Cyber Security

Cyber security is a board-level risk, not just an IT priority.

In a digital age where online threats are progressing at an unprecedented pace, our team of cross-practice cyber lawyers deliver robust advice and support to clients across the globe.

We combine technical expertise with an in-depth knowledge of the evolving global legal and regulatory cyber landscape. Our knowledge comes from extensive client work, engagement with industry forums and key relationships with regulatory authorities and policymakers.

Our lawyers work closely with an internal specialist forensic team, comprising experienced accountants and forensic technologists based in London and New York. This forensics capability provides key benefits for clients in cyber incident response and investigations, including malware and ransomware cases, insider threat, data loss and network intrusions.

Our extensive track record includes working for client across the full spectrum of cyber advice. We focus on your risk approach and alignment with your wider cyber and operational resilience strategy, on a three-pronged approach, targeting governance, engagement, and response.

Areas in which we can support you include:

Governance

Leadership:
- Board risk oversight
- Organisational risk tolerance and appetite
Strategy:
- Operating structure and model
Information risk:
- Policies and standards
- Third party management
- Supply chain risk
- Transactional exposure
Compliance risk:
- Data protection and privacy
- Reporting frameworks
- Policy monitoring
- Risk assessments

Engagement

Education:
- Security education and awareness
Architecture:
- Business continuity planning
- Security architecture mapping (TOMs)
- Data mapping
- Product security
Monitoring:
- Legal risk monitoring and scoring
- Horizon scanning
Incident preparation:
- Practice exercises
- Communication planning
- Cyber incident plan design and refresh

Response

Security incident response:
- Crisis management support
- Complex internal investigations
- Forensics and document management support
- Notifications to authorities and law enforcement
- Engagement with stakeholders and data subjects
Public enforcement:
- Submissions and responses to regulators
- Challenging adverse decisions, penalties and appeals
- Regulatory engagement and policy
Private enforcement:
- Litigation risk
- Defending litigation
- Vicarious liability considerations
Remediation:
- Root cause and lessons learnt analysis
- Governance remediation
- Ongoing monitoring

Latest Insights

Webinar – AI Series: Data and cyber considerations for AI

Organisations developing, deploying or using AI systems and tools must navigate privacy, data protection and cybersecurity requirements alongside AI-specific regulations. These parallel, and at times overlapping, frameworks and rules raise new challenges but also enable fresh opportunities for organisations.

Learn more

Cybersecurity Handbook 2024

Our Cybersecurity Handbook aims to help organisations understand and comply with the diverse and evolving cybersecurity regulations that affect their activities.

Learn more

The EU Cyber Resilience Act is now a reality

The CRA introduces mandatory cybersecurity requirements for products with digital elements (PDEs) across the EU market. While the majority of its requirements will be applicable from 11 December 2027, some obligations start to apply sooner.

Our clients say:

“ Clifford Chance are able to deal with issues on a global scale and are able to help us understand where the regulatory environment is heading to. ”

Chambers & Partners: Data Protection & Information Law

“ They are careful with complex and sophisticated matters but also very practical within their guidance. ”

Chambers & Partners: Data Protection & Information Law

“ Clifford Chance’s data protection, privacy and cybersecurity practice provides strategic advice that is informed by its experience working for clients across different industries. ”

Legal 500: Data Protection, Privacy & Cybersecurity

Navigating cybersecurity and resilience in 2024

The global trend towards increased cybersecurity and resilience regulation will tighten existing requirements and affect a broader range of businesses than ever before. From updates in SEC and NYDFS cyber requirements, to Singapore’s proposed Cybersecurity Amendment Bill, our global panel featuring Megan Gordon, Holger Lutz, Oscar Tang, Alison Evans and David Olds examined developments in the US, APAC, Europe and the Middle East.

Find out more

Insights

Explore our insights

President Trump's first 7 days in office: what's out, what's in and what's still in for Tech? 30 January 2025
This article provides an overview of key tech-related developments during the second Trump administration's first seven days: what's out, what's in and what's still in. We will provide in-depth analyses and updates as these developments continue to evolve.

Bookmark
Critical Year for Cybersecurity Compliance 6 January 2025
This article examines the EU’s key legislative instruments – the NIS 2 Directive, Cyber Resilience Act (CRA) and Digital Operational Resilience Act (DORA) – which together harmonize cybersecurity standards across critical sectors such as infrastructure, digital products and financial services.

Bookmark
Impact of US ICTS supply chain focus on the automotive sector 24 December 2024
Foreign threats to the US information and communications technology and services (ICTS) supply chain constitute a national emergency. This briefing provides an overview of the Final Rule introduced by the Department of Commerce, other regulatory efforts focused on safeguarding ICTS for national security reasons and ICTS-related developments impacting the automative sector.

Bookmark
The test for "personal data" in the context of data breaches under UK data protection law 16 December 2024
In whose hands – the data controller's or the hacker's – should hacked data be assessed to determine if it is "personal data" under UK data protection law? On 4 November 2024, the UK Information Commissioner's Office (ICO) filed an application seeking permission to appeal the Upper Tribunal's recent decision relating to a personal data breach involving DSG Retail Ltd (DSG). The appeal focuses on the definition of "personal data" in UK data protection law and argues that the Upper Tribunal interpreted the term too narrowly in the context of this breach.

Bookmark
China issues cyber data security regulations 4 November 2024
On 30 September 2024, the State Council of the People's Republic of China promulgated the Administrative Regulations on Cyber Data Security (2024), which will take effect from 1 January 2025. This article provides an in-depth analysis of the key new requirements introduced by the CDS Regulations and their relevant impact.

Bookmark
Survey of Cybersecurity Disclosures in Annual Reports on Form 20-F Filed by Selected Well-Known Seasoned Issuers 7 October 2024
We have developed this survey to provide information to our clients and other interested parties about cybersecurity related disclosures included in annual rep...

Bookmark Download
Labour's approach to UK digital regulation 17 July 2024
The King's speech, setting out the new Labour government's proposed legislative programme, included only one brief reference to digital regulation – specifically, to the need for regulation of the development of the most powerful large language AI models – but, as ever, the devil is in the detail.

Bookmark
EU Cyber Resilience Act 6 December 2024
The EU Cyber Resilience Act (CRA) is now a reality. Published in the Official Journal of the European Union on 20 November 2024, the CRA establishes mandatory cybersecurity requirements for products with digital elements (PDEs) within the EU market. We have developed this briefing on key takeaways of the CRA. It looks at objectives, scope, risk categorisation, application, enforcement and penalties, key obligations and business preparedness.

Bookmark
Operational Resilience - CrowdStrike and Beyond 30 July 2024
On July 19, 2024, around 8.5 million Windows devices worldwide crashed, displaying the infamous "blue screen of death" when CrowdStrike, a digital security vendor, released a faulty software update. This article outlines certain key tactical considerations for organizations to address following an incident of this nature. It also examines proactive measures organizations may implement to reduce operational, legal, and reputational risks and costs attendant to similar technology malfunctions.

Bookmark
Cybersecurity and the ASX Listing Rules: Key Takeaways from the Updated Guidance Note 8 4 June 2024
The Australian Securities Exchange (ASX) has updated its Guidance Note 8 (effective 27 May 2024) which provides crucial insights for listed entities on managing and disclosing cyber incidents. We set out the key takeaways for listed entities in Australia.

Bookmark
Cybersecurity update Singapore's Cybersecurity Act extends its reach 13 May 2024
Singapore's Cybersecurity (Amendment) Bill was passed by the Parliament on 7 May 2024. Here are some key takeaways from amended Act.

Bookmark
Draft Rules for Cyber Incident Reporting for Critical Infrastructure Companies 1 May 2024
Article looks at the core tenets of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency's Notice of Proposed Rule Making detailing requirements for compliance with the Cyber Incident Reporting for Critical Infrastructure Act

Bookmark
Survey of Cybersecurity Disclosures in Annual Reports on Form 10-K Filed by Selected Well-Known Seasoned Issuers 31 May 2024
We have developed this survey to provide information to our clients and other interested parties about cybersecurity related disclosures included in annual rep...

Bookmark Download
Cybersecurity in Europe: where are we now? 26 January 2024
Four years into the 2020s there is a clear push in the European Union harmonisation of the rules within the cyber security landscape, with the financial services sector, devices, and cloud security being key areas of focus.

Bookmark
The SEC's Evolving Cybersecurity Enforcement Landscape: CISO Liability 12 January 2024
Bookmark
Court of Justice of the European Union on GDPR & Cybercrime 15 December 2023
The CJEU's decision that the fear of potential misuse of personal data can constitute 'non-material damage' could potentially lead to an increase in damage claims from data subjects following cyberattacks.

Bookmark
SEC adopts new cybersecurity disclosure requirements 4 August 2023
Bookmark
New Amendment to New York's Cybersecurity Requirements for Financial Services Companies: a Call to Swift and Urgent Action 6 December 2023
Bookmark
NIS 2 Directive: Europe revamps its cybersecurity framework 29 November 2022
On 28 November 2022, the Council of the European Union (EU) voted to adopt the Network and Information Systems Directive (EU) 2022/0383 (NIS 2). Seeking to exp...

Bookmark Download
DORA: What the new European framework for digital operational resilience means for your business 15 November 2022
On 10 November 2022, the European Parliament voted to adopt a new EU regulation on digital operational resilience for the financial sector (DORA). With obliga...

Bookmark Download