What makes a great lawyer in a cyber incident response?

This is a key question that I explored during part 2 of our podcast with Professor @Ciaran Martin, a world leading cyber thought leader.

The questions challenged Ciaran but he answered it succinctly as “one do and one don’t”. The best incident leaders loosen control (the “do”), rather than tighten it (the “don't”). A damaging instinct in a crisis (often driven by impractical lawyering) is locking everything down and keeping help out for fear of liability. In practice, faster recovery usually comes from working openly with the broader cyber response community. Most people genuinely want to help.

Here were my other favourite pieces of wisdom shared by Ciaran coming out of the discussion.

1. The “pyramid of liability” has inverted. When something goes wrong, we still reach for the easiest explanation – i.e. “someone clicked the link”. That’s comforting, but it misses the point. Most incidents are really about upstream failures — poor software design, weak procurement choices, and a lack of accountability for vendors and platforms. Blaming frontline users (including our corporates) just ignores the real source.
2. Transparency after an incident doesn’t destroy trust, but builds it. There’s a strong instinct (again, I'm sorry, but often driven by legal) to say as little as possible. But if you actually look at major incidents over time, the organisations that were sensibly open about what happened and what failed didn’t suffer lasting reputational or commercial damage. If anything, they earned goodwill — from regulators, peers and the broader ecosystem. The "what" are questions of fact and are often not protected by privilege anyway.
3. Cyber planning breaks down when it obsesses over data and ignores continuity. There are numerous examples in the healthcare space. Legal duties pushed decision‑makers to prioritise protecting data over keeping life‑saving services running. That’s a structural flaw. In some crises, loss of service is far more harmful than loss of data — yet our frameworks don’t always reflect that.
4. Along this line, operational outages are more dangerous than data breaches — and we’re not ready for them. When ports, airlines or hospitals go down, the economic and social impact is immediate and severe. These aren’t just “bigger data breaches”; they’re a different category of risk altogether. Australia hasn’t yet experienced one at scale, but when it does, the shock will be national. It's certainly my biggest fear.
5. Ransomware only works if we treat threats as credible. Data extortion relies on panic and amplification. Australia’s experience shows that when institutions, media and law enforcement refuse to play along — and don’t amplify stolen data — attackers lose leverage, even if data technically leaks. The economics of the cyber criminal model collapse surprisingly quickly.

There’s loads more in the full podcast (~20 minutes). Definitely worth a save and watching or listening on your commute to/from work. This is cross examining Professor Ciaran Martin – Part 2. Here we go…

In this episode of Insurance Bites, Greig Anderson, Partner, and Sarah Irons, Knowledge Counsel, from the Insurance & Professional Risks team, look at key developments impacting policyholders and the risks they face in the coming months. Topics explored include cyber risks and AI, evolving liability exposures (including changes to product liability legislation, PFAS and what is new in climate change related litigation), developments relevant to D&O cover, Government proposals on captives and SME terrorism cover.

Below you can find links to our blog posts on the developments and cases covered in this podcast:

• HSF Kramer AI Tracker – Tracking AI law and policy globally
• UK government looks set to introduce ransomware payment ban and mandatory reporting
• Major changes to UK Cyber Legislation: Cyber Security and Resilience Bill published in UK Parliament
• UK Jurisdiction Taskforce consults on draft legal statement on liability for AI harms
• UK Insurance Regulation: looking ahead to 2026
• Modernising the redress system: Fair and reasonable changes?
• Lliuya v. RWE – Landmark German ruling recognising potential liability in principle of a local emitter for climate change harms in a foreign jurisdiction
• Milieudefensie Takes Legal Action Against ING Over Climate Impact
• High Court allows case to proceed against defendant companies domiciled in England despite claims having more real and substantial connection with Brazil
• Preliminary update in case regarding Shell responsibility for legacy oil pollution in Nigeria
• FCA advances next steps on non-financial misconduct
• Capital markets – new UK prospectus regime in force from 19 January

In this episode, we are joined by Professor Ciaran Martin, one of the globe's leading cyber thought leaders. He is often called upon by Governments, Government agencies and the private sector alike. He is also currently taking a leading educational role, demystifying the cyber space. Ciaran was the former head of the National Cyber Security Centre in the UK and played a critical role supporting the Australian Government in the creation of the Cyber Security Strategy.

Our discussion with Ciaran was so interesting that we have broken it into two. In this part 1, we talk about Ciaran's various roles and how he has become such an important voice in the cybersphere. We also talk about the impact of geopolitics on the cyber threat.

We know you are going to enjoy this discussion. Here we go...