My work as a cyber risk lawyer
Norton Rose Fulbright lifer Steven Hadwin discusses working on some of the most high-profile data breaches covered by the press, ahead of tomorrow’s virtual student event
Coming from an insurance background, Steven Hadwin crossed paths with cyber law shortly after qualifying and now works in Norton Rose Fulbright’s (NRF) global Information Governance, Privacy and Cybersecurity team.
Having studied law and French at Newcastle University, Hadwin joined NRF as a trainee in 2010. From here, he took up a newly qualified (NQ) position at the firm specialising in contentious insurance disputes, where he become fascinated with the interaction between technology and legal risk.
Following qualification, he was given the opportunity to work on large-scale insurance claims relating to computer crime — his first taste of cyber-related legal work. He also developed an interest in cyber insurance, which at the time was a relatively new product on the market, and remains a key element of his work.
From there, Hadwin continued to develop his interest in the intersection between information security and legal and regulatory risk — and worked with colleagues to position NRF as a market-leader in the cybersecurity space.
Now director and head of operations in the Information Governance, Privacy and Cybersecurity team, Hadwin’s practice stretches beyond the cyber insurance remit, to include some of the most high-profile data breaches covered by the press. He tells me:
“Having set out to be an insurance lawyer, I’m definitely now more of a cybersecurity lawyer today — I’ve moved from primarily advising in the cyber insurance realm, to all kinds of clients who face cybersecurity issues.”
Hadwin is also part of what is now a global legal risk team at the firm. Discussing the expansion of the group, he tells me, “to start with, we were working in what was thought of as quite an esoteric area — but the team has expanded over the past four to five years and now incorporates over 100 people”.
The global group is made up of people with a variety of backgrounds too — from data protection and privacy specialists, to investigations lawyers and traditional litigators. Team members have diverse professional backgrounds — from law enforcement to government departments and tech start-ups.
Commenting on the group, Hadwin says:
“It’s a real mix of backgrounds and perspectives and I think you need that in this area. You’re dealing with a situation where you need to understand the threat and the risk landscape, and equally you need to know the technical detail around what has happened — without this you can’t properly advise your clients on the potential legal and regulatory implications of something.”
One of the most interesting and challenging parts of his day-to-day work involves dealing with clients that have been the subject of extortion attacks by sophisticated threat groups. These groups often engage in ransomware and data theft extortion, meaning that as a lawyer here, you’re involved in some of the biggest decisions regarding how to get a company back on its feet again at the same time as advising on specific legal and regulatory matters. Attacks can also involve third parties looking to steal trade secrets, intellectual property, or valuable information for political or industrial espionage, meaning there are often national security concerns at stake.
For lawyers at the start of their career, this is an exciting new practice area, and somewhere you can now qualify into at NRF via their cyber team. As Hadwin tells me, this area of law is particularly well suited to those interested in geopolitics, with cyber-attacks often being cross-border and underpinned by political motivations.
Cyber is also an area where the tech is always changing. What attackers are now using is far more sophisticated, and so is the tech used to prevent against such attacks. As a result, “if the future of both security and risk interests you, this is an area you should consider”, Hadwin advises.
While a lot of firms now have strong teams in this area, the breadth of expertise varies. Hadwin’s core piece of advice would be to focus your attention on firms that offer teams with what he calls the “magic combination” of backgrounds. This includes people that understand (i) the threat and risk landscape (ii) the technical details and (iii) the black letter law and regulation. While some firms have all the above, there’s still not a huge number that do.
As an NRF lifer, Hadwin praises the firm’s willingness to invest in new practice areas, which has been crucial to his own career path. For him, this involved the firm being open to creating a slightly unusual new role when he was only a few years PQE, specifically so he could continue what he was doing in cybersecurity law at the time. Rounding our discussion off, Hadwin says:
“There’s a willingness at NRF to think creatively about how we are helping our clients and doing business, and that outlook has been key to getting me to where I am today.”
Steven Hadwin will be speaking alongside other lawyers in the global legal risk team at ‘Managing global legal risk — with Norton Rose Fulbright’, a virtual student event taking place tomorrow, on Tuesday 21 September. You can apply for one of the final few (and free) places to attend the event now.