Global | Publication | July 2022
Cybersecurity and cyber-resilience risk management and governance are both complicated and technically challenging. The recent judgment of the Federal Court of Australia in ASIC v RI Advice reignited the debate in Australia about cybersecurity and cyber-resilience governance and risk management. Reinforcing this, in an article published on 15 July 2022, ASIC Commissioner Danielle Press wrote:
‘ASIC expects directors to ensure their organisation’s risk management framework adequately addresses cyber security risk, and that controls are implemented to protect key assets and enhance cyber resilience. Failing to do so could cause you to fall foul of your regulatory obligations.’
Directors faced with determining their duties and obligations (in particular under s180 of the Corporations Legislation) in this area are often left to wonder what more they should do to ensure that their organisations are adequately managing these risks. A Court will consider what a reasonable director would do in the circumstances, having regard to the nature and size of the company.
We have posed four questions that we believe a reasonable director could ask about often overlooked aspects of cyber-risk and incident management. The answers to those questions will provide an indication of the maturity of the organisation’s cybersecurity risk management outside of the usual audit and information reporting, which can often overwhelm or obscure the reality of the organisation’s preparedness to protect against, and respond to, a cyber-incident.
In particular, the questions we have posed highlight areas of preparation that, if missing, may indicate that cyber-incident management is perceived as a purely operational and technical response, rather than as an organisational risk and governance issue. A cyber-incident should be viewed as requiring parallel investigation, remediation and liability assessments, each with the potential to identify governance and risk management failures.
This may appear to be an obvious question and the answer may be “yes”. At that point, ask to be provided with a copy and move on to Question 2. However, the answer may surprisingly be “no” or, when reviewed, the plan may detail technical response processes while containing little information about the broader organisational response processes – executive and board escalation, regulator notification, public relations and internal communications, and, importantly for these purposes, the undertaking of parallel investigations and evidence preservation. The remaining questions delve deeper into some aspects of this broader organisational response, but it is important to ensure that the broad framework is in place first.
An Incident Communications Protocol (ICP) is more than an emergency text alert to affected employees. An ICP should prepare the organisation to communicate appropriately when its core systems are compromised, whether by using alternative communication channels (for example, when email systems have been compromised) or by engaging vendors that host secure platforms.
An ICP should also provide guidance so that technical and incident response teams are trained to communicate appropriate content during the incident and afterwards, ensuring that opinion, fact and action are appropriately recorded. Without an ICP, organisations are often left trying to text or call each other without clear organisation, and the contents of those texts and emails subsequently create issues in downstream regulatory investigation or litigation.
The use and application of legal professional privilege (LPP) is a critical issue that arises in every formal investigation into a cybersecurity incident. Confidential communications between a solicitor and a client for the dominant purpose of giving legal advice will be privileged. It is important to ensure that confidentiality is maintained and that the dominant or prevailing purpose is obtaining or giving advice. Ensuring your organisation has an established Incident Privilege Protocol (IPP) in place is an indicator that it has considered the risk of downstream regulatory investigation and litigation, and has a mature understanding of the risk context. An IPP should set out pre-defined roles and responsibilities for the organisation’s personnel, provide rules relating to the nature and content of documents and reports, and specify when the organisation should engage pre-identified service providers, including external legal advisers. Without an IPP, organisations face the risk that reports and documents which would otherwise have been privileged are discovered in subsequent regulatory investigation or litigation.
Payment of ransom demands is by no means a straightforward decision. Aside from ethical considerations, organisations need to assess the legal and regulatory frameworks to which they are subject when doing so. Issues such as proceeds of crime, AML/CTF and sanctions, as well as regulatory reporting requirements (should ransomware reporting requirements be introduced into law in Australia), balanced against reputational risks, operational harm and potential risk to stakeholder safety, raise complex considerations.
A Ransomware Payment Policy formalises these complex considerations in advance and relieves the board and executive management of having to work through them under the extreme pressures of a cyber-incident.
While failure to prepare in these areas may not affect the organisation’s ability to respond technically to the incident, the downstream litigation and regulatory engagement impacts can be significant. These are not silver-bullet solutions, but the answers to these questions may be the proverbial canary in the coal mine that should cause directors to dig deeper into the organisation’s preparedness and cybersecurity risk management.
© Norton Rose Fulbright LLP 2023