RDJ: Where cyber protection is a 24/7 occupation
Ricky Kelly is the head of RDJ’s Cybersecurity, Privacy and Data Protection Practice.
Cyber security is a rapidly evolving area and one of increasing importance for businesses, organisations and government entities.
According to the April 2024 Global Financial Stability Report, the risk of extreme losses from cyber incidents is increasing, and such losses could potentially cause funding problems for companies and even jeopardise their solvency. The size of these losses has more than quadrupled since 2017 to €2.3 billion, with additional indirect losses from reputational damage. This acceleration is, unfortunately, evident in the constant stream of reports of organisations and individuals falling victim to cyber-attacks and fraud. The report demonstrates the potential financial impact cyber-attacks can have on organisations and the collateral consequences for customers, suppliers and employees alike.
For Ricky Kelly and his team at RDJ, cyber security and incident response is a 24/7 occupation. Leading RDJ’s Cybersecurity, Privacy and Data Protection Practice, Ricky has broad experience advising clients on the end-to-end investigation and management of, and recovery from, security incidents. He adopts a commercial, practical and strategic approach to helping clients effectively manage, respond to and recover from cyber and data security incidents, while also mitigating potential future risks.
“Law regulating how organisations interact and use personal data has been with us in Ireland since 1988. It was not until the European Union attempted to harmonise the regulation of personal data across all Member States in 2016 with the GDPR, that the majority of organisations first experienced financial penalty risks for failing to protect the personal data that they hold. The sixth anniversary of the GDPR coming into effect passed quietly on 25 May. During that time, we have observed how data protection regulation can reach into everything our clients do.”
In reacting to this demand, it was necessary for RDJ to develop broad data protection and cyber security expertise across all of their main practice areas from education, employment and dispute resolution to corporate commercial and property.
“The practice is separated into two groups — proactive and reactive — with the former involved across compliance, policies, training, impact assessments and bringing organisations into compliance with regulations.”
“On the reactive side, we knew we were going to have a lot of work dealing with cyber and personal data breaches, and set up a 24/7 service facilitating clients with an instant response service to triage issues and set in motion a process to ensure their business is back operating safely within the shortest possible time, all the while ensuring compliance with their evolving regulatory obligations.”
Where necessary, RDJ partner with various third parties encompassing forensic investigation and crisis management teams, organisations specialising in the recovery and rebuilding of IT systems and PR communications teams. “In the case of a ransomware attack, we have worked with a number of partners that engage safely and directly with hackers on behalf of our client where necessary.”
“As the first law firm in Ireland with the international security standard ISO 27001, it wasn’t good enough for RDJ to be advising organisations what to do if we weren’t going to do it ourselves. We have adopted a similar approach in the areas of environmental and sustainability, and are currently in the process of getting an internationally recognised standard to again make us an early mover in that area.”
Since 2018, RDJ have seen a significant change in the types of cyber-attacks, shifts in how breaches were happening and what hackers were trying to achieve.
“Hackers’ objectives have changed over the years, particularly ‘business email compromise’ — moving from spam email phishing chains to breaches and social engineering campaigns designed to execute fraud, with a view to monetising attacks. Only last month we saw reports from the National Cyber Security Centre of the increase in hacktivist groups targeting Ireland as part of an orchestrated campaign across EU Member States. This involves the hacking of computer systems for political or socially motivated purposes.
“While there wasn’t the same awareness around the need for IT security when the GDPR came into effect, there is now and we have seen significant investment in this area. Indeed, through many of our universities, we now have a phenomenal resource and an evolving skillset in the country. In fact, according to Cyber Ireland, Ireland was the only country in the world last year to reduce their skill shortage in the area of cyber.”
The demand for cyber security skills over recent years saw a trebling of job roles advertised between 2019 and 2022, from 2,000 jobs advertised to 6,700. On a growth trajectory of 10%, the sector anticipates the creation of 10,000 additional jobs by 2030, totalling 17,000 in the sector, contributing €2.5 billion per annum to the economy. Ricky emphasises the prospects for graduates considering careers in the fast-growing sector: “The opportunities are enormous, without a doubt.”
While others exist, the two main types of cyber-attack experienced by organisations are business email compromise and ransomware attacks. These attacks have evolved to exploit the increased regulatory landscape. In a dual-style attack, for example, the hackers not only encrypt information and systems but also download information held by the victim organisation. They then leverage the threat of regulatory sanction, data subject claims and reputational damage by threatening to publish the fact of the attack and the stolen information online.
“Hackers are constantly evolving their methods, changing their approach to ensure they monetise their attacks, and are getting very efficient at it,” he adds. “Three years ago, the RDJ team would have seen hackers’ demands to be approximately 15% of the organisation’s turnover — company information they access through an organisation’s internal management accounts. If a company has a cyber insurance policy, their demands often reflect the coverage offered by that policy. The hackers would then negotiate a reduction of that. Now the figure in the initial demand is closer to 10% or less — but the ability to negotiate has also reduced.”
Ricky highlights the international work being done by groups like Five Eyes, an alliance of the US, the UK, Australia, Canada and New Zealand comprising bilateral agreements on surveillance and intelligence-sharing.
“There is phenomenal work being done at an international level targeting these ransom groups, and in some instances can alert organisations to the fact that they are the victim of an attack before they realise it themselves. That is where we need to be,” he says, adding that the work and investment accomplished by the NCSC and An Garda Síochána in recent years has seen an enormous shift in capability and support.
The Artificial Intelligence Act is expected to come into force shortly. Aiming to ensure that AI systems placed on the European market and used in the EU are safe and respect fundamental rights and EU values, the Act is designed to promote the adoption of trustworthy, human-centric AI to ensure that the EU reaps the “potential economic, environmental, and societal benefits across the entire spectrum of industries and social activities”.
It will strike a balance between boosting innovation and supporting the adoption of artificial intelligence technologies, ensuring it happens in an ethical and responsible way. “It is the first of its kind globally, and is of itself an enormous body of work,” Ricky explains of this IT game changer. “In the same way that it was with the introduction of GDPR six years ago, we are leading globally in terms of the regulation of AI.”
Organisations are investing heavily in AI, RDJ included. “It is critical and will be critical for our business going forward,” he says, adding that AI is defined as “a machine based system designed to operate with varying levels of autonomy, to infer from information provided to them to generate an output.”
An important aspect is that AI systems should be “human centric and trustworthy” — core areas that the AI Act is designed to bring about. “It is intended to harmonise AI across the EU,” Ricky concludes. “I believe it will do a good job of that.”