Sectors
CyXcel works with clients across multiple sectors, solving their greatest digital challenges.
We work with listed and private companies, public bodies and non-profit entities globally. Our track record is second-to-none.
- Agribusiness
- Energy & Utilities
- Healthcare & Pharmaceuticals
- Insurance & Finance
- Professional Services
- Public Services
- Manufacturing & Retail
- Technology, Media & Telecom
- Transport & Logistics
Agribusiness
The Agribusiness sector is experiencing rapid digitization, thanks to technological innovations for automating farming and livestock management.
Moreover, large-scale industrial automation is being used to enhance product manufacturing, quality management, and the downstream logistics of perishable goods.
As the agricultural processes and food retail ecosystems evolve, there is growing reliance on technology for business and operational analytics, supply chain integration, and customer relationship management.
Moreover, with the increasing use of connected devices and data analytics, companies in this sector now collect vast amounts of data; they must stay compliant with privacy regulations, which are complex and vary by region.
We enable agribusinesses at all stages of digital maturity to ensure they are secure and primed for lasting growth.
Explore our case studies
Cyber Strategy & Transformation
Having identified cyber as a significant risk, our client's internal audit department commissioned us to identify key issues in a comprehensive report and drive improved cyber resilience across the businesses.
Our unique approach of quantifying loss exposures relating to cyberattacks and technology disruption proved unique and we were selected to carry out an end-to-end evaluation of the cyber loss exposure and make detailed recommendations to improve cyber resilience.
To find critical weaknesses and calculate the financial impact of a cyber incident, our method comprised a thorough cyber business impact study. We assessed the controls maturity of industrial control systems and IT, and to increase awareness, we led a customised board-level cyber-simulation.
In addition, in accordance with the EU NIS2 Directive, we created and executed a five-year security transformation strategy that included the creation of a secure architectural design for the whole company, audits of every manufacturing location, and a cybersecurity governance framework.
Cyber Loss, Controls and Insurability
Prior to engagement with an insurance broker or carrier, our client was considering the purchase of cyber insurance for the first time. The client wanted to understand their cyber risk exposure in financial terms and the maturity of their current controls in reducing the impact of or preventing a major cyberattack.
They also wanted assistance with preparing a market presentation, articulating to insurers the significant investment that they had made in cybersecurity controls.
Our approach focused on assessing and enhancing the client's cyber risk management by conducting a cyber loss assessment to quantify strategic risks; evaluating controls maturity across IT and industrial systems; and performing a gap analysis between the client’s existing property insurance and the cyber insurance policy of a recent acquisition.
We also prepared a cyber insurance marketing submission and assessed the client’s incident response vendor landscape to help evaluate insurer offerings more effectively.
Complex Data
Advice on processing personal information collated from over 5 million annual customer interactions in 20+ countries across five continents. We devised the optimum contracting structure, factoring requirements for international data transfers to ensure global compliance.
Further work included updating privacy notices and cookie policies through to preparing international data transfer arrangements, third-party processing contracts and intra-group data sharing agreements.
Energy & Utilities
The integration of decentralised devices, such as smart meters and solar panels, into the Energy & Utilities sector has created multiple cybersecurity risks. These devices have critical components that interface with the electricity grid, and are vulnerable due to their frequent exposure to internet connectivity for remote monitoring and control.
The rapid adoption of these devices, and new ones being designed without rigorous security controls, means that the power distribution network faces significant risk from novel attacks. This focal point for potential attacks could result in a disruption to energy flows or manipulation of data to prompt shut down. Therefore, securing these interfaces and the broader network they support is essential.
Compounding the risk is the transition of legacy systems towards a more data-driven approach to facilitate operations and increasing technological additions to environments that were never constructed with security in mind.
Increasingly, IT systems that manage data and applications are integrating with OT systems that control physical processes, exposing the infrastructure to potential compromise. The Russia-Ukraine conflict is a prime example: multiple high-voltage electrical substations in Ukraine have been compromised with tailor-made malware that exploited remote access mechanisms to halt operations.
We work with companies operating such critical infrastructure to ensure sector-wide improvements.
Explore our case studies
Cyber Risk & Resilience
Retained to evaluate the effectiveness of the existing cybersecurity strategy by defining a set of critical loss exposure scenarios and testing control effectiveness in mitigating a few, high impacting scenarios.
Based on the simplicity of the approach the client allowed us to develop and implement the business resilience programme as a fully outsourced service, the Information Security Management System (ISMS).
This included developing top level policy statements and a full set of information security procedures and the crises management system, including an overarching incident response process and procedure, a cyber incident playbook and a disaster recovery procedure for several of the firm's critical applications.
Security Review
For a national gas transmission organisation that included elements of critical national Infrastructure, we led a risk-based, business and regulatory focused Industrial Control systems (ICS) security review on several critical assets across multiple countries.
We then performed an actuarial-led cyber risk quantification exercise to determine the full quantum cyber exposure. Lastly, we developed a blueprint of a secure and resilient architecture against industry good practice, such as NIST 800-82 and ISA/IEC 62443 and designed a multi-year investment plan to deliver the secure architecture across dozens of sites.
The plan was presented to the UK regulator and accepted as the basis for a 5-year transformation.
Injunctive Relief for Misappropriation of Data
Successfully obtained injunctive remedies against former employees of a Plc energy broker client who used sophisticated data extraction software to obtain highly confidential information.
The speed and effectiveness of our actions were instrumental in protecting the misappropriated data and limiting the damage sustained by our client. The case proceeded thereafter and was successfully resolved at mediation, with a negotiated resolution.
Healthcare & Pharmaceuticals
Risk and innovation are familiar territory for the Healthcare & Pharmaceutical sector. The sector is complex, highly regulated, and capital intensive. The sensitivity and commercial value of the data this sector collects and processes, and the critical nature of the services it provides, makes it a prime target for cybercriminals seeking high-value trade secrets or leverage for ransoms.
Intensive supply chain dependency is an acknowledged area of cyber risk, and one where regulatory requirements are hardening, particularly in sectors such as this which are categorised as critical infrastructure.
In healthcare, cybersecurity is increasingly recognised as a patient safety issue; the direct personal impact on patients in recent incidents has been stark. The growth in telemetry and remote monitoring creates additional risks for organisations handling larger, and increasingly rich data sets across an ever-growing network of connected devices. Good cybersecurity and respectful data handling practices are becoming important differentiators in a competitive market.
Furthermore, the promise of new data driven technologies (to reduce costs and improve services), and the drive to harness patient data to identify novel insights and treatments present significant governance and regulatory challenges for organisations.
We support organisations at all stages of maturity in their cybersecurity and data protection journey.
Explore our case studies
Sensitive Data Protection
Personal data and commercial advice on the creation of a genomics app using patient data, together with licensing to NHS Trusts and private laboratories.
Data protection, commercial and IP advice to a consortium of NHS Trusts on the formation and implementation of a radiology network to share various personal data, including the identity of radiologists and scanned images.
Advice on both commercial and data protection implications of strategic research and the sharing of anonymised patient data with external organisations.
Telecoms Contract
We successfully defended high-profile proceedings, widely reported in the media, brought against our healthcare sector client in the High Court by Blu-Sky Solutions for alleged breaches of a contract for mobile network services. The contract included draconian provisions and omitted an annexe of website terms that were otherwise imprecisely specified. When our client cancelled the contract, Blu-Sky imposed a six-figure cancellation fee as an ‘administration charge’.
The High Court found that: the so-called ‘administration charge’ was onerous and not fairly or reasonably brought to our client’s attention; and that it was an unenforceable penalty clause.
Regulator Investigation
Following a NIST CVE update our client was forced to take certain services offline. We prepared notifications under the GDPR and NISD/Implementation Act to the German regulator, followed by phased reporting and close liaison with the assigned case officer.
We deflected criticism towards a company in the client’s IT supply chain after independent reports of failures in its security. The regulator’s investigation lasted a year but ended with a closure notice without any sanction or corrective measures.
The regulator commended our client’s transparency and proactive steps to resolve the incident and minimise the break in service continuity.
Ransomware threat
An attack by a notorious ransomware gang resulted in the encryption of our client’s global IT estate and the exfiltration of personal data affecting a significant number of individuals in 32 US states, the UK, 8 EU/EEA countries, Russia, Switzerland, and the Congo.
We coordinated notifications to multiple data protection authorities within the space of four days. Simultaneous forensic analysis of the threat actor’s activity led to a detailed breach severity assessment, necessitating extensive data subject notifications comprising employees, customers, and supply chain personnel.
To support those affected, mitigate anxiety and harm, we deployed a team of identity theft and fraud resolution specialists to deal with inbound calls, giving them discretionary escalation to legal and senior personnel. We further backed up the support with credit and dark-web monitoring, CIFAS registration, and bespoke personal insurance for loss and out of pocket expenses.
Further detailed investigation revealed a CVE in third-party VPN hardware, compounded by publication before the release of any effective patching. This created the opportunity for a recovery claim against the developer, as well as providing a robust basis for the client to argue against any regulatory consequences.
Further evidence was also secured pointing to an affiliate of the ransomware gang on US soil, which was passed to law enforcement to pursue and led to an arrest.
The notification and care regime for affected data subjects was widely commended and resulted in a nil incidence rate of third- party claims. Closure notices were also obtained from all regulators without any sanctions or enforcement action.
We are now assisting the client to “harden” their technical security and to improve to their controls and policies concerning staff use of company assets and handling of personal data. This includes advice on appropriate measures to facilitate, but also protect, the continuing transfer of customer and staff personal data from the EU/UK to the US.
Insurance & Finance
The cyber risks for the Insurance and Financial Services sector centre around supply chain and third-party providers; social engineering; and ransomware.
As organisations increasingly rely on third-party vendors and interconnected supply chains, their vulnerability to cyber incidents and data breaches is growing due to the expansion of the attack surface, indirect compromises via less-secure vendors, and limited visibility.
Exploitation of human vulnerabilities to breach networks is especially common, via tactics such as phishing, spear phishing, pretexting, doxing, and tailgating.
Several high-profile companies have fallen prey to ransomware in recent years, including double extortion attacks where hackers not only encrypt data (thereby disrupting business activity) but also threaten to release it publicly if a ransom is not paid. These attacks are increasingly sophisticated, widespread, and inflict substantial operational, financial, and reputational harm.
Silent cyber is another notable risk. Also known as non-affirmative cyber risk, it refers to the exposure of insurance companies to cyber risks not explicitly covered in traditional polices. Carriers therefore may have to pay arising claims that were not unexpected.
Through our comprehensive service stack, we help our clients meet these complex challenges.
Explore our case studies
Management Prosecution
The sole director of a claims handling business faced prosecution by the ICO for criminal breaches of the Data Protection Act 2018 and money laundering offences at the Crown Court.
The case involved an agreement to purchase data illegally obtained by the employee of a nationally recognised insurance company, relating to the details of motor insurance claims arising out of road traffic collisions. The parties involved were then the subject of “cold-calling” sales calls to engage the client’s company to bring motor and personal injury claims on their behalf.
We represented the client in the court proceedings, highlighting relevant mitigation and liaising with the prosecution to ensure the client received a favourable non-custodial sentence and avoided the need for lengthy contested proceedings. We also negotiated a favourable confiscation order, which the client was able to discharge without the forced sale of his home and other personal assets.
The case is one of only a handful of criminal prosecutions brought by the ICO.
Spearphishing
Our client’s CEO was spear-phished, leading to a doxing attack on its case management system. Hackers stole a staggering 6TB of data and then presented ransom demands to avoid its publication and distribution on the dark web. The stolen data was thought likely to include personal and special category information belonging to tens of thousands of individuals.
The client’s case management system was a legacy system, which meant datasets stolen by the hackers were unstructured, posing a challenge to assess the severity of the breach.
We repurposed scripts from proprietary software to scan the data sets and draw out personal information based on predetermined parameters. This allowed assumptions to be made about the content of the data, which were then cross-checked by manual review of random samples. This regime drove a highly reliable 98% rate of accuracy and a sound basis for justification of the approach to the regulator.
Meanwhile, we collaborated in sharing evidence with the NCA in the UK and other international law enforcement agencies, which led to the identification of several other victims and ultimately the successful take down of servers being used by the hackers to host the stolen data across the EU and US.
Data Exfiltration & Extortion
Hackers stole a staggering 3TB of data and then presented ransom demands to avoid its publication and distribution on the dark web. The stolen data included personal and sensitive personal information belonging to tens of thousands of individuals.
We devised the response strategy and then brought together a specialist team to seamlessly deliver the remedial action required. This included negotiations with the threat actor, the restoration of data from back-up and remediation of the client’s environment, an ICO investigation, and notifications to the client’s key customers and stakeholders.
Our efforts resulted in nil claims and no enforcement action for our client.
Data Sharing
We designed the legal architecture and advised on the complex data and IT elements of MyLicence – one of the UK’s largest ever data projects - a successful collaboration between our client, the MIB, and the DVLA. My Licence is a revolutionary data sharing scheme, endorsed by HM Government, the DfT, the ABI, and wider insurance industry to combat insurance fraud. At its core is a comprehensive UK database of all licensed drivers and motor insurance policies.
We also provided advice on interoperability, facilitating the legal transfer of millions of data points through to preparing and negotiating the entire supporting contractual framework. The project’s political and strategic importance, not to mention its numerous stakeholders, demanded high attention to potential sensitivities and conflicts.
Data Outsourcing
Advising a leading MGA on the transfer of personal data from the UK to the USA and China, including drafting associated data processing and distribution agreements in compliance with UK, EU, US, and Chinese data privacy laws.
We are also advising on interactive platform data processing terms and negotiating publicity agreements with celebrities and medical professionals.
Professional Services
Digital assets are the foundation of Professional Services organisations such as law firms, accountancies and consultancies. Due to this heavy reliance on systems for revenue generation and business-as-usual activities, the sector has a vast and diverse set of exposures. A single breach could compromise assets such as merger deals, confidential legal strategies, intellectual property and sensitive personal information.
Given the valuable and sensitive nature of information held by professional services firms, a breach could result in significant reputational harm, and legal or regulatory consequences.
Moreover, many firms heavily rely on vendors for essential support functions such as billing, cloud storage, business intelligence and document management, which leaves opportunities for supply chain compromise.
Changes in working patterns since the pandemic mean that employees and contractors in the sector are either in hybrid or remote settings, increasing reliance on mobile and bring-your-own devices (BYOD). This has widened the attack surface for threat actors. Difficulty with effective user monitoring as well as employee awareness training has led to an increased exposure to social engineering attacks.
We equip our clients with a comprehensive digital safety programme to manage these complex risks.
Explore our case studies
State-linked hacking
We were instructed by a specialist SME business providing childcare for families of HNW, UHNW and PEPS. It was one of several organisations affected after a SaaS provider’s network was breached by a suspected state actor.
We managed all communications with the SaaS provider and its legal team and secured a full indemnity against the cost of notifying and compensating data subjects.
Notably, we devised and implemented a round-the-clock physical protection regime for the children whose data, including sensitive location data, had been compromised, successfully keeping them all safe from harm until their routines and care arrangements had been changed.
Ransomware incident
A small family-run occupational health services company suffered a RYUK ransomware attack that completely disrupted their operations, forcing them to manage appointments using physical handwritten diaries.
Given the persistence of the infection, we not only focused on containment and root cause analysis but also aided in recovering and rebuilding their entire IT environment. Additionally, we collaborated with legal counsel to analyse the data exfiltrated by the threat actor.
For a small company, the risks of such a ransomware incident can be severe, including the inability to operate and the potential threat of going out of business. However, we successfully restored their operations in a timely manner, enabling them to return to business-as-usual and continue serving their clients.
Payment Diversion
We conducted a Business Email Compromise (BEC) investigation involving 15 accounts at a European asset management company. The breach was first detected when a payment was made to a fraudulent account.
Our analysis revealed that the attacker had successfully phished an admin user, gaining access to their account credentials. The attacker then identified invoices and inserted themselves into email conversations, altering payment account details.
Further investigation showed that 15 accounts had been compromised over a 3-month period. We immediately advised the client to enforce a system-wide password reset and enable multi-factor authentication (MFA). Additionally, a security assessment of their email environment was conducted to strengthen their overall security posture.
Historical Insider Threat
We were engaged by a professional body concerned about potential insider threats, a possible breach by external actors, and ongoing risks to their cloud systems.
We carefully designed our approach to preserve the confidentiality of our investigations and mitigate the risk of alerting an internal bad actor to our involvement. Our investigation involved a thorough analysis of cloud system logs and security settings. Regular updates were provided to the leadership and select members of the technical team, along with recommendations for remediation based on each finding.
We offered both legal and technical guidance on GDPR compliance, risk management, and security best practices. The investigation culminated in a comprehensive report detailing the findings, which was followed by a full debriefing for the leadership team.
Cyber audit for pension schemes
We worked with a leader in benefits provision and pensions administration to support their client base by developing and embedding a cyber training programme and audit benchmark into the onboarding of every new pension scheme. This programme was based on the pensions regulator (TPR) requirements relating to cybersecurity.
The training focused on raising awareness of the cybersecurity responsibility of trustees in managing the sensitive data and finances entrusted to them. It then focused on reducing overall risk at the scheme by carrying out an expert-led audit of their technology and cybersecurity arrangements.
We developed a tailored menu of critical risk reduction services including cyber tabletop exercises, third-party risk assessments, a suite of data protection & handling policies, and a bespoke incident response service for schemes.
After carrying out numerous scheme audits, we developed a cybersecurity benchmark that now provides instant insight to pensions providers on the maturity of their cybersecurity arrangements depending on the size, complexity and amount of funds under management.
Public Services
Cyberattacks attacks against Public Bodies such as governments, educational establishments and charities are rising worldwide. Due to geopolitical headwinds, such organisations are also becoming top targets of state-linked espionage and disruption activity. Such attacks disrupt service delivery (including of emergency services), impose huge financial burdens on the taxpayers, and erode public trust in government.
Part of the challenge is the sector’s dependence on legacy systems that are open to intrusions and costly to upgrade. In coming years, operational and security problems associated with integrating new technologies into such legacy systems will also intensify, unless the sector prioritises cyber resilience.
Public sector organisations also collect, process and store an ever-growing volume of sensitive and personal data. As regulatory scrutiny and social awareness about data privacy rise, and laws about new technologies such as AI come into force, they will need to improve their data protection and governance procedures.
Another significant concern is insider threats and human error, which remain primary causes of security breaches in the sector. It will be more crucial than ever to address these risks with better cybersecurity monitoring, training, and controls — especially as remote work becomes more common.
We enable organisations in the Public Sector to build holistic digital resilience and harness technology safely. This is also central to our CSR objectives.
Explore our case studies
Business Email Compromise (Education)
A university whose Office365 environment was breached fell victim to a Business Email Compromise, affecting both staff and students. Incident protocols were inadequate, so they reached out to us for help.
Using proprietary technology, we were able to accelerate our analysis of the attack’s scope and risk assess all affected accounts, before reporting to the client with our findings within just four days, also limiting the need for further manual analysis of those accounts deemed to be at ‘high risk’ by the client’s HR team.
Gun to tape, we resolved the incident in less than four weeks.
Software Misconfiguration (Emergency Services)
We managed the response to a data breach arising from a configuration error on software used to produce statistical analyses from crime occurrence logs. The breach involved the inadvertent disclosure on-line of highly sensitive and detailed data on sexual offences, including victims and perpetrators.
Key activities included risk assessing, notifying and counselling the affected individuals, media engagement, representing our client in the regulatory investigation, identification and remediation of the relevant configurations, and advice on improvements in detection and governance.
Risk Retention & Transfer (Government)
We were retained to help assess the cyber maturity and privacy vulnerability of an organisation involved in the processing of personal data on millions of individuals for the UK government.
The analysis was split into key workstreams focused on the security of the existing IT estate, the organisation’s principal processing activities, the categories of data concerned, the people involved, and the enabling systems and software. Exposures were then evaluated on a range of scenarios, modelling a variety of financial and reputational consequences.
Based on the findings, the organisation’s executives and responsible officers were able to assess their appetite for risk retention to an acceptable level against a measurable scale, simultaneously identifying the areas of exposure and indicators of tolerance at which transfer out would be deemed preferable or even essential.
These findings were then used to perform further assessment upon the adequacy of the organisational and technical measures employed (per GDPR), as well as the adequacy of existing insurance and other third-party contractual arrangements underpinning the incumbent risk transfer regime.
We carried out an insurability assessment for the client by quantifying their cyber exposure based on the number and sensitivity of the records being hosted and processed to determine the insurance limits required. We then measured the client’s insurability through the maturity evaluation of key technical controls required by insurers when providing cyber insurance quotes to give our client an indication of the transferability of the risk through cyber insurance.
Ransomware (Government)
Our client was a government agency who fell victim to a ransomware attack following lateral movement into its environment from a connected environment under the control of a managed service provider. We advised on incident management, crisis communications, regulatory obligations, injunctive relief, and a financial recovery from the MSP.
The situation was challenging because our strategy had to balance a zero-tolerance approach towards any engagement with the threat actor with our client’s obligations under privacy law in circumstances where none of its affected data was recoverable from backup.
A careful plan was devised in collaboration with the NCSC to secure any data leaked on the dark-web while ensuring the matter was delay with discreetly. Meanwhile, we coordinated containment, threat hunting and forensics to eradicate the threat actor’s persistence and to gather evidence necessary to prove a failure of technical measures, gross negligence, and a breach of contract by the MSP.
Stalking Horse (Built Environment)
Following a series of intimated claims for alleged cookie violations, our client became suspicious not only about the claimant’s motive and identity, but also the claims’ presentation generally, owing to the inclusion of video files and other executables purporting to demonstrate, on a step-by-step walkthrough of a user’s typical journey through the client’s website, how the alleged violations had occurred.
We suspected that the claims were a stalking horse or ‘staging’ for the deployment of malware on our client’s IT network, to facilitate wider disruption or possibly a ransomware attack at an undefined future date. We segmented the suspicious files and moved them to a secure ‘sandbox’ environment for further analysis, before sharing our findings with the police’s fraud investigation unit.
This allowed similar victims to be identified and, in combination with the evidence of those other victims, created the basis for a case against those responsible for various offences under the Computer Misuse Act.
Manufacturing & Retail
Business efficiency, product quality and access to consumer markets is increasing as companies in the Manufacturing & Retail Sector digitise their supply chain. The adoption of machine-to-machine communication and new technologies is also intensifying their reliance on a diverse range of geographically dispersed third-party suppliers.
Yet many companies in this sector use legacy technology, often chaotically adapted to meet immediate needs, leaving their overall operating environment exposed to multiple risks.
An increasingly common attack path for malicious hackers is to exploit weaknesses in the networks of third parties since they create a large radius of damage. Such attacks can leave machines inactive, and halt production, inflicting financial, reputational and operational harm on those in that supply chain.
Moreover, the sector will soon need to comply with the stringent security requirements of important forthcoming laws. These include the NIS2 Directive (which is aimed at EU companies categorised as critical infrastructure) and the EU Cyber Resilience Act (which aims to safeguard consumers and businesses buying or using products and software with a digital component).
We deliver holistic digital resilience to our clients so they can harness technology safely and ensure regulatory compliance.
Explore our case studies
Request For Information (Manufacturing)
Appointed to assist with the response to an ICO investigation following alleged breaches of the DPA 2018 arising out of a request for personal data from a dismissed senior employee.
The employee had made a Subject Access Request for their personnel file and disciplinary records which had been prepared following an internal investigation which had led to the employee’s dismissal. Our client had initially responded to the employee, refusing to provide the information requested. The employee had complained to the ICO who had written to our client requiring them to review their response and remedy any breaches.
We were able to remediate the breaches. We reviewed the request and our client’s response and assisted with an internal review. Furthermore, we supported with the preparation and redaction of material and engaged with the employee and the ICO on our client’s behalf.
The ICO were satisfied with our client’s actions and took no further action. The employee was provided with the information and decided not to bring a claim for unfair/wrongful dismissal.
Misappropriation of Data (Retail)
We successfully obtained an ex parte injunction and search order following a senior employee’s misappropriation of electronic data worth £5 million+ on a ‘BYOD’ mobile phone.
This allowed for forensic imaging to preserve evidence of misuse, leading also to admissions of wrongdoing from the Defendant and a settlement on terms that included deletion of the misappropriated data and undertakings to the Court to restrain the Defendant’s future activities.
DDoS and Supply Chain Compromise (Retail)
A key member of our client’s supply chain was targeted by hackers who encrypted its systems and launched a DDoS attack on its website when it refused to pay a ransom. The impact on our client was significant across its global customer base.
We engaged with the incident response vendors acting for the supply chain partner to understand the security risk to our client through connected systems and then created a red network to contain any propagation, while hardening controls and stepping up threat hunting on the rest of the environment.
We also checked the extent of third-party processing and data deletion to create a profile of the data subjects likely affected for whom our client had responsibility as controller, and thereafter notifying and liaising with the relevant supervisory authorities, while risk assessing and making notifications to individuals as required by law.
Our mitigation steps were highly effective, resulting in just a fortnight’s disruption and no loss of revenue for our client.
Cyber Risk & Strategy Development (Manufacturing)
Retained by the head of operational technology in a global industrial manufacturing and process automation giant, to carry out a cybersecurity best practice review. This covered 16 business units - covering power generation, transmission, industrial manufacturing, robotics and consumer goods - in 5 countries to better understand where operational and project pressures led to cybersecurity risk.
After presenting the findings internally to all business units, we also presented the findings and recommendations in conjunction with the client at the SANS European ICS Security summit as a sample of a business-focused approach to cybersecurity strategy.
Technology, Media & Telecommunication
Data privacy is a critical concern in the Technology, Media & Telecom sector, where vast amounts of sensitive user information are collected, processed, stored and shared with third parties. Organisations need to strike a fine balance between innovation and privacy.
Technology businesses such as social media depend on collecting large volumes of data to drive innovation in areas such as targeted advertising and personalised content. However, they must adhere to the strict privacy standards or risk significant financial penalties such as the €1.2 billion fine imposed on Meta in Ireland for failing to comply with the EU’s GDPR.
Additionally, the use of AI and big data analytics are becoming increasingly prevalent, raising concerns about the use of data in automated decision-making and profiling. Ensuring that their AI models comply with privacy regulations and do not infringe on individual rights is a complex ethical and legal obligation that requires the fullest of attention from all TMT organisations.
Telecoms providers are increasingly at risk of cyberattacks due to their critical role in global connectivity and the expanding digital infrastructure they manage. As the backbone of the internet and communication services, telecoms networks are high-value targets for adversaries looking to cause widespread disruption, intercept sensitive data, or manipulate communication channels.
Moreover, the sector’s central role in national security and economic stability makes it a prime target as telecoms providers handle increasingly large volumes of data, including personal and corporate information.
We deliver advanced cybersecurity and robust privacy frameworks to firms in this sector.
Explore our case studies
Privacy Violation and Physical Threat
Disciplinary proceedings were brought against a junior member of staff for persistent absence that led to the discovery of a series of serious sexual assaults against the employee by their supervisor. A criminal investigation was duly launched by the police, simultaneous with the client’s own process.
A member of HR subsequently shared confidential documents by mistake with the alleged offender which included exchanges with the police, as well as details on the victim’s whereabouts, a safehouse address and new mobile contact telephone number. So serious was the risk of harm to the victim that the alleged offender’s own solicitor raised the alarm upon learning from their client that this information had come into his possession.
We acted for the client, advising on a DPIA for the original disciplinary action before notifying, and then liaising closely with the ICO to explain the circumstances of the breach and make representations on the client’s behalf to avoid sanction. We advised the client in parallel on urgent mitigation, which included moving the victim to a new address.
The ICO issued recommendations for improved procedures and training for the client’s HR staff on data protection, but otherwise imposed no further sanctions. In reaching its decision the ICO commented on and commended the client’s swift response and transparency, as well as the original DPIA, which had identified the disclosure risk, demonstrating the client had been aware of and recognised the importance of protective measures, whilst noting in contrast that human error by a lone employee not following the prescribed procedure was ultimately to blame.
Patent Infringement
We defended a software developer against claims of patent infringement in multiple jurisdictions. At issue was specialist software designed to overcome latency and facilitate uninterrupted website access at times of peak demand.
Evidence was deployed demonstrating the contested patent was invalid. Moreover, after disclosing a highly technical Product and Process Description early in the litigation, we also helped to establish that the client’s software did not infringe in any event.
IT Services Agreement
Our client disputed a local authority’s unilateral amendment to a Service Delivery Agreement (SDA). The SDA was a major contract with a 20-year term for the delivery of key IT services, awarded following a procurement competition.
The local authority attributed the change to an unforeseeable reduction in demand for the services originally envisaged. The potential financial impact of the change to our client would have been close to an eight-figure sum annually.
We advised on the law and the contractual position, resulting in a constructive dialogue between the parties and an early resolution without the need for High Court intervention.
App Development
Review and negotiation of app development contracts for a leading app development company. One contract example includes Sail GP which produced a next generation app with a world first fan experience for a new global sports league.
The agreement between our client and Sail GP has a global reach and high intellectual property value, and accordingly required extensive and specialist consideration with strong intellectual property protection. The SailGP agreement and work was shortlisted for “Best Innovative Campaign” for world first sport fan experience.
Transport & Logistics
The Transport & Logistics sector will see a vast expansion in digitalisation in coming years. The influence of Internet of Things (IoT) and other types of cloud technologies on the sector is increasing and could pose operational and interdependency risks if not implemented with security-by-design.
Over the past several years, the industry has been slow to adopt new digital technologies which now means industry peers are accelerating the process of innovation. While driving progress and efficiency, these types of rapid advancements can result in oversight, even compromises.
We help our clients effectively manage a diverse range of challenges - from ransomware and data breaches to supply chain vulnerabilities - to bolster the resiliency as well as integrity of the business.
Explore our case studies
Payment Fraud
Emails were intercepted and invoice details manipulated, allowing fraudsters to divert funds during a container leasing transaction between our client, a marine cargo company in the UK, and the counterparty in Latvia.
We secured and removed the threat actor’s presence from the client’s IT environment, while simultaneously tracing and successfully recovering 80% of the diverted funds from a network of banks across the UK, Spain, and France.
Complex Data
Advice on processing personal information collated from over 5 million annual customer interactions in 20+ countries across five continents. We devised the optimum contracting structure, factoring requirements for international data transfers to ensure global compliance.
Further work included updating privacy notices and cookie policies through to preparing international data transfer arrangements, third-party processing contracts and intra-group data sharing agreements.
Privacy Violation and Physical Threat
Disciplinary proceedings were brought against a junior member of staff for persistent absence that led to the discovery of a series of serious sexual assaults against the employee by their supervisor. A criminal investigation was duly launched by the police, simultaneous with the client’s own process.
A member of HR subsequently shared confidential documents by mistake with the alleged offender which included exchanges with the police, as well as details on the victim’s whereabouts, a safehouse address and new mobile contact telephone number. So serious was the risk of harm to the victim that the alleged offender’s own solicitor raised the alarm upon learning from their client that this information had come into his possession.
We acted for the client, advising on a DPIA for the original disciplinary action before notifying, and then liaising closely with the ICO to explain the circumstances of the breach and make representations on the client’s behalf to avoid sanction. We advised the client in parallel on urgent mitigation, which included moving the victim to a new address.
The ICO issued recommendations for improved procedures and training for the client’s HR staff on data protection, but otherwise imposed no further sanctions.