The Financial Times’ Cyber Resilience Summit: Europe gathered senior strategic and operational leaders, innovators and other experts to address evolving cybersecurity risks. The programme focused on the latest innovations in cyber governance, and the opportunities for collaboration to secure and leverage technology and other assets that can protect key sectors including finance, critical infrastructure, healthcare, utilities and more.

You can watch a key panel discussion from the event on cyber resilience in the board room below as well as read our key takeaways from the summit.


Cyber resilience in the boardroom – Strategy, leadership and governance

Cyber security and intellectual property partner Peter Dalton took the stage at the FT Live Cyber Resilience Summit, joining a panel of experts to tackle the industry's most critical cybersecurity challenges. From quantifying cyber risk to aligning cybersecurity with corporate governance and navigating an evolving regulatory landscape, the discussion offered invaluable insights for building a more secure digital future. Watch the panel discussion below.


Andrew Moir, Global Head of Cyber & Data Security, and Miriam Everett, Global Head of Data Protection and Privacy, share their perspectives from the Summit, evaluating future risks and how the rapidly changing cyber and data landscapes affect businesses.

Artificial intelligence – Friend and foe

There was much discussion during the conference on artificial intelligence and how it is changing the cyber security landscape.

When generative AI (GenAI) first came onto the scene, there was much speculation as to whether threat actors would use it to accelerate each stage of the attack kill chain. While that was the fear, the consensus among those at the conference was that it had not yet materialised to a significant extent. Instead, artificial intelligence (and machine learning) was being used principally for defensive purposes, such as spotting anomalous or malicious activity on networks or systems using models trained on firewall logs or other artefacts.
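The defensive use described above, as an added example that is not code from the summit, from the authors or from any vendor: a small baseline-and-deviation detector run over constructed firewall log lines. It learns each source's normal connection volume and destination ports from several historical windows, then flags a new window for volume spikes, never-before-seen ports and scan-shaped traffic. The log format, field names, IP addresses and thresholds are all assumptions for illustration.

```python
import re
import statistics
from collections import defaultdict

# Assumed log format for this example; adapt LOG_RE to your firewall's export.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse(lines):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["dport"] = int(ev["dport"])
            events.append(ev)
    return events


def profile(events):
    """Per-source summary of one time window: connection count, ports, hosts per port."""
    prof = defaultdict(lambda: {"n": 0, "ports": set(), "hosts_by_port": defaultdict(set)})
    for ev in events:
        p = prof[ev["src"]]
        p["n"] += 1
        p["ports"].add(ev["dport"])
        p["hosts_by_port"][ev["dport"]].add(ev["dst"])
    return prof


def build_baseline(windows):
    """Learn each source's normal volume and port set from several historical windows."""
    profiles = [profile(parse(w)) for w in windows]
    sources = set().union(*[set(p) for p in profiles])
    baseline = {}
    for src in sources:
        # A source absent from a window contributed zero connections to it.
        counts = [p[src]["n"] if src in p else 0 for p in profiles]
        ports = set().union(*[p[src]["ports"] for p in profiles if src in p])
        baseline[src] = {
            "mean": statistics.mean(counts),
            "stdev": statistics.pstdev(counts),
            "ports": ports,
        }
    return baseline


def detect_anomalies(baseline, window, z_threshold=3.0, min_hosts=10):
    """Return (source, rule, detail) findings for one window measured against the baseline."""
    findings = []
    for src, p in profile(parse(window)).items():
        base = baseline.get(src)
        if base is None:
            findings.append((src, "unseen source", f"{p['n']} connections"))
            continue
        # Volume spike: z-score against this source's own history; stdev is floored
        # at 1 so a perfectly regular history does not divide by zero.
        z = (p["n"] - base["mean"]) / max(base["stdev"], 1.0)
        if z > z_threshold:
            findings.append((src, "volume spike", f"n={p['n']} mean={base['mean']:.1f} z={z:.1f}"))
        new_ports = p["ports"] - base["ports"]
        if new_ports:
            findings.append((src, "new destination port", ",".join(map(str, sorted(new_ports)))))
        # One port across many hosts is the shape of a horizontal scan, baseline or not.
        for port, hosts in p["hosts_by_port"].items():
            if len(hosts) >= min_hosts:
                findings.append((src, "horizontal scan pattern", f"{len(hosts)} hosts on port {port}"))
    return findings


def make_window(hour, rows):
    """Build constructed log lines for one hour; rows are (action, src, dst, dport)."""
    return [
        f"2024-05-01T{hour:02d}:00:{i % 60:02d}Z {a} src={s} dst={d} dport={dp} proto=tcp"
        for i, (a, s, d, dp) in enumerate(rows)
    ]


# Constructed traffic: a workstation and a server with steady, boring habits.
NORMAL = (
    [("ACCEPT", "10.0.0.5", "203.0.113.10", 443)] * 20
    + [("ACCEPT", "10.0.0.5", "10.0.0.2", 53)] * 5
    + [("ACCEPT", "10.0.0.7", "203.0.113.10", 443)] * 5
)
BASELINE_WINDOWS = [make_window(h, NORMAL) for h in range(5)]
# Window under test: 10.0.0.7 additionally probes RDP on 60 internal hosts.
TEST_WINDOW = make_window(9, NORMAL + [("DROP", "10.0.0.7", f"10.0.1.{i}", 3389) for i in range(1, 61)])


def run_example():
    return detect_anomalies(build_baseline(BASELINE_WINDOWS), TEST_WINDOW)


if __name__ == "__main__":
    for finding in run_example():
        print(finding)
```

Run as-is, the detector is silent on the quiet workstation and raises three findings against 10.0.0.7 (volume spike, new port 3389, 60 hosts on one port). The "unseen source" rule is the noisiest of the four in environments with DHCP churn, and the statistical rule is only as good as the history it is trained on; a real deployment would use far more windows, per-hour baselines and tuned thresholds, which is the point of training such models on firewall logs in the first place.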

Andrew comments "The challenge with monitoring offensive use of GenAI is that we can't necessarily see it in use from the end-result. We can't tell by looking at a phishing e-mail, for example, whether GenAI contributed to the drafting. Research published by OpenAI does however indicate that malicious threat actors are trying to leverage GenAI. Safeguards are in place on ChatGPT that mean it will politely decline if, for example, you ask it to author code to exploit a vulnerability. But there are also well-documented prompt injection attacks that mean that policing malicious use of GenAI is going to become increasingly difficult."

AI can also play a protective role, for example in software that uses AI to help prevent data loss by warning users when an e-mail appears to be misaddressed, or when it contains a large quantity of personal data. Such tools also raise user awareness of cyber security: the view was that a "perpetual nudge" on cyber security issues beats a single two-hour training session per year.
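One way such a "nudge" can work in practice, as an added example that is not from the original page or from any product discussed at the summit: before a message is sent, compare each recipient's domain against the domains the user habitually writes to (a near miss such as a transposed letter is a likely misaddress), and count personal-data patterns in the body so a bulk export is called out. The sent-mail history, the draft message and the regular expressions (including a simplified National Insurance number pattern) are constructed assumptions; a shipped product would use a trained classifier rather than fixed thresholds.

```python
import re
from collections import Counter
from difflib import SequenceMatcher

# Personal-data patterns for the body. Deliberately simple and UK-flavoured; the
# National Insurance pattern is a simplification of the real allocation rules.
PII_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"(?<!\d)(?:\+44\s?7\d{3}|07\d{3})\s?\d{3}\s?\d{3}\b"),
    "ni_number": re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b"),
}


def domain(address):
    return address.rsplit("@", 1)[-1].lower()


def known_domains(sent_history):
    """Domains the user has sent to before, with how often."""
    return Counter(domain(a) for a in sent_history)


def lookalike_domain(dom, known, min_ratio=0.85):
    """Return the best-matching known domain if dom is a near miss of it, else None."""
    if dom in known:
        return None
    best, best_ratio = None, 0.0
    for candidate in known:
        ratio = SequenceMatcher(None, dom, candidate).ratio()
        if ratio >= min_ratio and ratio > best_ratio:
            best, best_ratio = candidate, ratio
    return best


def count_pii(body):
    return {name: len(pattern.findall(body)) for name, pattern in PII_PATTERNS.items()}


def nudges(recipients, body, sent_history, pii_threshold=5):
    """Warnings to show the user before sending; an empty list means send silently."""
    known = known_domains(sent_history)
    warnings = []
    for recipient in recipients:
        look = lookalike_domain(domain(recipient), known)
        if look:
            warnings.append(f"'{recipient}' looks like a misspelling of {look}, which you email often")
    counts = count_pii(body)
    total = sum(counts.values())
    if total >= pii_threshold:
        detail = ", ".join(f"{name}: {n}" for name, n in counts.items() if n)
        warnings.append(f"message contains {total} personal-data items ({detail}); check every recipient needs them")
    return warnings


# Constructed sent-mail history and draft message (example data, not real people).
SENT_HISTORY = ["alice@globex.example"] * 12 + ["bob@initech.example"] * 3
BODY = """Hi team,
Onboarding details for the new starters:
alice@globex.example, 07700 900123, AB123456C
bob@globex.example, 07700 900456, CD123456A
carol@globex.example
"""


def run_example():
    return nudges(["dana@globex.exmaple", "bob@initech.example"], BODY, SENT_HISTORY)


if __name__ == "__main__":
    for warning in run_example():
        print("NUDGE:", warning)
```

The example raises two warnings for the draft: the transposed "globex.exmaple" is matched back to globex.example, and the body trips the personal-data threshold with seven items. The similarity cut-off is the sensitive setting; set it too low and every unfamiliar domain becomes a nudge, which is exactly the kind of alert fatigue that undermines the "perpetual nudge" the panel favoured.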


There was a general consensus that geopolitical risk (including state-sponsored attacks by advanced persistent threat (APT) groups) had increased significantly. There had been 20 significant attacks on critical infrastructure across Europe in recent times, eight of which directly targeted operational technology.

Interestingly, cyber has shifted much of the intelligence on threat groups and nation state activity from intelligence agencies to the private sector. This is partly driving collaboration between intelligence agencies and private-sector security and threat intelligence firms, as well as knowledge-sharing initiatives such as the Cyber Security Information Sharing Partnership (CiSP).

Increasingly, intelligence agencies are publicly attributing attacks to the nation state involved. If that nation state then stays quiet, this is generally a good indicator that the attribution is correct.

The war in Ukraine has also been the first occasion where offensive cyber has been fully integrated into warfare.

Andrew comments "There are well-documented examples of nation state activity having real-world effects, for example the cyber attack in Ukraine in 2015 which resulted in power outages for approximately 230,000 people. This is not a new phenomenon – another often cited example is the Stuxnet malware, that was used to attack the industrial control systems of nuclear facilities in Iran".

Supply chain vulnerability

In more than one panel session, the issue of supply chain vulnerability was raised. Although threat actors gaining access via third-party suppliers remains a key area of concern (with discussion of appropriate due diligence on vendors and suppliers), the panellists also discussed the indirect impact of suppliers themselves suffering cyber attacks. The potential knock-on effect of suppliers being unable to provide products or services was front of mind for some organisations.

Miriam comments “Given the recent EDPB opinion on processors and subprocessors in the supply chain, it is clear at least from a personal data perspective that the European regulators want there to be full visibility of the length and extent of each and every supply chain. Whilst this could be beneficial from a cyber risk mitigation perspective, the practical challenges cannot be underestimated in an increasing digital economy. From another perspective, the ICO has also recently announced its intention to levy its first ever fine against a processor for failure to implement adequate security measures.”


There was some discussion around the threats presented by quantum computing, and in particular the need for post-quantum cryptography. The consensus seemed to be that organisations did not consider it a priority relative to other, more pressing threats. This sentiment was echoed by Stephen Bonner (Deputy Commissioner of the Information Commissioner's Office, who has responsibility for leading supervision and enforcement matters across the ICO), who observed that the priority should be to get the basics right. It remained the case that most incidents (and most of the enforcement action the ICO takes) could have been mitigated by five basic risk management measures: (i) implementing multi-factor authentication; (ii) implementing adequate logging; (iii) monitoring that logging so that incidents are identified quickly once they occur; (iv) using strong passwords; and (v) an adequate patching strategy.

Miriam comments “From an ICO perspective, the regulator will also be well aware that significant enforcement action under the UK GDPR (and the GDPR before it) has been infrequent and not always successful, with a number of significant ICO enforcement procedures being wholly or partly challenged/appealed. This may go some way to explaining why the regulator is keen to encourage all organisations to get the basics right on compliance, rather than having to focus regulatory time and resource on sanctions and enforcement.”

It was also clear that cyber security is now a regulatory focus in many geographies. There was much discussion of new legislation such as DORA, NIS2 and the European Cyber Resilience Act (CRA), whether it was "tough enough", and the impact of numerous Member States failing to transpose NIS2 in particular by the deadline. Christiane Kirketerp de Viron (Acting Director for Digital Society, Trust and Cybersecurity, DG CONNECT, European Commission) reiterated that the Commission's view is that proper implementation of NIS2 is essential, and that it is in close contact with Member States on this.

Andrew adds: "We are now seeing this play out in that, the day after the conference, the European Commission has opened infringement procedures in respect of 23 Member States that have missed the deadline to transpose the NIS2 Directive into national law. This effectively gives those Member States two months to respond and to complete the transposition".

We are also seeing a shift in the regulatory landscape from being reactive (for example, dealing with incidents or data breaches, as with the GDPR) to being pro-active (for example, regulators undertaking audits and issuing penalties under NIS, without there necessarily having been an incident or outage).

Key contacts

Andrew Moir
Partner, Intellectual Property and Global Head of Cyber & Data Security, London

Miriam Everett
Partner, Global Head of Data Protection and Privacy, London

Peter Dalton
Partner, London
