
THEOS Cybernova
THEOS CyberNova is a cutting-edge podcast that explores the dynamic world of cybersecurity, hosted by THEOS Cyber CEO Paul Jackson.
Each episode delves into the latest trends, challenges, and innovations shaping the cybersecurity landscape, featuring insights from industry experts, thought leaders, and technologists. Paul brings his expertise and passion for cyber security to engaging discussions on topics ranging from emerging threats and data privacy to the future of AI in cyber defense.
Whether you're a professional in the field or simply curious about staying safe in the digital age, THEOS CyberNova offers an invaluable insight into the world of cybersecurity.
THEOS Cybernova Ep. 5 - Jonathan Crompton: Crisis Leadership When Cyber Attacks Strike
What happens when a ransomware attack hits, and every decision counts?
Jonathan Crompton, Partner at Reynolds Porter Chamberlain (RPC) and Head of Cyber Response for Asia, takes us behind the scenes of cyber crisis management. With extensive expertise in cross-border disputes, cyber incident response, and data protection, Jonathan explains how legal strategy and clear decision-making can mean the difference between recovery and chaos.
In this episode, host Paul Jackson dives into the realities of managing a breach, from evaluating ransomware demands and navigating regulatory obligations to building the right response team. Together, they uncover the critical steps and decisions companies must make during high-stakes incidents, while highlighting the importance of preparation and collaboration in mitigating risks.
If you’ve ever wondered what happens when a cyber crisis unfolds or how legal and crisis management come together during a breach, this episode offers practical insights and expert advice to help you stay resilient in today’s cyber realm.
Production Credits:
Presented by: Paul Jackson
Studio Engineer & Editor: Roy D'Monte
Executive Producers: Paul Jackson and Ian Carless
Co-produced by: Theos Cyber and W4 Podcast Studio
Paul: 0:00
Wherever you are in the world, hello and welcome to Theos Cybernova Podcasts. Before we begin, I've got a quick favour to ask from you. There's one simple way that you could support our show, and that's by hitting the follow or subscribe buttons on the app that you're listening to the show on right now. It makes a huge difference in helping to get the show out there to as many people as possible. So, please, please, give us a hand and click that button now. Thank you very much.
Jonathan: 0:35
The Theos Cybernova podcast hosted by Paul Jackson.
Paul: 0:40
Welcome to another episode of Theos Cybernova podcast. I'm Paul Jackson and each week I'm digging into the latest trends, challenges and innovations shaping the cybersecurity landscape, as well as talking to a fantastic mix of leading industry experts, thought leaders, technologists, legal eagles, with a particular focus on the Asia-Pacific region. So, whether you're a professional in the field or simply curious about staying safe in the digital age, we hope Theos Cybernova will offer up valuable knowledge and actionable insights for everyone. So today, I'm delighted to welcome Jonathan Crompton to the show. Jonathan is also based in Hong Kong, so he's sat opposite me right now and it's a real pleasure to see you again, Jonathan. We've known each other for a number of years right now, but perhaps you'd share your background with the audience to get to know you better before we start the conversation.
Jonathan: 1:39
Yeah, thanks, Paul, and thank you very much for having me. I think it's very interesting and exciting that you're doing these podcasts, and I think podcasts are a great way of reaching an audience that probably isn't normally reached. So I'm very happy to be here. Although I'll leave it for other people to say whether I'm a leading cyber light, I think the first thing I have to say is that I am a disputes and investigations lawyer by training. I trained in London and was working for a very large international English firm focusing on disputes and investigations in the finance industry. But how I ended up running a cyber incident response team probably goes back a bit further than that, and before even my interest in law, because I've always been interested in tech to a degree.
Jonathan: 2:28
My father was a techie, he was a high-frequency radio technician in the Air Force, and so I grew up surrounded by the latest personal computers, whether it was a ZX Spectrum, a Commodore 64, an Amiga. I always had a computer around me. But, being of the cusp generation, the Oregon Trail generation, unfortunately we didn't really have computers in our schools. We had an aim in our school to have one computer in every classroom if they could. We ended up having a computer lab and occasionally we would have word processing classes. So my wife tells me I type like a crab with my thumb and first fingers. So I'm not a computer programmer or coder, but I've always grown up with tech around me.
Jonathan: 3:16
Skipping forward a few years, I studied at King's College, London, and that's the university that naturally breeds private practice lawyers. So I very soon found myself in a big firm in London, and in my day job I had always taken an interest in the technological parts of being a lawyer, so, for example, eDiscovery. As a junior lawyer, that interested me a lot: how to make the job of reviewing documents easier. As I progressed, the financial regulatory obligations for black box trading and eventually, as it started to become a hot topic, regulatory obligations around cyber incidents and data breaches. But I still was not really working in the cyber sphere, and in 2017 I joined RPC. RPC is very well known as an insurance firm.
Jonathan: 4:05
As I've said, I'm not an insurance lawyer, but at the same time as I joined, we launched our cyber response service out here, which was offered as, I'd say, a bit of a triumvirate. So it was offered out as us as the pointy end of the spear, as the incident response manager, with a forensic investigator, a designated forensic investigator, and a communications agency, again a designated communications agency. That worked slowly to start with, because there weren't that many incidents, and a couple of years later, about a year and a half later, the counsel that was running that team left the firm and I was asked if I would like to take it up, and I did.
Jonathan: 4:45
I spent a couple of months getting up to speed with our procedures and how we operate and then, summer 2019, cyber just exploded out here, and that might be because of the insurers that we were working with and who they had written policies for. But from then on I've been leading the team, often the person at the end of the phone call, until we grew the rota big enough that I didn't have to be the person on the end of the call, and we just built up significant experience over the past, what are we talking about, five, six years now?
Paul: 5:15
And we'll talk about some of those experiences, because obviously we've worked together on quite a number of, let's call them, incidents. But before we kick off with some of these questions, you're obviously supremely well-educated, you're a lawyer after all, right, and very well-spoken. So we only just launched this podcast, and one of my fiercest critics is my dad. So my dad was a former schoolmaster. He never uses the word teacher. That's beneath him, right? Schoolmaster. And he commented, he said, I've listened to your first three podcasts and great job, he said. And I've gone,
Paul: 5:59
Wow, praise from my father, fantastic. But he said I've got one nitpick to share with you. And he said every time you agree with one of your guests, you say yeah. He says that's not right. You've got to say yes. Let's use the English language properly. So you're a very eloquent person, so if you hear me say yeah, correct me and tell me to say yes. So keep my dad happy, get behind us. Let's talk a little bit about Hong Kong. You're here with me in Hong Kong. How did you end up here, though, and do you like it? You love being here. You're comfortable here.
Jonathan: 6:26
Absolutely, and this isn't blind loyalty to the place that I live at all. It's an active decision that I've made a few times. Whilst training at this international firm, I'd lived in London for about 10 years, on and off, and, as I said, my father was in the Air Force and I grew up largely overseas. I got itchy feet after about 10 years in London and, at the start of the global financial crisis in 2008, the firm asked if anybody wanted to move to Hong Kong for a two-year secondment. Typical expat story in Hong Kong: do you want to go to Hong Kong for two years? And I put my hand up. That was mid-2008. I moved here in November 2008. And I've been here for 16 years.
Jonathan: 7:19
What I love about the city now still applied then. Obviously, the city's changed. We can talk about that a little bit, but it is vibrant. It is driven. Everybody here is trying to make money in one way or another and therefore they're striving, and I've made a decision repeatedly to stay here.
Jonathan: 7:35
I've thought about whether Hong Kong is my place to be when I was asked to take a secondment to Bangkok, and it was a one-year secondment, so I decided I would go. When I was asked to stay in Bangkok for longer, I decided that I wanted to be back in Hong Kong. When I married my Korean wife, we talked about whether we should stay here, whether we should go somewhere else, Singapore is the obvious place that comes up all the time, also the UK or Korea, and we decided that Hong Kong was still right for us. And when I was, like many, many people, locked out of Hong Kong during COVID, I was in the UK for three and a half months. Each of those times I've thought, is this a place where I want to be, where I can enjoy life but also where I can do well? And that remains the same today as it was 16 years ago, despite the changes that have happened.
Paul: 8:27
Fantastic. As you know, I entirely agree with you, and despite some of the negative media that Hong Kong gets, it's definitely a place to be, isn't it? It's a fantastic place to live and work and make money. You know, as you say, it's always been a business city and people here are focused on doing jobs, getting stuff done, and that can-do attitude still prevails even today, I think. Right, I guess we're here to talk about cyber, though, really, aren't we, not about Hong Kong so much. And let's talk initially about cyber breaches, because I know you sort of fell into this a little bit by accident. In fact, I think I was with you on one of your very first incidents, and a little bit daunting, perhaps, you know, to try and manage as a breach coach a cyber incident. But perhaps you could tell us more in your own words about the role of the lawyer or breach coach, however you want to position it, in the whole sort of process.
Jonathan: 9:18
I'll talk about this from the angle of a breach coach, and we can definitely talk about lawyers and taking that role, and I am very happy to disagree with you repeatedly on whether that's necessary. I think we probably disagree. So we agree vehemently in different directions on the issue of whether it needs to be a lawyer. But the role of a breach coach is essentially crisis management, and when I was thinking about preparing for the podcast, what came to my mind was Rudyard Kipling's poem If: if you can keep your head when all about you are losing theirs and blaming it on you, if you can trust yourself when all men doubt you but make allowance for their doubting too. Essentially, you come into a situation where everybody is panicking, everybody's worried about their job because something has gone wrong, and our job as breach coach, whether it's as a lawyer or an IR provider, is to come in and say, don't worry, guys and girls, we've seen this before. We may not have seen exactly how this has happened, but we bring our experience and our knowledge to the table so that when people are rushing to answer questions from their stakeholders, and there's a variety of stakeholders at the table at that point, we can look at it rationally and come up with answers, so we can spot issues ideally before they arise. We can calmly advise on a path out of the forest whilst both looking at the weeds in front of them and at the woods generally. But if we're talking about specifics, we look at the type of the incident, we consider the skills and vendors that they might need.
Jonathan: 11:02
In the grand scheme of things, based on our experience, we use our knowledge of the large and ever-changing landscape of forensic investigators and we consider what other services they might require. For example, if it's a ransomware incident, are they going to pay? Have they closed the door on paying, or is there a possibility that they may pay? And if they may pay, it's highly unlikely that a company that is a victim, unless it's a crypto exchange, it's highly unlikely that they store cryptocurrency, and so they are going to need a broker. So as soon as somebody says, well, we might pay a ransom, then we know that that triggers certain things, including the possibility of a cryptocurrency broker.
Jonathan: 11:45
If it's in the US, they absolutely will need credit monitoring, because that's an obligation in most US states. If it's an incident that impacts Asia or the UK or the EU, they probably won't need credit-oriented monitoring, but the regulators might ask for it and it may be best to offer it first. So these are the things that we come to the table with, kind of that overview of what might happen, and it's then our job to answer the specifics and also keep our head up and enable the people who are responding, whether they have a specific crisis response team or it's just people running around doing their jobs, we enable them to do those jobs whilst we're spotting issues. And then the role of us as an insurer-introduced incident response manager is that we can then deal with the insurer in the background, head off questions, deal with any issues that come up, to try and avoid insurance coverage disputes in the background.
Paul: 12:46
As the listeners can probably tell, we've had previous conversations on who makes the best breach coach. We obviously differ slightly in our opinion on that, but honestly speaking, though, in fairness, it's about the person, and it's the right person, whether that person is a lawyer or an investigator, is the right person to manage a crisis, to help guide the client through probably the most difficult times of their careers. So, in fairness, I am in the middle of this, it's all about the person, and you're definitely the right person to be having in charge of a crisis. Your demeanor, your calmness and your knowledge certainly helps clients through those difficult days.
Jonathan: 13:31
And this is one of the things I've said before is that if we argue in the ecosystem of cyber response providers, service providers of which we are one and Theos is one and there are many others if we argue about our role and if we try and act like hyenas or jackals over the victim and we try to take as much work for ourselves, the only people that will benefit from that are the threat actors.
Jonathan: 13:51
And if you think of the cyber ecosystem as a series of connected Venn diagrams, we overlap on many of the things that we do, but the key is to respect each other's role and respect each other's relationships and work together, because on one occasion I may bring Theos in and on another Theos might bring me in, but if what we're trying to do is take as much work as we possibly can to bill as many higher fees as we can, then the victim company will lose. We will fight, you will stop referring work to me, I will stop referring work to you, and then the only people that will win are the threat actors.
Paul: 14:25
And, to be fair, that's why we work well together, because we know that balance is important and, yeah, it should always be in the best interests of the client. So let's move on and talk about getting engaged for an incident. So we'll talk about the whole ecosystem in a moment. But what do you find most challenging for yourself around an incident, when, you know, that phone rings and suddenly you've got a big, major cyber breach or ransomware incident on your hands? What do you find most challenging?
Jonathan: 14:53
The quick and easy answer to this is gaining the victim's trust. I think that's partly because of the way that we're engaged, and we are the hotline, which is often provided by the insurer. So this might be the first time that the victim is coming to us. They have a service that has been offered by their insurer and they come to us in a time of crisis, but they may never have spoken to us before. Now, it would be better if they have spoken to us before.
Jonathan: 15:25
We often do onboarding calls. We have another one tomorrow morning, where we introduce what we do and who we are, but the biggest thing is that people are mistrusting at the time, and so certainly, for the role that we play, the hardest job is to gain the trust. So we come in and: I am a financial controller, who are you? Or: I'm the IT team, what do you know about IT? And so it's very important we set out our role to start with. We say what we are good at and what we are not good at, and what we do not do is we don't do the forensic investigation. So that's very clear. So we can come in and say we don't do the tech part. We know people that do, and these are the right people for this incident. We recommend you use X, and that builds trust, and that trust is really important.
Paul: 16:24
So you raise a really good point there. We've kind of talked about the whole ecosystem of insurance, cyber insurance. It's all about helping a client who is insured to have the right people ready to respond, to be the fireman, if you like, when the house is on fire, to come and respond quickly and do all the things necessary to put out that fire. I'm obviously focused on the incident response piece. It's always been my background. In Theos, we've just recently built out that capability to add to the arsenal of services that we provide. But I'm curious, right, how do you go about, with the insurance companies, deciding which is the right IR partner, which is the right incident response partner? Because things change so quickly, don't they? We've seen lots of movement in the Asia Pacific region recently. How do you kind of decide on the right partner for a job?
Jonathan: 17:07
We need to know the vendors and we need to spend a lot of time knowing the market for incident response. For example, there is one team that focuses on pen testing, and if they were asked to do a forensic investigation in the way that you might do a forensic investigation, I think they would probably struggle. There's another vendor that is very well known that won't do employee investigations, so if there's a hint of an insider, they will refuse to touch it. And so it's knowing these things, knowing, for example, what happened to your previous team, where people went, what you're doing with Theos and who you've brought in, and having the trust that you have the right skills and the right people that you can work with. So really, knowing the landscape of vendors is the most important thing. And then having a relationship so that we can talk openly about the cost.
Jonathan: 18:03
For example, if it's a victim that has no deductible, i.e. the insurer is going to pay everything, then that means one thing: it means that they probably won't be wary about engaging people.
Jonathan: 18:17
But if it has a particularly high deductible, or it's a small company or a charity, they're not going to be able to tolerate the same level of fees. And so if we were to call Theos, we would have a preparatory call with the victim and you would come up with an estimate. We have the level of trust where I could say, this looks toppy to me, or I've seen this in another incident and this looks above where I think it should be; before we even flag it to the insurer, is there anything you can do with this? And then when we do go to the insurer and we go to the insured victim, we can say, no, actually we've questioned this and it's genuinely what it would cost. If you'd like us to get a second estimate, we can. All along, trying to encourage them to move as quickly as possible. But I think it's knowing the landscape, having personal relationships with the vendors and being able to talk about whether it's an incident that the vendor can work on geographically, in terms of capacity, and whether it works from a financial perspective.
Paul: 19:22
Yeah. So you raised a very important topic of deductibles, and it's very rare to have full coverage nowadays in cyber insurance. Well, I don't know how many you see, but we see almost never that you get full coverage from zero upwards. So we come up, like many companies, we come up with a solution for that, which is a retainer, an incident response retainer, so that if the incident falls below the limit of the deductible, well, they can use our services without touching the insurance and save the insurance for the disastrous day, the big event. What happens if a company has a retainer, say, with a company like us, but we're not on the insurance company's panel? How does that work? Because obviously the insurance company will have approved a number of vendors. What if the insured wants to choose their own incident response provider?
Jonathan: 20:14
Insureds in Asia have a lot more power to choose than they do in the rest of the world, and so what an insurer here will generally be looking at, and we don't advise on coverage and I certainly don't speak for the insurers, I speak for what I'm seeing, but what an insurer will generally look at is whether the costs are reasonable, and that will depend on the account, how much the premium is, all sorts of things. If an insured is going off panel, they need to be prepared to answer questions about whether it's reasonable or not, and we certainly may be called in to answer questions or to ask questions of the insured about what we think is reasonable or not, and maybe suggest a couple of other options. But the most important thing is to know, number one, what services and which service provider does the victim want. If they want to use a vendor who is not on panel, that's probably fine. They need to know whether it is going to be covered or not. They need to know whether they are prepared to pay if it is not covered, and we worked on an incident in the autumn where the insured was a big financial institution and they brought in a very large international response team of a big tech company that was charging very high hourly rates and staffing it very, very highly.
Jonathan: 21:46
The insured victim brought in that company before we were onboarded, and we spotted this as an issue when we recommended a ransom negotiator. We recommended a ransom negotiator that we knew also did IR, so that they could have a bit of an overview and see whether things were being done properly. What they said was, they are being done properly, it's just really expensive. And we were able to relay that message, and what the victim was then able to do was to come to a natural point with the original vendor and then switch over, because they were incurring a huge amount of costs every week that probably weren't necessary.
Jonathan: 22:31
So the insured out here have an awful lot of choice that they don't in the rest of the world, but they need to be prepared to explain whether it's reasonable or not. They also need to be prepared to cover the costs if it isn't, because when we're brought in, we're brought in as a service provider. We're not imposed by the insurer, and we wouldn't want to impose ourselves into a crisis situation where we're not wanted. So the victim company just needs to know what its solution is. And you and I definitely agree on this point, which is that you shouldn't be deciding your team at the time of the incident. You should have decided who it is already. And if that is to have an incident response retainer with someone like Theos, great. If it's to have insurance coverage in place that provides that service, great. If there's an overlap, also great. Just know who you're calling at what time.
Paul: 23:27
Yeah, you don't want to be dealing with limits of liability and other legal clauses whilst your house is on fire, right? So absolutely right. And we talk a lot about retainers and having pre-approved, pre-agreed contracts with your suppliers, but still, time and again, we see many, many incidents happening to companies who've never even thought of this, and they struggle through it at the time of an incident, which is far from ideal, or that only certain parts of the business have thought of it.
Jonathan: 23:55
For example, the management team may have thought of it and then may have pushed it to the risk management team, who has put in place a solution through the insurer, and they've also flagged it with the IT team, that may have put in place a retainer. But what they haven't done is thought about how it works. They haven't had a simulation, they haven't actually considered what will happen in the event of an incident.
Paul: 24:18
Absolutely. And those simulations or tabletop exercises are pretty important, aren't they? Because they give a flavor of what's already been pre-planned, whether it works or not, and bring in all the partners that you have. We see all too often that a tabletop will just use us, for example, to talk through the technical aspects, and I do say to them every time, why don't you bring in the law firm as well? Because in a real incident you'd have a breach coach, etc. And they go, well, it'll cost too much for the tabletop, or something like that. They'll find a reason not to, and yet that's not fully testing their capability, is it? And yeah, well, it's kind of on them, though, isn't it really? Yes, right, and I'm glad you said yes, not yeah. Okay, moving quickly on, and last question on features is the thorny question of paying the ransom. So we always get asked this, you know, should we pay, shouldn't we pay? What are the risks? Is there honor among thieves? Will they honor if we pay them? How do you advise clients on this?
Jonathan: 25:24
There is a legal answer to this and a cyber response answer to this. So the legal answer is you have to look at it two ways. Firstly, is it legal to pay the ransom? Can you pay a ransom? The second question is looking at it from the other side who are you paying, as in the recipient? Is it legal to pay that recipient?
Jonathan: 25:43
Now, in England, Singapore, Hong Kong, some other common law jurisdictions, it's legal to pay a ransom, and there's a very clear decision on that in the context of kidnap and ransom. But the money doesn't constitute the proceeds of crime until it hits the hand of the threat actor. That's the legal point and, for the record, that's not legal advice. If you need legal advice, please come to us. But it's not only a legal question; there might be a regulatory question. Does your regulator permit it? So some regulators would not permit the paying of a ransom. Do your law enforcement authorities permit it? And generally they won't say no. Some are less willing to let it slide than others, I would say, but some just see it as not a question for them. And then you've got issues of the victim company itself. Is there any reason why it wants to pay a ransom, or any reason why it can't?
Jonathan: 26:52
We worked on an incident that involved a company that was linked to an embassy, and they said, absolutely not, we will not be paying a ransom, but we will negotiate. We will negotiate to buy time. So the strategy that we put together was that they would negotiate whilst they investigated and put in place a notification strategy. Once they had issued their final notifications to regulators and to data subjects, they then just stopped negotiating. So the company itself had reasons why it wasn't going to pay, but it was prepared to negotiate. There are other reasons. For example, they hold data of VIPs, where they might think that they don't want to negotiate, and then, partway through the incident, they change their mind because they realize that that data has been impacted. We've had one of those.
Jonathan: 27:45
All of this, though, shows why a decision has to be taken in the round, and you need a response team, not just a legal advisor, not just a managing director or whoever is handling the business side of it, an IT team. Can you tell us that you're secure before we stop negotiating or before we decide not to pay? Because at that point, you're going to irritate the threat actor. So all of this goes into the ground of making a decision on whether to pay or not to pay. That decision has to be the victim company's.
Jonathan: 28:20
Insurers won't say one way or another. They will just say whether, in principle, it is insured or not, but they won't advise on whether to pay or not to pay. We can advise legally on whether it's possible, but we will then raise issues that the victim company needs to think about in reaching its decision. For example, is there one board member who strongly feels against it? But that board member has a lot of political power on the board. It's these types of things that need to weigh into the decision on whether or not to pay. But can companies pay ransoms? Generally, yes, in most jurisdictions in which we operate, unless it's to a sanctioned person.
Paul: 29:01
Got it. And you know, all the stuff you've just brought up is companies never think about this, organisations never think about it until it's too late. And it just comes back again to that preparedness, that readiness, that resilience that companies need, by rehearsing this, by practising, by having tabletop exercises, crisis exercises and talking through these kinds of decision-making that they may have to do under stress, and I think all the points you've raised are fantastic. But I'd like to switch gears again in the last 10 minutes or so that we've got and talk a little bit about Hong Kong, because that's where we're both sitting right now. Although I'm sort of regional, I'm sat with you right now here in Hong Kong, and it's big in the news: the Protection of Critical Infrastructures (Computer Systems) Bill, and it's caused a lot of noise. What are your views on this new law, and could you briefly explain what it actually means?
Jonathan: 30:03
The Protection of Critical Infrastructures (Computer Systems) Bill, which is snappily titled, is the equivalent of cyber security bills or cyber security acts seen in various other places in the world. Singapore has one, Malaysia has one that came into force last year. Various countries, or jurisdictions, I should say, are putting in place critical information infrastructure laws, and what they do is that they designate certain companies as critical information infrastructure operators. They might call them CIIs or CIOs or whatever they are, but essentially, if there were an attack on your systems, would this be critical to the jurisdiction? So train networks, airports, water companies, energy companies, pipelines; Colonial Pipeline is an example of a company that got hit. Now all of those companies are potentially going to be designated as critical information infrastructure companies, and the Hong Kong law that they propose is going to designate them in advance, and it's going to require them to meet certain proactive obligations and certain reactive obligations in the event of a breach. I think what's important to know is that if a company is going to be designated as a critical information, critical infrastructure operator, they probably already know because, unlike in other jurisdictions, Hong Kong has been discussing this with the CIOs already. So they're a subway company, they know that they're being designated, the exchange is probably going to be designated, I mean all the things that you would expect, and that means that they can prepare in advance, even after the law comes into effect.
Jonathan: 31:58
There's a transition period before it kicks in. In other jurisdictions, Malaysia is an example, the law came into effect, the CII sector leads were then designated, and those CII sector leads then have to go out and decide who they're going to designate as critical information infrastructure operators. And so in Hong Kong, the companies already have an eye on what they will need to do. The obligations for reporting in Hong Kong are more lenient than in Singapore and in Malaysia.
Jonathan: 32:34
But the problem with the bill, and the problem with, I think, a lot of Hong Kong recently, is that it comes off the back of the protests and then COVID, and so any time that the security department is involved there is a question about whether this relates to national security or not, and the division of government that is managing this and will be the liaison is the Security Bureau. And so a lot of people have raised questions about whether this is a law that is trying to do something that it's not, and the government is going to great lengths to try to say no, we're really just trying to protect our critical information infrastructure. With everything with Hong Kong, we'll have to see. I genuinely believe that this is something that is designed to protect IT systems that are critical for the running of Hong Kong, and the wording of the law is more lenient, and certainly the companies that I've been talking to that have been designated don't necessarily see this as some way to try and undermine their information security.
Paul: 33:41
Yeah, you know you're skirting around some of the core issues that have been raised by the media, and I'm going to save that for another podcast because, honestly, Jonathan, we could go so much deeper and further into the laws in Hong Kong and the controversy surrounding whether they're real or whether they're just hyped up to sell more newspapers or get more clicks. It's a lengthy topic that hopefully you might be up for one day, but I know it touches on sensitive areas and I don't want to get you into trouble, certainly on that. But talking of laws, obviously I don't want to go into this now because I do want to get you back on another show and we're kind of running out of time on this one. But data privacy is a huge thing here, because the laws haven't been updated in many years, and let's save that for another day.
Jonathan: 34:30
Actually, we can answer it very, very quickly. Go on then. So the Personal Data Privacy Ordinance is an incredibly old ordinance. It was based on a template that I think came about in the very early 1980s. There have been a few updates to it. We were hoping to see some updates in relation to what to do in the event of a breach, but the government has recently announced that it's shelving these following feedback from business. I'm not one who likes additional regulations put on our clients, but Hong Kong is quite an outlier. We now have a regulatory landscape that is very out of kilter with a lot of jurisdictions, and that creates complexity, and removing that complexity, I think, would help companies, whereas what we're seeing is the government is focusing on other issues and saying that it doesn't want to place additional burden on industry and therefore has decided it's going to shelve these changes again.
Paul: 35:32
That's a great answer and I entirely agree with you. I think it does add complexity, no doubt about it. So, yeah, let's keep fingers crossed that the government revisits this sometime soon. But yeah, as I say, they've got a lot of other things to be dealing with at the moment. But talking of dealing with things, just to wrap the sort of legal side of things up, along with laws comes the stick, and look, I'm a former cop, right, you know that. And it's challenging to find the right people in law enforcement, in government bodies, in the authorities, that are capable and have the talent to properly investigate and to, you know, uphold these laws and, sorry, enforce these laws. So what's your view on the enforcement capability here, and do you think they've got enough people to really deal with these new laws coming?
Jonathan: 36:22
In the way that you phrase the question, it is essentially: do they have the capabilities to deal with enforcing the critical infrastructure bill? I think what I can say is that the capabilities, the tech capabilities in the Hong Kong police force, have grown enormously in the past few years. The money that has been put into the cyber teams at the police is quite significant. We are seeing, we do cyber fraud as well, we do civil fraud, basically any bank fraud that takes place, we deal with the police quite a lot, and so when we're dealing with the police there, if we get through to the right team, they know what they're doing. They can move quickly. If we deal with a district investigation team who doesn't deal with cyber or fraud on a regular basis, they don't necessarily have the skills.
Jonathan: 37:21
I think the issue is policing priorities and whether the team is big enough to cover everything that's happening. Hong Kong is, I think, quite well known as a recipient jurisdiction of fraud funds and we are writing to the police pretty regularly and we're just one of many law firms. So the question is whether the police have the resources to deal with everything. And then, what are their policing priorities? I personally think that the critical information infrastructure bill is going to be one of their priorities, and so I think that there will be a team that either is in place or is tooled up. But I don't know, because I don't know who that team is. And you're right that if there is somebody who is very, very good, they might well be poached to go to private industry. That's true.
Paul: 38:16
Yeah, okay. So I'll let you off the hook with that one a bit and move on swiftly, because you're a lawyer, right? So, look, you're more familiar with actually asking questions rather than answering them. And I'm going to ask a dangerous question here before I close out the show. But if you were hosting this show, what would you ask someone like me?
Jonathan: 38:36
We've just finished, earlier today, a fireside chat with a tech founder who was previously a lawyer, and what came out of that discussion was the idea of when is the right time. When is the right time to move, when is the right time to found something. I think you know where I'm going with this, so you have been in large global organizations and you've headed teams for large global organizations for quite some time. What you've done is you've made an active decision now to join Theos and to add to its capabilities and potentially take it to another level. I suppose my question is why now? And also, what is it that you're hoping to achieve?
Paul: 39:22
That's a great question. Thank you for that one and I'll answer it very quickly. It's about the stage in my career, okay. So with my previous employer, as you know, things changed. They decided to make strategic decisions in our region which impacted my ability to deliver in this region. So I'm not going to say too much about that, other than it was very disappointing and it's left a gap in the market here.
Paul: 39:45
Now I could have moved to another similar company, you know, a large global firm, where I'd be heading the region and building out capacity, but there's always a risk the same thing would happen again. You know, I would not be the ultimate decision maker and that could affect my ability to deliver out here and also my reputation out here. So I had long conversations with the former CEO of Theos, Alex Hudlow, who was in our first podcast, and we explained some of the reasons behind this. But I think ultimately it's an opportunity to leave a legacy, to build something special in this region. We want to be focused on the region, not driven from overseas, from another region, and really be bespoke and be on the ground with people, to really work with clients and provide professional advice and guidance in the way they deserve in our region. So it's the opportunity to build something special, leave a legacy and do things in the way that I control. That's the simple answer.
Jonathan: 40:44
Right back to me asking questions. I was going to say I'm very happy that you are doing that because it provides another IR service provider. It provides options and we know that the quality that you bring and some of the team that is working with you we know their quality as well, so we're looking forward to working with you.
Paul: 41:01
Thank you, Jonathan. It's always good to have options, right. And talking of options, what music do you like listening to? Because I always end the show with this question, because I'm a music lover. It's the way I relax, it's the way I decompress from a very stressful job, and I just love music. I love vinyl records, you know, and take great satisfaction in putting that needle on the record, and I know you like music a bit as well. So what are you currently listening to? What helps you to decompress a little bit?
Jonathan: 41:27
I listen to pretty much everything, I have to say. Well, part of my story that I jumped over was I nearly left grammar school at the age of 16 to go and study performing arts. I didn't, I stayed, and here I am. But, so you will probably shoot me for this, but I do love some show tunes. So at the moment I'm finding it very hard to escape pretty much all of the Wicked soundtrack. But alongside that I'm listening to 1990s divas. There's a reason for these two things. But also there's a couple of artists that I'm listening to. Rag'n'Bone Man, I love a bit of Rag'n'Bone Man.
Jonathan: 42:20
I also quite like what Leigh-Anne Pinnock is doing. So she was in Little Mix, she's now on her own and she's pursuing a kind of Afrobeats career, so I like that. And Kygo, anything where Kygo remixes I love, so literally anything. But let me just explain the show tunes and the divas. I have a 10-month-old daughter and my wife doesn't listen to that much music at home. I listen to music all the time, and so what I will do in the morning is I'll get up, I'll turn the speaker on and I will play something that she wants to hear, and she loves divas, absolutely loves divas, and at the weekend I introduced her to Wicked and she was bopping away with her head, and so I think there's going to be a bit more of that around the house, I'm afraid.
Paul: 43:11
I am so glad I asked that question. What a great answer. It never fails to surprise me what my guests listen to, and I think you've just taken it to a whole new level there. But I'm not surprised that an 11-month-old is listening to that stuff. I'm just surprised that a seasoned lawyer is listening to it. Don't get me wrong. But, Jonathan, thank you so much for being a guest today and I really hope we can resume the conversation in a few months' time and perhaps unpick how the laws are evolving, how data breach coaching is evolving, and touch on other topics that maybe our listeners might want to raise with you. That would be great. Thank you very much. So, Theos Cybernova was presented by myself, Paul Jackson, the studio engineer and editor was Roy D'Monte, the executive producer was myself and Ian Carlos, and this podcast is a co-production between Theos Cyber and W4 Podcast Studio.
Jonathan: 44:06
The Theos Cybernova Podcast.