We’re pleased to present the launch of “Decrypted,” a podcast hosted by Skadden’s Cybersecurity and Data Privacy Practice. Each episode will track how cyber, privacy and AI risks show up in real life — inside incident response calls, board discussions, regulator interactions and litigation strategies.
In our inaugural episode, William Ridgway and David Simon walk through a realistic triple-extortion ransomware incident scenario, focusing on the critical first 72 hours after a ransomware attack. From escalation and documentation to regulatory notifications and ransom decisions, they break down how early actions shape everything that follows.
Whether you’re a legal professional, in-house counsel or just someone who is interested in how cyber and privacy risks play out in practice, “Decrypted” is your go-to resource for scenario-based discussions, regulatory and enforcement deep dives, and interviews with experienced practitioners and thought leaders.
Episode Summary
Cybersecurity is a team sport — and in the first 72 hours of a ransomware attack, every decision counts. In this inaugural episode of “Decrypted,” David Simon and William Ridgway, co-heads of Skadden’s Cybersecurity and Data Privacy Practice, walk listeners through a realistic triple-extortion ransomware incident scenario — from the moment a security operations center flags unusual outbound traffic and ransom notes start appearing to the legal, regulatory and communications decisions that follow. Tune in for their insights about what separates companies that weather these crises from those that don’t.
“Decrypted” is your go-to resource for scenario-based discussions, regulatory and enforcement deep dives, and interviews with experienced practitioners and thought leaders in the cybersecurity and data privacy space. Each episode will track how cyber, privacy and AI risks show up in real life — inside incident response calls, board discussions, regulator interactions and litigation strategies.
Voiceover (00:01):
From Skadden, Decrypted is a podcast exploring the latest developments in cybersecurity and data privacy strategies, risks, and regulations.
David Simon (00:10):
Hi everyone, and welcome to Decrypted, Skadden’s podcast on how cybersecurity and data privacy law actually operates in practice, where we talk about the view from the front lines and in the trenches, inside companies under pressure, often with imperfect information. I’m David Simon. I co-head the cybersecurity and data privacy practice at Skadden, and I used to work in the Pentagon, the Cyberspace Solarium Commission, and practice in Brussels in the European Union for a time.
William Ridgway (00:36):
And I’m Bill Ridgway. I’m also co-head of the cybersecurity and data privacy practice, and I came to Skadden after spending about a decade at the Department of Justice focused on cybercrime and national security threats. So I know, David, we’ve got a lot to cover, so let’s jump in. To set the table for the audience, Decrypted is about how cyber and privacy risk actually shows up in real life, inside incident response calls, board discussions, regulator interactions, and litigation strategy.
(01:05):
The goal here of the podcast is to have a practical conversation about real world cyber privacy challenges, a fair bit of AI as well, and to translate those fast-moving legal requirements into operational judgment.
David Simon (01:18):
Episodes of Decrypted will take different forms, scenario-based discussions like today, regulatory and enforcement deep dives, and interviews with experienced practitioners and thought leaders covering a range of topics from cybersecurity and data privacy and AI to what’s happening in government around the world. A recurring theme will be where companies unintentionally create exposure through process gaps, documentation missteps, or governance breakdowns, often without realizing it at the time.
(01:48):
Before we go any further, we should note that this podcast is for educational and information purposes only and is not legal advice, and it does not represent the views of myself, my co-host, our firm or anyone that we are close to.
William Ridgway (02:03):
Thanks. For the first episode, David and I thought it’d be useful to really focus on the foundational, and have a view from the trenches, and we want to walk through a realistic cyber incident scenario and focus on those first 72 hours because everything that comes later, and there usually is a lot that comes after from ransom decisions to disclosures, regulatory investigations, litigation, is shaped by what happens at the very beginning. So we’ll talk about escalation, privilege, documentation, some of the regulatory notification timelines that we have to manage and deal with.
(02:40):
Managing ransom decisions and why preparation in this space, it makes all the difference. So with that framing, I want to turn to how this incident is going to unfold today. So let’s start off. It’s 9:00 AM on a Monday. Your security operation center flags unusual outbound traffic from a critical server. 30 minutes later, employees start calling the help desk because they can’t log in and ransom notes start appearing on screens.
(03:06):
At this point, the issue is no longer hypothetical. And the first question really here is this incident still active and are we losing ground by the minute? Over you, David.
David Simon (03:16):
That’s right. I mean, at the beginning of one of these, you really just have to get your arms around the facts. So just like you said, what we have to do and we see over and over again is work with the IT and security teams who are already sprinting. They’re getting their arms around that story, isolating systems, pulling logs, triaging, trying to understand the scope and obviously mitigate the consequences while the legal folks are still figuring out whether they’re officially being pulled in or not.
(03:40):
That gap really matters. And it’s something that we really seek to try to bridge. Systems can be encrypted in just seconds or minutes, entire global attacks have spread in just hours, and we’re working on several incidents like that right now. And so, one of the things we want to do is think through, how do we make it through those first moments?
William Ridgway (03:56):
And from the legal side, I mean, one of the most important decisions is pretty straightforward, who gets the call first? And really making sure you know who you’re going to be calling in terms of having an incident response vendor, having your outside counsel engage that vendor, because that decision really is going to help determine whether these sensitive forensic findings are privileged or whether they later show up in litigation or in regulatory requests.
(04:21):
And just to say it, we have seen often circumstances in which well-meaning people, kind of get ahead of things and may not involve the lawyers at that point and really create privilege risks for the organization.
David Simon (04:33):
That’s right. Cybersecurity is a team sport. And when these things happen, and they do to almost every company and organization, you want to make sure that you’re not taking steps right now that are going to expose you to significant risk later, and there are some best practices. So obviously some companies are willing ... to really commence that investigation themselves. We want to make sure that we’re doing what we can to put a shield of legal privilege around it as best we can.
(04:57):
And think about those early messages, emails, Slack messages, text messages, whatever initial analysis, often that ends up being very different than what the story ends up being at the end of the day. And we’ve spent months trying to contain that damage once regulators and plaintiffs start asking for documents, but it’s not all about what the legal story is supposed to be. It’s also about making sure that operational teams can do their job.
(05:18):
We do our part by trying to shield them and protect them. And we have to think about how we can do that in a way that’s going to be commercial and make sure that they’re not exposing themselves to amplified risk. So we’ve had these group chats produced later in discovery and offhand comments, speculation about what’s happened often get taken out of context. But one of the most interesting things early on we ask about is that ransom note. What’s your take on that, Bill?
William Ridgway (05:42):
Yeah, it’s a great question. And it’s one that gets usually raised very early on, particularly in the scenario we just discussed where employees are receiving this request. And one of the big questions is, what do we do? Do we engage with a threat actor? How do we think about that? Who engages with the threat actor? So yeah, David, how will you think about that?
David Simon (05:58):
It’s a great question. In the last day or so, actually, a couple of clients shared with us the ransom note, and it’s different now than it was weeks or months or years ago. Often the first outreach from the threat actor is not a note saying, “We’ve done all these things to your systems and you have a certain amount of time to get back to us in exchange for this amount of money.” It’s a text message or an email, or a text message referring to an email, saying, “In 72 hours, check your email and you’ll see, and there’ll be a link to a place to go.”
(06:25):
But I think the key considerations for clients really depend, but if you’re locked up and you really need to get back to business, there’s a lot more urgency and sometimes clients in that situation have very little choice and flexibility. A second consideration though is what are your core objectives? Maybe at this time, you have very little information available to you, you have some initial indications, maybe your Salesforce data has been compromised or you have an impression that certain parts of your environment are vulnerable, but you don’t know exactly what data could be at risk.
(06:56):
So you may think of engaging with a threat actor, of course, through outside counsel and a negotiation firm that’s trusted, to gather valuable threat intelligence to help you assess the situation. You may also want to do it to play for time because this is all about speed. And if your systems are down or you know you’ve been compromised, it is about getting your lights on in your IT castle, really figuring out what doors and windows have been open, where, if anywhere, a threat actor has put malware backdoors.
(07:23):
And making sure they’re out so that you have confidence that by the time you’ve gotten to a containment stage you’re ready to sort of speak with confidence about what’s happened and move on. And if you don’t do that, it’s possible the threat actor may take steps before you’ve really gotten them out of your environment. So playing for time is valuable, even if a company doesn’t think that they would ever consider paying the ransom.
William Ridgway (07:45):
And do you think ... it’s a good point. And I guess you did mention something important, which is organizations shouldn’t themselves be reaching out to these threat actors, so be mindful of that. And you mentioned kind of the credible negotiators. I mean, there is a discrete number of firms that are really active in this space, and it is important to feel like you have the right resource when you’re dealing with these threat actors. They will have good thoughts on strategy, good data on how to handle this.
(08:08):
And so that’s something that is an important part of your incident response plan for sure, is to map that out as well.
David Simon (08:14):
And just one point on that, Bill, I think for folks who are listening in, you may think, “I’ve never talked to someone who does threat actor negotiation.” Both of us worked in the national security components of the US government and advised on intelligence matters. And one of the things that I think is really striking about this is understanding how you can assess with confidence that someone is who they say they are and that they have the experience.
(08:34):
And this is a challenge for organizations right now. And so there are in the world a relatively small number of companies that do this extortion negotiation work. And we’re not going to go through the specifics, but we’d emphasize that it is a very risk-embracing area of work. And so it not only is important to shield yourself with counsel, but there are certain organizations that are really under scrutiny by government authorities.
(08:56):
So it is important to check with us or check with your counsel before you do engage. Earlier today, a forensics firm said, “Oh, here’s the three different companies we use.” I’ve never heard of them before. If a client asked me, “Would you work with us?” I said, “Well, this is a very risky activity.” I think I would focus on people that I know. It’s a bit of a trust-based activity. So that’s important.
(09:14):
And of course, as everyone knows, if you’re engaging in communication with a threat actor through the appropriate channels and a negotiation firm, there are all sorts of risks, obviously: sanctions risk, issues around criminal liability. And so those are important things that you should be advised on as you think about it. But back to you, Bill, on the initial access.
William Ridgway (09:32):
Yeah, exactly. Let’s get back to this scenario. And let’s say in this scenario, which is actually quite common, that this one didn’t start with some sort of exotic technical exploit, some zero-day that maybe ... that folks were not aware of. This one in this scenario started with the help desk, voice phishing, social engineering, MFA fatigue. Somebody convinces a tired employee to push a token and suddenly the threat actor has credentials and lateral access.
(09:59):
And just to say it, this has been certainly in the last six months, all of it enabled by AI. And with these technologies, the threat actors have become quite effective at making the sound and video of company executives, mining the dark web for convincing information to specifically arm and make those attacks credible. And David, I know we have several incidents right now, where we unfortunately have had executives or people in the finance department or people within just employees who have been tricked by very convincing AI impersonation attacks involving fake outside lawyers.
(10:33):
Involving people mimicking the executives. This is all coming at companies quite a lot right now, and it is very challenging to keep up with these technologies.
David Simon (10:41):
That’s right. And look, this is not about technical controls. At this moment in time, the attackers have much more sophistication and capability to not only compromise any target they want, but to do it at scale. And so I mean, even since the holiday season hit, I think we’ve seen just a huge spike in incidents where the fact pattern that Bill just described is exactly what happened.
(11:04):
Somebody pretends to be IT help desk, they voice phish and a person eventually does go to the wrong website, introduces their credentials into an untrusted environment, boom. And even if the scope of compromise isn’t so broad and they don’t have moving up privilege escalation or lateral movement across, a lot of individuals at the company have access to a lot. They may have access to many different share platforms, cloud environments.
(11:25):
The threat actor can be operating from their phone in the Maldives doing that, and it doesn’t have to involve a very sophisticated set of activities. So that’s one of the things that we keep in mind. And I think what follows is often very familiar: there’s that harvesting of credentials, the ability to move through different cloud environments, privilege escalation, they’re really focused on a target. And then encryption; right after, they will exfiltrate data and then they’ll come at you with some extortion.
(11:53):
It could be extortion to get paid for preventing the data from leaking. Extortion, wanting to get paid to make sure that you want to get that decryption key to unlock your systems. And we’ve also seen a number of other types of extortion harassing of employees, harassing of executives. And then more recently, we’ve seen some cases where threat actors will engage in DDoS attacks on a company and engage in swatting, where they will call police or law enforcement and basically lie and say that one of the members of the victim organization was engaged in misconduct.
(12:24):
And that person ... expects to see that the police or the SWAT team is outside their house, that’s really alarming. Those kinds of physical-type threats have contributed to this pressure campaign to try to get companies to do what may have been unthinkable to them the day before.
William Ridgway (12:37):
Yeah. And it’s a good point because it’s helpful for executives or people who may be the source of these types of attacks, just to be aware of the risks that they face in these situations. It’s an unfortunate development for a lot of our clients and the people who are coming under pressure in the crisis, but that’s a reality, is that the threat actors are doing everything they can to pressure the organization. One thing I will flag too, as we deal with these kind of new trends, and at this point, some of these AI trends are now pretty well-developed.
(13:07):
One of the things I get worried about, and I know you do as well, David, is the more this kind of happens, and then regulators have such strong hindsight bias that they tend to think, “Well, this has been happening in the market for six months, what have you done to prevent this from happening? What sort of training controls, governance, oversight have you put in place?” And so, I always say, you probably can’t necessarily prevent an attack, but you certainly can at this point, prepare a story and a good narrative that you can tell to ... in litigation or to regulators by really focusing on these issues and trends.
(13:39):
So that you can demonstrate reasonable measures that were taken and real resources that were devoted to these issues before the attack happens.
David Simon (13:48):
That’s right. And really the story ends up being about how is your response? Because why is it that a company was compromised however sophisticated? Often, the answer is fairly simple. Something was missing. There was an open window, an open door, but it is important to have that response seem really strong. And those early moments matter. So if you think about the first 24 hours, often organizations, they want to figure out what they can know with confidence.
(14:10):
And the reality is often there’s very little. So what you want to do is establish an incident response process that hopefully follows your incident response plan if you have a playbook, and that you get the right stakeholders involved because it is a multi-stakeholder team sport: legal, IT, perhaps compliance, your comms team. And then, if you have outside advisors, you may have outside counsel come in as breach coach and incident commander, bringing in your forensics firm, your counterextortion negotiation firm, crisis communications firm.
(14:36):
But you’ve got to really lock down the information flow. Sometimes there’s not trust in the email environment. Threat actors destroy Active Directory, domain controllers, and there’s a judgment call: do we keep using email? Do we move to shared platforms by the law firm? You start operating on Signal or WhatsApp. None of this is ideal, but often it’s necessary to keep coordination occurring in the right way and often to make sure that communications are not on the client’s network, not just to manage discovery risk, but just as a practical matter, the threat actor could see it.
(15:05):
We think it’s important that legal is involved from the get go. Perfect is absolutely the enemy of the good, but we want to make sure that the process is set out by legal, that you have a legal hold early, that you do this in a way that doesn’t slow things down, which is so much easier said than done. So the trick is practicing this. And I think that’s one of the tricks about having operational lawyers on call.
William Ridgway (15:25):
Yeah. And the communications piece is an important one. That could be the thing that is most operationally important right at the outset, if you do not have trust that your emails have not been compromised or, frankly, the systems are down and you have no means to communicate. So getting ahead on that and whatever communication channels you may use, oftentimes outside counsel, your IR vendors can help you set up with that as well, but that’s going to be something that’s important to map out.
(15:49):
We both have had scenarios where threat actors have continued to be in the environment. And while our threat actor negotiator is receiving information saying, “We know what your strategy is when it comes to trying to bring the price down because we’ve actually been monitoring the emails.” And so once you have a sign that there’s a threat actor still in the environment, obviously, that’s something where you want to be very careful about continuing to use any email, company email until you have confidence that it has not been compromised.
(16:18):
And similarly, one other situation that creates some discovery issues is just to flag. A lot of times, sometimes people pivot to their personal email accounts and whatnot. Generally speaking, we really prefer to have some other separate communications channel. There’s nothing worse than having to ... which I’ve had to do, is to go collect executives’ personal Gmail accounts for discovery and litigation because they use those communication channels for the incident.
(16:42):
And it’s hard to parse out that from the other personal communications. So just a practical point to keep that in mind as you consider communication channels.
David Simon (16:50):
It’s a good call-out. And when we were in government, obviously, communication security, operational security is a watchword. And in the work we do now in incident response for our clients globally, this is also really key, but we are a global practice. And I was thinking about some of the cases without going into anything we can’t, of course, where in some parts of the world, everything does operate on WhatsApp. And the way that businesses interact and expect to operate is just culturally different.
(17:15):
So part of the challenge as lawyers is to figure out how to do that. And I think privilege is something that really isn’t just about the technical legal dimensions. It’s really a risk management tool. And we’re fortunate that we have the benefit of this shield of privilege that is pretty powerful, relatively speaking, for outside counsel based in the United States. And so during an incident, you’re making decisions that will definitely be second-guessed later.
(17:37):
And we spend so much of our time with CSOs and security executives. We know from watching closely and the cases we’ve handled how the judgment calls early to protect the business can be looked at from a totally different perspective and held against, security leaders held against management team. So the trick is making sure that you’ve got a good structure bookended at the beginning with the right paper, but also the right process, so that later regulators and plaintiffs and investors, the shareholders, are not in a position to really undermine the good judgments you made in the heat of the moment, in the engine room.
(18:10):
And this goes for companies that are global. For clients that are based all over the world, particularly in countries where there’s no ability to create legal privilege for in-house counsel, it’s especially important that you have outside counsel from, say, the US especially or the UK, where the privilege is much stronger, to be able to assert that. And I think that’s one of the things that you’ll be thankful for if you find yourself hearing about a court case that’s proceeding in connection with your incident and you’re wondering, will those emails or those documents ever really see the light of day?
William Ridgway (18:37):
Yeah. And here, this is an area where we’ve observed sometimes people not being as careful as they ought to be when it comes to privilege. It really has to be ... it’s not just a matter of form. The substance of the investigation is really important. Counsel is meant to direct this investigation and the vendor engagements should be done through outside counsel in a way that helps our structure because ultimately that investigation is collecting information that’s going to inform genuine legal advice.
(19:04):
And it’s important to do that in reality because I think judges sometimes can see through it and they can see the circumstance where counsel really wasn’t directing the investigation and it was just a little bit of a tag they put on their emails, privileged and confidential, as opposed to a genuine privileged investigation led by counsel. And so, we certainly are mindful of that and we’re structuring our engagements and having it.
(19:26):
We’re only going to have a privileged engagement when it’s going to be a genuine one that can be defended in litigation and with regulators.
David Simon (19:34):
And again, perfect is the enemy of the good, but there’s some practical ways to think about this. And as you think about it, if you’re a CSO or a CTO or on a security team or a legal or compliance, you may think, okay, I know emails and Teams chats and the stuff that I’m writing out thinking, should I say that or not? Those are the documents that are core. But also, it’s the security ticketing system. The security team is working on a response as it’s alerting, they’re getting an alert, they’re responding, it could be a JIRA ticket.
(20:02):
All of that stuff is highly relevant to what a company did in the moment. So maybe later in time, you want to be able to understand that very effectively. We want to do an investigation as to how that’s done. That will help us to establish why the company was taking the steps it was taking, to inform legal advice. That could be core evidence. No one is suggesting that every little piece of factual information could be defensible as privileged, but there is a way to conduct an investigation so that later in time you can establish a pretty strong legal shield around it.
(20:31):
And enable the company to move ahead without having as much of a worry about being seen as mishandling the information that’s there. And the last thing I’ll say is often companies have multiple different security firms and advisors in the mix. And so often we’ll step in and bring in an additional firm as an umbrella organization that’s kind of the lead forensics firm, the lead crisis comms firm, so that at least at the top end you have a bit of structure because nothing is, again, starting off exactly the way you want it to.
William Ridgway (20:55):
Yeah. And there are a few other just points on the basics for privilege that are worth mentioning. Obviously, marking things appropriately and involving counsel are very important. But still, even within those communications, we are always encouraging folks to really stick to the facts, avoiding speculation, avoiding some of the finger-pointing that sometimes can happen in the wake of these types of crises, limiting distribution to need-to-know. Those are the types of things that the courts have looked to in deciding whether to find that a particular investigation was truly privileged.
(21:26):
And so we are focused on doing the basic things, don’t have the footfalls just because you’re in a crisis, sometimes it’s hard to remember these things, but they’re just as important, certainly down the line when you’re dealing with the regulatory inquiries and litigation.
David Simon (21:38):
So if you fast-forward, imagine you’re ... past the first 24 hours, now it’s 24 to 48 hours in, everyone is getting a little exhausted, folks are getting greater awareness as to what’s happening and the pressure is ramping up. Senior leadership wants answers and the board is looking for updates. So someone asked the question ... and actually yesterday, a client asked the question, “Is this material? Is it material now?” Someone asked the question, “Are regulators going to come after us?” And the reality is you still don’t have any more information. In fact, some of the information you had yesterday, you may have deep questions about.
William Ridgway (22:10):
Yeah. And this is certainly where the governance is critical. And we often see boards certainly want to be informed, engaged early throughout the process, but important too as well, and David, we’ve seen this as well, making sure we don’t let the incident response turn into a board meeting where you have the board doing the blocking and tackling of the incident response. It is a temptation we sometimes see with certain boards, and that’s something to be able to ... It actually creates legal risk for the board.
(22:36):
So it’s something that we are mindful of. And it can also just slow down the pace of responding to the incident. So important to keep these updates, the board structured, consistent, controlled, all of that, but to allow management to be running point on the actual response.
David Simon (22:52):
That’s right. You don’t want a board to be too operational. And the way I think we think about it is in a case involving, say, extortion or ransom, the company is giving any thought to payment support that you get in front of the board or a relevant committee before the decision is made. Your governance may say the board’s supposed to make that decision and vote. Some jurisdictions, actually, that protects the business, but in many it doesn’t. So it’s just about the management committee making that call, getting in front of them and having a record that they did it, privileged briefing.
(23:18):
But often, if they’re a public company, if we make that materiality call, we want them to get their disclosure committee together, get that disclosure committee charter, get the right members there, make sure it’s not just the security folks and the lawyers. You want to have the CFO, maybe the comms person, someone who knows about the product, and judge: does this affect the financial situation in a material way, business operations, reputational? And document that, because ongoing assessment really matters for regulators, especially the SEC.
(23:43):
But as you think about even foreign issuers, so that assessment is really important and you want to show your homework on it because the controls are the ones that will get questioned. And I think from a comms perspective, this matters too because we have all these work streams going. Everyone wants to show that they’re on top of it. And there’s some things you’re going to want to be able to say. We notified law enforcement, we got a team in place. The talking points, the story seems pretty similar for most of them, but don’t forget about your internal messaging.
(24:05):
What if you say internally, “Oh, this is nothing. It’s an outage.” You’re saying publicly in 24 hours it’s a ransomware attack. That can seem a little bit misleading, particularly if you have a lot of employees whose data is at issue. So you want to also be clear about who is doing the communicating, right? So you have one set of talking points, one voice, one message; you don’t want to lean too far over your skis. And again, for any organization, this is tough, even if you’re in one location, but if you’re global with different structures of authority, different cultural approaches, this is especially difficult.
(24:34):
So it does take discipline. Hopefully you have a comms playbook, but if not, you’ve got a strong team in place to help you to do it. And I’ll just give you a couple examples. There’s a few incidents we’ve handled not too long ago where all of this seems to be going well. And the next thing, someone just puts a banner on the website of the company, big red banner, cyber incident, everyone wakes up and says, “What just happened?” And of course, now they’re just flooded with communications. A lot of the regulatory and litigation risk to a company will be related closely to how significant the press narrative is.
(25:06):
Is it a local one? Is it a regional one? Is it an international one? That can really draw the interest. That’s when regulators reach out. That’s when friends who know each other from something reach out, even if they’re from regulatory authorities or in government.
William Ridgway (25:18):
Great. Should we talk a little bit about breach notification, David? Yeah.
David Simon (25:21):
That seems like a good idea. Hasn’t AI solved that, Bill? Aren’t we there yet?
William Ridgway (25:26):
It does not. Not quite yet. So we still should be paying attention to it. And it seems like there’s a race between AI and then, the deadlines on these regulatory notification requirements. So it seems both to be moving, but ...
David Simon (25:37):
It’s true. I thought by now, we’re talking about breach notification. Obviously, there’s all these clocks that start to tick. “Oh, well, someone told me my data was stolen.” The threat actor claims to have taken all this stuff. All of these things could have happened. This is where working with your lawyers is really important because when we were in government, we learned early on it’s important to preserve operational decision space for our government clients. And same thing for clients in the private sector.
(26:00):
You need to have the ability to make business calls, but also in a way that’s going to comply with the law and be defensible. We’ve watched waves of government move in and out around the world trying to solve the cyber problem. And without commenting on it, one thing we know is true, just as the severity and frequency of attacks has gone up, so have the number of notification obligations, and they’re so conflicting and dizzying. So if you think about it, if you’re in the United States, you’ve got state laws, the trigger on some access, some on unauthorized access, most on the sort of stealing of data, unauthorized acquisition.
(26:33):
But overseas in Europe, where I practice in Brussels, I’ve watched more and more, innovation was effectively rendered obsolete by regulation. You have GDPR, which requires a 72-hour notification from awareness, not certainty, DORA, which really applies to tech companies and financial. It has a much tighter turn notification for operational impact, data aside. And now NIS2 too, which is critical infrastructure reporting, adds this early warning requirement of a 24-hour notification often for boards that aren’t even aware.
(27:02):
And again, multiple of these have executive level, board-level personal liability. These clocks do not align, they don’t pause, and companies are facing significant fines based on their revenues from last year. Some were 2%, 4% of revenues. Sometimes the revenue calculation is their group entity, not just them as an individual company. And so this is a significant step. And again, AI hasn’t solved this. It’s just basically given more power to the attacker to impose costs on the victim who then have to turn around to their lawyers before they even know what’s going on.
William Ridgway (27:33):
Yeah. I like the point you make about preserving optionality. I think that’s so critical. And we see companies sometimes rushing to draw conclusions about what data may have been impacted and the import of that in many ways that then will start the clock and we at least usually try to focus on really following the evidence and making sure you have a firm understanding of what data has been impacted before you start thinking about making communications that would suggest there has been a trigger.
(28:00):
You mentioned also for public companies, SEC materiality, an important area. And frankly, for most public companies at this point, most of them have some sort of playbook or framework for thinking about how to handle and address and consider cybersecurity incidents. David, you mentioned before, and I think this is super important, the documentation, there’s requirements without unreasonable delay. So you really want to focus on getting together with that, whether it’s your disclosure committee or some other set of executives to document the decision-making around that and preserving that documentation.
(28:32):
Because at least for us, we’ve worked with our SEC colleagues where the SEC reaches out two years later and you try to go back and piece together calendars to figure out when, what sort of assessments were made and what sort of factors were considered. That’s not a position you want to be in. Making sure you have that cross-functional meeting with the right stakeholders, assessing the quantitative and qualitative factors is so critical and something that we see.
(28:57):
Sometimes incident response teams can focus more on the technical and may not always have the SEC component to this all lined up and ready to be nimble, and that’s important.
David Simon (29:05):
It’s true. And at the end of the day, you have to have coordination and decision-making around what your real take on this is. But one of the things that I think we want everyone here to react to is, do you know what kind of data you really have? Do you think you have a lot of personal information or even a lot of sensitive information? Almost every time this happens, the client comes to the view that there’s not much there there, but it turns out they have been keeping their employee data for a decade plus, or they actually keep information about patents or who knows what sensitive data is there.
(29:37):
Or they didn’t even know that they’ve been consolidating the data that they got from lots of other organizations. So the breach notification risk is something that they should be thinking seriously about. And as you’re doing your AI programs, frankly, this is a good time to think about data loss prevention and also what data you have for analysis that’ll manage down this risk. So if we think forward a little bit about the ransom story, right? So in a ransomware attack, there are some key things to think about, and there’s some questions everyone wants to know. Who’s behind this? Who’s done it?
(30:05):
They want to see that last episode of the Netflix series. We might never get there. Attribution is important, but there’s limits. There’s obviously economic sanctions issues, OFAC liability, related considerations. And then of course, these decisions are heavily scrutinized. So if there’s a ransom demand, there are some key questions. We started talking about them earlier, but one of the questions is, do we negotiate? Should we communicate with a threat actor through a forensics firm, a counter-extortion negotiation firm that is not under investigation by the Department of Justice at this time?
(30:35):
Are there OFAC sanctions risks? It’s not enough for the FBI to tell you, no, this group is not sanctioned. That’s not enough. What role does cyber insurance play? What do they allow? How do you coordinate with them without waiving privilege? And then how do we document this decision? I mean, one of the things that I think is important, and Bill, maybe your reaction on when people hear OFAC, liability is strict liability. For folks who don’t appreciate what that means, and it’s probably useful just to hear it.
William Ridgway (31:02):
Yeah. I mean, look, it basically means if you end up paying an actor you believed was not sanctioned, and it turns out you were wrong for a variety of reasons. And sometimes you don’t know. You could still be liable for that payment. Now, the guidance at least has some factors about how OFAC would consider whether to actually take enforcement action, but at least in our world, we’re never wanting to put our client in a position where we have to rely upon the good graces of a regulatory body to exercise discretion.
(31:31):
We want to avoid or minimize that risk to the extent possible. I guess another topic just in this 48 to 72 hour range is on the communications piece at least. We certainly see ... This is the time you start having lots of inbounds from customers, from auditors, from sometimes regulators if you’ve done those notices. And how do you think about those communications while you’re still running a privileged investigation? And it’s very important to consider. Obviously, you’re going to have to be able ... in a position to share facts.
(32:00):
You are going to have to be in a position eventually, at least to share facts, but at least share information about the process, the investigation, but be very cautious about the information that you may share early on in the incident because when the investigation is ongoing, the facts can change. And we certainly think changing the story with a client or with a regulator or with whomever you’re communicating with just suggests a lack of cyber maturity and maybe not a very effective incident response. So certainly would be cautious around third-party communications when you’re in that 48 to 72 hour time window.
David Simon (32:33):
And just one point on this, it’s so important, Bill. Most of our clients facing an incident are not cybersecurity companies. And so, they’re not going to be expected by a court, a regulator to be able to judge for themselves, “Am I completely secure now?” But they are hopefully retained through counsel, a leading forensics firm, and they should rely on good faith in what those firms say. So this cooperation, giving them the information they need to clear on talking points, if you want to be able to say, “Look, I can tell you that my third-party forensics firm, world-beating forensics firm knows that we’re good.”
(33:07):
Then you should make sure that you’re cooperating with them and sharing information with them and positioning them to do that so that you’re not leaning too far over your skis and that you’re not finding yourself with talking points that evolve. And on one hand, you’re saying, “Oh, we’ve contained the incident,” but it turns out you’re nowhere close. I think that’s one of the things from a communication perspective, what are the things you want to be able to say? Well, let’s do the hard work to make sure that it’s the case. What is your thought here on how to keep the board informed in this process, Bill?
William Ridgway (33:32):
Yeah. So again, going back to the point of making sure, we certainly ... The board will usually expect to be receiving reports and receiving information particularly about critical decisions, whether you’re going to do an 8-K, make a ransom payment, even regulatory notifications. Those are the types of decisions most boards that we work with like to have information and a heads-up and provide even feedback on those decisions. At the same time, we try to avoid having too many discussions in the wake of an incident because that time is valuable.
(34:03):
And it’s important for management to be able to focus on the incident itself. So that’s the balance that we often have to walk when it comes to the board, to make sure they’re aware of those key decision points and can provide feedback without slowing down the decision making in an incident.
David Simon (34:21):
There’s no magic number, but I think during a relatively normal ransomware extortion incident, it makes sense for the board to meet at least a couple of times during the pendency of the incident on their ransom payment decision, maybe around notification. And you want the board to ask questions. You want it to not just be receiving information, but to show it’s being active, performing its oversight responsibility. That’s very important. And often, it’s tough to get the board together on a tight timeline. So that’s a good thing to do.
(34:47):
And again, if you know that you have subsidiary boards because you’re in Europe and you have NIS2 or DORA or Cyber Resilience Act obligations, those are really quick turns. So if you want to be gathering before a 24-hour notification, folks need to know that could happen and have a way to communicate effectively that way. So I think that’s important. I also just emphasize too many written reports to the board, unless that’s your governance model, that’s a real gift for plaintiff’s firms. It’s kind of a yellow brick road to sue you.
(35:15):
So if that’s your approach, some clients do have that, but just be mindful of the risk around it. Maybe we should talk for an ounce of prevention, can go a long way here. What we think ... When boards ask us what matters, we should say, “Look, what you want to know is, is your response within the norm or are you an outlier in the wrong way?” There are some things you can do to really position yourself. So obviously, having the right team in place internally and externally is key because cybersecurity is a team sport. The second thing, which is not a legal thing, but I mean, cybersecurity is a luxury for companies that know where their technology is.
(35:51):
Most of our sophisticated clients that get hit, it’s because they don’t know where their technology is. They’re building a skyscraper on styrofoam. They’re building their most glorious digital business atop some concrete that is basically the equivalent of something below a Boca Raton condominium, that’s about to sort of collapse. Hopefully that doesn’t happen to anyone here or anyone that they know, but that’s what a lot of tech debt leads to. And then, the stuff that lawyers and incident responders focus on: tabletop exercises once a year for the executive team, some things for the management mid-level.
(36:20):
And the board should do one at least once a year, the role of the board. Having privilege-friendly templates. Having the right escalation pathways, who’s supposed to be involved when? And of course, make sure your vendors are vetted so that you’re not retaining a firm that is currently under investigation for taking ransom payments as the firm that’s helping you to make ransom payments, and then of course have decision checklists. And at the end of the day, tabletop exercises are not that painful. You can do a one or two hour or three hour.
(36:50):
We do dozens of these a year, and sometimes in large groups, we actually just did one last week with a group of security leaders in the private equity community. It was a very successful AI-focused activity. If you’re interested and have questions about that, let us know. But I think it does get folks really thinking about how would they respond, and that’s really the beginning.
William Ridgway (37:08):
And it’s helpful because those exercises help people understand what are the other things I need to know in advance, better for me to know than try to learn mid-crisis, like what are my basic reporting obligations, my contractual notice, any sector-specific rules that may apply to my business? All the better if you map that out a bit in advance. There’s always going to be some twists and turns. You can’t anticipate everything, but there’s a core set of requirements that most businesses should be able to ascertain in advance of an incident. And having mapped that out with your team, we think is super helpful. Should we wrap up now, David?
David Simon (37:41):
Yeah, I think it’s a good idea. So look, there’s always lots of takeaways, but I think to keep it really simple, three things. Obviously, one, you got to get your lawyers involved early, but make sure that you’re thinking about how to be operational, right? Super practical, super commercial. Second, you got to know your regulatory clocks around the world and know which boards are implicated. And of course, think about how to preserve and maintain privilege throughout when it comes to communications.
William Ridgway (38:05):
And then, just one other point, we’ve already mentioned it is just doing the testing of that plan, the tabletop exercise, benchmarking your materials, your incident response plan, your SEC materiality framework, having a sense as to whether you’re kind of in line with what the market is doing, we think is super important and valuable to prepare for something.
David Simon (38:24):
Before we close out, we wanted to share with you ... because I know many of you know us, but for those who are getting to know the Skadden cyber and data privacy team, we are doing a lot to connect with industry partners, security leaders, chief privacy officers. We bring them together for a whole range of different activities to share ideas and opportunities and transcend the sort of typical methods and practice conversations. And so, one of the things we did just last week and we’ve been doing for years now is gathering the sort of CSOs from private equity firms, alternative investment fund managers to get together on a leadership forum.
(38:56):
And talk about best practices, listen to and hear from experts in the field. And we’ve been doing that for years. And we also gather from a broader cross section of industry, Fortune 500 company security leaders for our Fortify Cyber and Data Privacy Summit, which happened last fall. We’re having another one this coming fall. It’s a two-day event, really bringing together the best of the best. It’s like the Davos of cyber privacy and AI from across industry. So it’s not just lawyers talking about these topics. It’s CSOs, CIOs, CTOs, the folks in charge of AI and some government officials to have that more serious dialogue around AI-driven security events, accelerating AI adoption, data protection, the how, right?
(39:38):
And we have formed up community. So if you’re interested in connecting, we have a LinkedIn group called the Fortify LinkedIn Group. And then of course on AI, Skadden is a much deeper and broader bench, and we’re delighted to be part of that team. And that conversation has been taking place around the world. We were in London a few weeks ago for our AI forum, and we have a number of events coming up in London in June, in Frankfurt in September, and we’ll be out at RSA coming up soon, Bill. So that should be a lot of fun.
William Ridgway (40:04):
Yeah, it’s great. We really view this as an opportunity for leaders in this sector to really hear from each other, frankly, not just from Skadden, and that’s something that we think is super valuable. So we’ll continue to host gatherings, both our major one in the fall and also smaller gatherings throughout the year, which we can let you know about, and hopefully you get to hear about it from our podcast.
David Simon (40:25):
So if you think about us for this first episode, our next episodes are going to touch on a range of topics, including some thinking scenario-based, managing the sort of privacy set of risks that arise in these contexts, AI assurance in 2026. We’re going to do a deep dive on DORA, the Digital Operational Resilience Act, NIS2. What do those mean in practice? We’ll talk about some of the AI regulatory changes that are really making a difference for how companies respond. And then, we’re going to have some really exciting conversations with industry leaders, from CSOs across sectors, chief privacy officers, and then some key government officials who are now in the private sector and can share more candidly, what are their real insights?
(41:03):
If you are interested in listening, please subscribe to our podcast, reach out to us if you have questions and ideas for episodes, and we look forward to keeping up with you.
William Ridgway (41:12):
Thanks, everyone.
Voiceover (41:14):
If you’re enjoying Decrypted, be sure to subscribe in your favorite podcast app so you don’t miss any future episodes. Additional information about Skadden can be found at skadden.com. Decrypted is a podcast by Skadden, Arps, Slate, Meagher and Flom LLP, and affiliates. This podcast is provided for educational and informational purposes only and is not intended and should not be construed as legal advice. This podcast is considered advertising under applicable state laws.