Hong Kong

By Kenny Tung, In-Gear Legalytics

Email: kenny@iglegalytics.com


Cybersecurity used to be viewed as black magic. From a non-technical, user or customer perspective, most people are happy that the IT folks “just make it work” and “no news is good news”.
This sentiment is familiar to lawyers, who are commonly viewed as someone to call when things go wrong; keepers of checklists of past experience; the person to sweat the details in a dispute or complex negotiation. And who are to be avoided in most other situations.
In a recent McKinsey podcast, Nathaniel Gleicher, head of cybersecurity at Illumio, raised a number of challenges facing the cybersecurity industry that echo many of the challenges facing legal professionals.

The recent change in the perception of cybersecurity has evolved due to the increasing scope and scale of breaches, organisations’ move into exposed environments and the emerging internet of things.
Gleicher observed that if we made cars the ways we make computers and software, they would go 800 kilometres an hour, travel 200 kilometres on a litre of fuel and blow up once a week. In the cyber world, surprisingly small software bugs are increasingly capable of causing significant physical chain effects.
Legal environments are also getting more complex. There are more regulations, globalisation is driving greater cross-border complexity, changes to rules are happening faster and more frequently, rule-making is routinely falling behind macro drivers amid turbulent socio-economic and technological shifts, and corporations are routinely being targeted by social discontent as society demands a higher bar for compliance. On top of these challenges, social media amplifies the threat of reputational risk.
In response to this threat environment, cybersecurity professionals are increasingly expected to quantify the risks and measure the benefits of their solutions. Likewise, today’s clients of legal services expect analysis and insights from data, and demand solutions to legal issues to be based on what lawyers know and not just what they think.

Strategic failure
Yet Gleicher complains that the cybersecurity market can sometimes act like a group of fourth graders playing soccer — the whole bunch chasing the ball across the field rather than playing a coordinated game with big-picture coverage. Hot topics and best practices — encrypting data, strong passwords, whitelisting apps, segment environment, patching vulnerabilities — do surface but are not generally in practice because of the challenges of accomplishing them in scale across large organisations.
By the same token, lawyers continue to value legal complexity above solving for business problems. Billing hours aside, their reason for existence is mostly about the latest case, rule making and gossip. Best practices are talked about but not often put into practice, mostly due to the culture of practising law for the sake of jurisprudence, lack of law savviness among clients and general dearth of progress in the development of lawyers as T-shaped professionals to solve problems holistically across organisational silos.
The main cybersecurity challenge today concerns the lack of a single coherent strategic model that prescribes how to protect an environment. While many tactical models exist, companies are starting to figure out how to see the threat as a whole.
Most companies do not have, or have not known, a corporate legal strategy that is integral to the business/corporate strategy. Legal strategies come up mainly in major disputes, rule-making with significant impact on an industry or bet-the-farm transactions.

Understanding the environment
In principle, the foundation of every security discipline is to understand the environment to protect and exert control, such as prevention of access, detection and response over the environment. But yet when it comes to cybersecurity, most organisations live with a general lack of clarity in defining what is the network, what is connected to what and where high value assets are. As a result, they end up with relatively few options to control the environment, and are found defending an open field, stuck in a reactive position to attackers’ moves.
In the legal space, most lawyers work at their desks, even if they are considered to be co-located with their clients. A majority rarely work across the corporate silos despite the fact that the legal function supports every business unit and function. Few lawyers have close up and thorough appreciation of what their colleagues and internal clients do or what their vital interests are. Even fewer are engaged with the client at the strategic level and are usually called upon only after something has gone terribly wrong or opportunities for an easier solution were missed, leaving no option but to call in the clean-up team. At that stage, whether in dispute resolution or an investigation, it is convenient to shift part of the responsibility to the legal team if the outcome is unsatisfactory. This is all too common when we stand at the threshold of an era where compliance is called upon to graduate from being aspirational to strategic and from remedial to preventive.1
Better detection and response in cybersecurity starts with understanding the environment — the business risks, assets that the corporate strategy, initiatives and operations rely on, which, if exposed or compromised, would fundamentally harm ways of doing business. Take how the secret service protects the U.S. President before a speech in an auditorium (an open environment). The main exercise is to reduce the number of attack angles to monitor by restricting public access, thus simplifying the environment to control, which makes detection much easier — managing the false positives and false negatives, making breaches more obvious and enabling speedy reaction, prioritising alerts of threat to highest value assets.
Screen Shot 2017-08-30 at 3.31.04 pmSimilar considerations call for practising preventive law and even helping to drive corporate and business strategies. Beyond conversations with the business folks in canteens, to truly appreciate the business environment and risks, lawyers should regularly walk the shop floors, join sales calls, meetings with suppliers, product development gate conferences and generally maintain an immersive experience with business processes where legal input may matter. This will enable legal to start looking at risks as a whole or a portfolio, in a measured, prioritised and practical manner. In addition to connecting opportunities with commensurate risks, we will look at risk management in terms of minimising false positives that will overwhelm limited resources, and false negatives that will shift the focus of solutions away from the legal function and damage, or even end, the organisation. All must be grounded on the organisation’s strategic priorities and negotiated across people-process-system — also known as corporate culture.

Organisational solutions
Cybersecurity is an organisational solution, not just a response to a technical problem. There are many touch points — computers, systems, employees and third parties. Applying the basic security hygiene (passcodes, basic caution in cyber activities and people control) at all chinks in the armour will eliminate half of the problems. As with other areas of compliance, everyone has a role to play.
The modernised legal function starts with deriving a living corporate legal strategy from the organisation’s strategy, to serve as basis for legal decision making and solutions, especially in an era of precise interaction based on data analysis. Starting with streamlining legal work processes and automating tasks that were previously thought to be bespoke and uniquely handled, lawyers, like every function, will leverage change management to tackle a more complex environment by simplifying it rather than resorting to pure legal complexity and uncertainty. This means shifting our own and other’s expectation on what the modern legal function can achieve and playing a part to link up resources and insights across businesses and functions. This mission for the legal function is not a nice-to-have, but is critical for the function to be ready to work with the “internet of legal things”, working with clients and designing an environment that addresses problems faster, better and within commensurate costs.
As with other changes, a successful legal function transformation is prescribed by the four Cs across an organisation:

  • Command — From a top-down leadership to drive change which rests with interdisciplinary cooperation and a common purpose, not just a legal department project;
  • Connection — With the strategy to shape and sustain a business model to satisfy customer needs — not technology for technology’s sake — and ultimately with the customer’s value proposition;
  • Culture (and Capability) — Especially toward collaboration and creativity in problem solving in a digital world, and more proactive thinking like an enterprise owner;
  • Commitment — To stay the course as transformation requires alignment of disparate interests and keeping an eye on moving the needle over twists and turns.

While the legal profession is no exception in the need to leverage technology to keep up with how the world works, when it comes to working with people and their relationship with their organizations and the world, lawyers can return to the roots of their expertise which is not just the law but the underlying relationship impacting parties who are ultimately human.


Kenny Tung has been advising companies on strategic projects and transactions through Lex Sigma. He also co-founded In-Gear Legalytics to serve providers, clients developers and investors in the legal service value net. Previously Kenny served as the chief legal counsel of Geely Holding and before that as the general counsel in Greater China or Asia at a number of multinationals that are also household names.


End Note:

  1.  “Five Currents Pointing To Compliance As A Strategic Function,” Kenneth Tung, Linkedin Post, May 17, 2017; first published in Compliance Elliance Journal, Volume 3, Number 1, 2017.



http//: www.iglegalytics.com

Email: kenny@iglegalytics.com

Tags: Cybersecurity
Related Articles by Firm
Foreign Banks Allowed to Operate in Myanmar
After more than 50 years of banning, the Central Bank of Myanmar has issued the first final licenses allowing four foreign banks to operate in Myanmar.
Tanzanian Draft National Energy Policy of 2015
Highlights on the ongoing and upcoming industry developments with focus on the transition of the energy sector since the introduction of the Big Results Now! campaign
Mineral Rights Available in Tanzania
Overview of the mineral rights available in Tanzania, with specific focus on the various categories of mineral rights
The Legal Framework of the Aviation Sector in Tanzania
As attention turns to Tanzania’s trade and energy opportunities, the spotlight has fallen upon the nation’s infrastructure. This update focuses on the capabilities and issues of the Tanzanian aviation sector.
Oil price volatility - Offshore oil storage
Are there any legal concerns with tankers being used for floating storage?
Oil price volatility - risks and opportunities in 2015
While many companies can weather the oil price slide and volatility, some industry players face a real risk of insolvency.
India: Union Budget 2015
A bullet-point overview of changes in Direct Tax, Indirect Tax and Goods and Service Tax in India in light of Finance Minister Arun Jaitley’s first full-year Budget…
Prohibition against transfer of personal data outside Hong Kong
Section 33 of the Personal Data (Privacy) Ordinance (PDPO) prohibits the transfer of personal data to places outside Hong Kong, except in circumstances specified in the PDPO.
Security of payment under FIDIC contracts: more secure, for now
The High Court of Singapore recently handed down an important judgment in relation to the enforceability of Dispute Adjudication Board (DAB) decisions under the FIDIC forms of contract.
Insurance Laws (Amendment) Bill passed as Ordinance in India
The long-awaited Insurance Laws (Amendment) Bill has become a provisional law in India. The Bill amends the Insurance Act (1938), the General Insurance Business (Naturalisation) Act (1972), and the Insurance Regulatory and Development Act (1999).
SICC: now open for business
On Monday 5 January 2015, the Singapore International Commercial Court ("SICC") was officially opened...
Myanmar insurance update
Clyde & Co partner Michael Horn recently visited Myanmar's commercial capital Yangon and reports on the current state of the insurance market...
Launch of the online mining cadastre transactional portal
Plus, a summary of the key mineral rights available in Tanzania; and, a look at the manner in which mineral rights can be transferred.
Restrictions imposed on holders of mineral rights
This briefing looks at some of the restrictions imposed on holders of mineral rights in Tanzania by the Mining Act 2010
Draft local content policy for the oil & gas industry in Tanzania
The first draft of the long-awaited local content policy for the oil & gas industry in Tanzania has now been published by the Ministry of Energy and Minerals ...
Tanzania: Revocation of mining licences
The Tanzanian government recently announced the cancellation of a total of 174 mining licences. This mining update examines the key continuing obligations imposed by the Mining Act upon mining licence holders.
Mining Development Agreements
In this month’s mining briefing we look at Mining Development Agreements (MDAs) and the role that they play in the mining sector in Tanzania.
The Tanzanian railway system: current legal framework
The railway system of mainland Tanzania has a total track length of 3,676 kilometers (km) with two separate networks, run by two separate organisations ...
Related Articles
Keeping track of sanctions
Governments around the world are increasingly using economic sanctions and embargoes as a foreign policy tool ...
A crisis of compliance
Investigating allegations of compliance breaches is an expensive affair. Employee and third-party malfeasance remain a costly budget item on P&Ls across Asia ...
A new bed — a shared dream?
A discussion of the new China Foreign Investment Law and the creation of an Expert Committee to produce template documents for in-house counsel ...
Related Articles by Jurisdiction
When disaster strikes – seven lessons in handling a cyber attack
Proper preparation and planning can help organisations set out a clear path for responding to a cyber breach ...
Dispute Resolution Special Report
In this month’s Special Report on dispute resolution, we take a look at how Asia Pacific’s role as an international centre for dispute resolution, particularly arbitration, has grown against a backdrop of increasing cross-border transactions. As demand has ...
Navigating a shifting landscape
In the ongoing transformation of Asian capital markets, money flows are changing direction and new industries are rising across the region. But Hong Kong and Singapore regulators still set the pace, reports Eric J. Brooks.
Latest Articles
The New Normal: An interview with LOD’s head of innovation and design
We speak with Anthony Wright about the development of lexvoco, joining forces with LOD and the future of legal in Asia.
Don’t suffer FOMO* for Southeast Asia LegalTech!
Avoid the 'fear of missing out' by embracing the incredible opportunities technology offers.
Blown away by the IBA
Patrick Dransfield describes his experience as a speaker and delegate at this year's IBA conference in Seoul.