It can be hard to guide corporates safely through difficult, complex and often unique situations, so we hosted a ‘Chatham House Rules’ discussion on the real-world impact of cyber threats, AI-driven misinformation, and the growing legal and reputational risks facing businesses today.
Key Takeaways & Lessons Learned
- Cyberattacks Are Inevitable – It Is Not If But When
The Marks & Spencer cyberattack revealed that even the most well-resourced businesses can be caught off guard. A successful social engineering compromise enabled threat actors from Scattered Spider, posing as a Marks & Spencer employee, to reset access credentials through a third-party provider. The group was then able to infiltrate and deploy DragonForce ransomware, encrypting digital infrastructure and halting online shopping entirely. The damage to the business is estimated at £30m.
Lessons Learnt: Be prepared and have a detailed cyber incident response plan. Strong Multi-Factor Authentication is key. Isolate contractors from core systems.
- Deepfakes Are Getting Better – Create a Curious Culture
Ferrari narrowly avoided a costly scam when threat actors deepfaked its CEO and attempted to initiate a fraudulent transaction framed as highly urgent and confidential.
Lessons Learnt: Implement secure communication protocols, enforce call-back verifications, and train teams to stay calm, question and verify.
- Cyber Incidents Can Trigger a Liquidity Crisis – Prepare for the Worst
Jaguar Land Rover’s system-wide hack led to halted production and financial strain. JLR’s systems were celebrated as a showcase of “smart factories where everything is connected” (Anupam Singhal), but that interconnection exposed a single point of failure. Once hackers had infiltrated its system, JLR had no way to isolate functions, so it had to shut down most operations at once. The impact on the supply chain resulted in a liquidity crisis.
Lessons Learnt: Review contracts for flexibility during downtime, consider insurance and plan for business continuity. If at all possible, segment critical systems.
- Communication Can Make a Bad Situation Worse – Control the Narrative
Optus, Australia’s second-largest telecommunications operator, suffered a cyberattack in 2022 affecting around 10 million customers, with ID documents stolen. Optus was criticised for being slow to engage, allowing chatbots to deal with customer queries and painting itself as the real victim. The vacuum created customer and government backlash, with the government encouraging customers to hold Optus to account. Optus is now in litigation and under investigation by its regulators, and has set aside $140 million to deal with claims.
Lessons Learnt: Have a crisis communications plan ready. Communicate with confidence, clarity and empathy. Transparency builds trust. Do not be afraid to communicate that you do not yet have all the answers but try to give realistic timelines and update again at that stage. Confidence and agility are key.
- What Your Business Should Do Now
To deal with a fast-paced cyber incident, it is important to prepare. Crisis response is dynamic and it is important to remain agile, but the more you can do in advance of a cyber incident, the better it will be handled. It is critical to build a cross-functional crisis team with IT, legal, HR, and communications, and for that crisis team to have a crisis plan and agree on risk appetite in advance of any incident. Just as important is training and running incident simulations so that you are ready. Remember that you will have reporting duties to regulators, and check the position in relation to legal privilege for any claims arising.
Whether it’s ransomware, AI deepfakes, or coordinated disinformation campaigns, organisations must be ready to respond legally, strategically, and ethically.
For further information, please contact Hanna Basha, Mark Jones or Lucas Moore. Alternatively, telephone on 020 7465 4300