Login
iscover
Jerome Doraisamy and David HollingworthShare this article on:
Powered by
MOMENTUM
MEDIA
Powered by MOMENTUMMEDIA
Norton Rose Fulbright partner and Australian head of cyber security Annie Haggar discusses the role of lawyers in cyber security, how it’s changing, and how it will continue to change.
Our friends at Lawyers Weekly recently sat down with one of Cyber Daily’s favourite people, Annie Haggar of global law firm Norton Rose Fulbright, for a podcast, and her thoughts on the role of lawyers in cyber security are well worth sharing.
Lawyers Weekly: Cyber security is one of the biggest and most talked about practice areas, not just in Australia but also globally at the moment, and I wanted to gauge your sense of how the year is going so far. Coming into 2025, there was a pretty broad consensus that it was going to be a very busy year for lawyers in the cyber security space. Is that panning out so far?
Annie Haggar: It certainly is.
If anything – if my workload is anything to go by, and those of my colleagues – I think there are a couple of reasons for that. There was a general slowdown in attacks in Australia while a lot of the threat actors globally were being incentivised, for various reasons, to focus their attention on the US.
But once the US election was over and it was more into the transition period, they started to focus their attention back on the rest of the world. So, the cadence of attacks impacting Australia started to pick up again.
We, of course, are now in the lead-up to our own election, so we can expect an increase in attacks on Australian organisations as well. Not just the traditional attacks, but particularly ones that law firms face around business, email compromise, and funds transfer, which were all, unfortunately, becoming quite day-to-day.
But we should also be looking out for our clients who might be experiencing attacks related to the election. So misinformation attacks – attacks giving people information about voting, et cetera. So, less traditional attacks in terms of what lawyers are used to advising the Australian population on and more connected to national security.
Lawyers Weekly: We didn’t realise that was part of the remit of the work of cyber security lawyers as well. We always assumed that election disinformation and misinformation were the realm of lawyers in other practice areas.
Annie Haggar: Unfortunately, these days, with cyber security and with AI, it is part of our remit as well. It’s our IT systems, and it is essentially part of the cyber security breaches that are happening. It’s phishing and the sending of information using IT systems, which is really our bread and butter.
There’s a saying that all businesses now are part of the national security defence of Australia – there is no organisation that’s not connected to the internet. And as soon as you’re connected to the internet, you, your systems, and your business become part of Australia’s national security picture. And so, any of the big brands in Australia can be used to send out certain information and be influenced, whether they intend to or not. And misinformation being perpetrated by threat actors online through all sorts of channels is probably a misunderstood and underestimated influence in the lead-up to elections and is not the traditional realm of where we are talking about cyber security as lawyers.
Lawyers Weekly: It really hammers home the idea that being a cyber security lawyer is more than just being a black and white practitioner who’ll deal with ransomware attacks or data breaches. The scope of work that cyber lawyers like yourself are grappling with day to day … You go so much further than that, and there are so many different practice areas within a firm like yours that you would likely have to be liaising with these days.
Annie Haggar: That’s absolutely right. I think there was probably a misconception for a long time that cyber security lawyers were really just focused on privacy issues or on cyber breach response. A lot of people have a really strong insurance background because they’ve been through insurance claims, but there’s a much broader range of skills needed to be a cyber security lawyer these days.
We are drawing on the expertise of our government colleagues, of our litigation colleagues, and also bringing to the table those of us who’ve got national security experience as well. And having to put all of those skills to the test and keeping up with things … The pace of change in this area is really hard to keep up with, even for those of us who are doing it every day as part of our jobs.
Lawyers Weekly: How does that change not just the scope of the work that the lawyers like yourself have to do but also how you perceive your own roles? Do you think that a cyber lawyer in 2025 looks completely different to what a cyber lawyer will look like in 2030?
Annie Haggar: Absolutely, that will be the case.
Because even a cyber lawyer a couple of years ago [didn’t have] to advise on cyber breaches involving AI, which is a day-to-day part of our job already.
We had a breach that we had to help respond to for a client. Three days after DeepSeek, the Chinese AI model, was launched, an employee of my client had thought that they would just test out this model using a piece of sensitive data, and, lo and behold, a global data investigation was needed. That was three days.
So, the role of a cyber lawyer today is going to look completely different in 2030, and I just can’t tell you what that’s going to look like because we don’t know what the technology is going to be like. There may be more widespread availability of quantum computing to start with, let alone where AI is going to be by then.
But I think even if you look at the job of the cyber security lawyer today versus a couple of years ago, today we are much more talking as trusted advisers, advisers to the organisation and the risk team. It’s not that we are just focused on a cyber breach and the privacy response. We are there helping them to build their risk management framework; to advise on compliance with laws like the Security of Critical Infrastructure Act, which was amended again at the end of last year and has new rules in place as of a few days and weeks ago.
We’ve got the new APRA regulations impacting all APRA-regulated entities to deal with risk management, specifically security and supply chain. So that’s CPS230, which comes into force at the end of June. We’ve got the new Internet of Things security requirements for any organisation manufacturing or supplying devices that connect to the internet, which is pretty much everything these days.
You know, Harvey Norman’s going to have to comply with these things, as just one example of retailers all across Australia that sell internet-connected fridges and microwaves – suddenly they have to comply with the Cyber Security Act.
The complexity of cyber security implications for businesses – and, therefore, their lawyers – has exploded in the last few years. It’s not just breach response work anymore.
You can listen to the full podcast with Lawyers Weekly here.
Be the first to hear the latest developments in the cyber industry.
