, and reduce legal costs at the same time. FTI’s two software platforms, Radiance and Ringtail, serve as great examples. “Radiance is a great tool for what we refer to as ‘prediscovery’. If you have massive amounts of data stored across various repositories, from Exchange servers to cloud-based collaboration tools, Radiance can connect with these applications, enrich the data, and provide powerful and dynamic analytics to key in on important data quickly,” says Michael Mo, managing director at FTI Consulting in Hong Kong. “If the investigation progresses to a legal matter that follows the traditional process of review, redaction, coding, productions, and so forth, we offer Ringtail software. Ringtail provides the most comprehensive set of legal review and analytics features so that legal teams can quickly find, review and produce documents for a matter,” adds Mo.

However, some legal technology solutions have led some in the industry to voice concerns over the security of client data and other sensitive information, particularly in relation to cloud-stored data. For his part, Mo says that over the past three years, he has seen the industry grow more accepting of cloud-based technology for legal matters. “Recent and well-publicised data breaches, whether targeting retail companies or government organisations, have taught us that data stored on-premise and behind the firewall is not necessarily safer than data in the cloud. In many cases, the cloud is perhaps more secure because cloud providers are thinking about data security 24/7,” he says. That said, for clients that are worried about data security in the cloud, FTI can provide a security assessment of their current data environment as well as develop and implement a data security framework that helps an organisation protect its most valuable IP, from employee health records to customer credit card data, notes Mo.

Nonetheless, as the volume and variety of business data continues to grow at a rapid rate, legal teams are under mounting pressure to collect and understand data as fast as possible. While companies and their in-house teams in the U.S. and UK are embracing new technology and analytics solutions to more effectively handle disputes cases, some have argued that the legal industry in Asia has been slow to catch on to this trend.

While Asia is a few years behind North America and Europe when it comes to the use of legal technology in disputes and investigations, clients are gradually adopting the use of tools – such as analytics technology and predictive coding (or technology-assisted review) – that have been used in those jurisdictions for a while, claims Mo. “With business data growing at its current speed and more complex global disputes and investigations impacting the region, legal teams will feel more pressure to incorporate such technology to do more with less,” he says. “As we see more – and larger – cross-border disputes and investigations impacting many companies in Asia, clients have begun to realise and understand that the use of this technology can significantly reduce cost and generate efficiency.”