Cyber security is a board-level risk, not just an IT priority.
In a digital age where online threats are progressing at an unprecedented pace, our team of cross-practice cyber lawyers delivers robust advice and support to clients across the globe.
We combine technical expertise with an in-depth knowledge of the evolving global legal and regulatory cyber landscape. Our knowledge comes from extensive client work, engagement with industry forums and key relationships with regulatory authorities and policymakers.
Our lawyers work closely with an internal specialist forensic team, comprising experienced accountants and forensic technologists based in London and New York. This forensics capability provides key benefits for clients in cyber incident response and investigations, including malware and ransomware cases, insider threat, data loss and network intrusions.
Our extensive track record includes working for clients across the full spectrum of cyber advice. We focus on your risk approach and its alignment with your wider cyber and operational resilience strategy, using a three-pronged approach that targets governance, engagement, and response.
Challenging adverse decisions, penalties and appeals
Regulatory engagement and policy
Private enforcement:
Litigation risk
Defending litigation
Vicarious liability considerations
Remediation:
Root cause and lessons learnt analysis
Governance remediation
Ongoing monitoring
Introducing the new and improved Clifford Chance Cyber Assist app
The updated Clifford Chance Cyber Assist app is your partner for navigating the complexities of cybersecurity. Whether you're dealing with a cyber incident or staying informed on the latest regulations, Cyber Assist is here to support you.
Webinar – AI Series: Data and cyber considerations for AI
Organisations developing, deploying or using AI systems and tools must navigate privacy, data protection and cybersecurity requirements alongside AI-specific regulations. These parallel, and at times overlapping, frameworks and rules raise new challenges but also enable fresh opportunities for organisations.
Our Cybersecurity Handbook aims to help organisations understand and comply with the diverse and evolving cybersecurity regulations that affect their activities.
The CRA introduces mandatory cybersecurity requirements for products with digital elements (PDEs) across the EU market. While the majority of its requirements will be applicable from 11 December 2027, some obligations start to apply sooner.
“Clifford Chance are able to deal with issues on a global scale and are able to help us understand where the regulatory environment is heading to.”
“They are careful with complex and sophisticated matters but also very practical within their guidance.”
“Clifford Chance’s data protection, privacy and cybersecurity practice provides strategic advice that is informed by its experience working for clients across different industries.”
Navigating cybersecurity and resilience in 2024
The global trend towards increased cybersecurity and resilience regulation will tighten existing requirements and affect a broader range of businesses than ever before. From updates in SEC and NYDFS cyber requirements, to Singapore’s proposed Cybersecurity Amendment Bill, our global panel featuring Megan Gordon, Holger Lutz, Oscar Tang, Alison Evans and David Olds examined developments in the US, APAC, Europe and the Middle East.
On 27 March 2025, the Information Commissioner's Office (ICO) imposed a fine of £3.1 million on Advanced Computer Software Group Ltd (Advanced) for security failings that compromised the personal data of 79,404 individuals and caused disruption to the provision of essential healthcare services. What happened, and what are the key takeaways for businesses?
The French Prudential Supervision and Resolution Authority (ACPR) clarified that administrative financial penalties are uninsurable under French law, significantly impacting how organizations manage compliance risks, especially in data protection and cybersecurity. This decision compels businesses operating in France to reinforce internal compliance frameworks, clearly distinguishing between insurable operational losses and uninsurable regulatory fines.
Quantum technology, although nascent, has the potential to revolutionise computing and to reshape geopolitics as nations race to secure a foothold in this cutting-edge field. However, this technology comes with enormous risks. In this article we explore the challenges and opportunities that lie ahead, together with legal and regulatory concerns, as a number of jurisdictions impose export controls and other restrictions on quantum technology.
This article provides an overview of key tech-related developments during the second Trump administration's first seven days: what's out, what's in and what's still in. We will provide in-depth analyses and updates as these developments continue to evolve.
This article examines the EU’s key legislative instruments – the NIS 2 Directive, Cyber Resilience Act (CRA) and Digital Operational Resilience Act (DORA) – which together harmonize cybersecurity standards across critical sectors such as infrastructure, digital products and financial services.
Foreign threats to the US information and communications technology and services (ICTS) supply chain constitute a national emergency. This briefing provides an overview of the Final Rule introduced by the Department of Commerce, other regulatory efforts focused on safeguarding ICTS for national security reasons, and ICTS-related developments impacting the automotive sector.
In whose hands – the data controller's or the hacker's – should hacked data be assessed to determine if it is "personal data" under UK data protection law? On 4 November 2024, the UK Information Commissioner's Office (ICO) filed an application seeking permission to appeal the Upper Tribunal's recent decision relating to a personal data breach involving DSG Retail Ltd (DSG). The appeal focuses on the definition of "personal data" in UK data protection law and argues that the Upper Tribunal interpreted the term too narrowly in the context of this breach.
On 30 September 2024, the State Council of the People's Republic of China promulgated the Administrative Regulations on Cyber Data Security (2024), which will take effect from 1 January 2025. This article provides an in-depth analysis of the key new requirements introduced by the CDS Regulations and their relevant impact.
We have developed this survey to provide information to our clients and other interested parties about cybersecurity related disclosures included in annual rep...
The King's speech, setting out the new Labour government's proposed legislative programme, included only one brief reference to digital regulation – specifically, to the need for regulation of the development of the most powerful large language AI models – but, as ever, the devil is in the detail.
The EU Cyber Resilience Act (CRA) is now a reality. Published in the Official Journal of the European Union on 20 November 2024, the CRA establishes mandatory cybersecurity requirements for products with digital elements (PDEs) within the EU market. We have developed this briefing on key takeaways of the CRA. It looks at objectives, scope, risk categorisation, application, enforcement and penalties, key obligations and business preparedness.
On July 19, 2024, around 8.5 million Windows devices worldwide crashed, displaying the infamous "blue screen of death" when CrowdStrike, a digital security vendor, released a faulty software update. This article outlines certain key tactical considerations for organizations to address following an incident of this nature. It also examines proactive measures organizations may implement to reduce operational, legal, and reputational risks and costs attendant to similar technology malfunctions.
The Australian Securities Exchange (ASX) has updated its Guidance Note 8 (effective 27 May 2024) which provides crucial insights for listed entities on managing and disclosing cyber incidents. We set out the key takeaways for listed entities in Australia.
This article looks at the core tenets of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency's Notice of Proposed Rule Making, which details requirements for compliance with the Cyber Incident Reporting for Critical Infrastructure Act.
Four years into the 2020s, there is a clear push in the European Union towards harmonisation of the rules within the cyber security landscape, with the financial services sector, devices, and cloud security being key areas of focus.
The CJEU's decision that the fear of potential misuse of personal data can constitute 'non-material damage' could potentially lead to an increase in damage claims from data subjects following cyberattacks.
On 28 November 2022, the Council of the European Union (EU) voted to adopt the Network and Information Systems Directive (EU) 2022/0383 (NIS 2). Seeking to exp...
On 10 November 2022, the European Parliament voted to adopt a new EU regulation on digital operational resilience for the financial sector (DORA).
With obliga...