PODCAST

Navigating Privacy, AI, and Cyber Law in APAC

Anna Gamvros

Episode 12 - Season 1

34:19 min

About the Guest

Anna Gamvros 
Partner & Head of Asia Pacific Privacy and Cyber

A&O Shearman, Asia Pacific

Anna is a Partner leading the Privacy and Cybersecurity practice for A&O Shearman in the Asia Pacific region. Anna’s practice focuses on privacy and data protection; cybersecurity and breach response; technology agreements; cloud and digital transformation projects; and technology regulatory issues.

She is one of the leading data protection lawyers in Asia-Pacific and has worked on some of the largest and most high-profile cybersecurity breaches in the region involving a variety of threats and threat actors.

Paul Jackson: Wherever you are in the world, hello and welcome to the THEOS Cybernova podcast. My name is Paul Jackson, your host. And before we begin, I’ve got a quick favor to ask of you. There’s one simple way that you can support our show, and that’s by hitting the follow or subscribe button on the app that you’re listening to the show on right now.

It makes a huge difference in helping to get the show out there to as many people as possible. So please give us a hand and click that button now.

The THEOS Cybernova podcast hosted by Paul Jackson.

Paul Jackson: So here we go with yet another fantastic episode of the THEOS Cybernova podcast, episode 12. I’m Paul Jackson, and each week I’m digging into the latest trends, challenges and innovations shaping the cyber security landscape, as well as talking to a fantastic mix of leading industry experts, thought leaders, legal eagles and technologists, with a particular focus on the Asia Pacific region.

So whether you’re a professional in the field or simply curious about staying safe in the digital age, we hope THEOS Cybernova will offer up valuable knowledge and actionable insights for everyone. Today, I’m delighted to welcome Anna Gamvros to the show. Anna is a partner with A&O Shearman and a leading light in the legal circles in our region. 

Anna thanks so much for joining me today.

Anna Gamvros: Thanks for having me today, Paul. Very excited to talk to you.

Paul Jackson: Yeah. So first of all, A&O Shearman. So obviously this is a bit of a change. Last year, A&O Shearman... could you talk us through this merger? Because, you know, some, like myself, may have overlooked this.

Anna Gamvros: Yeah, very happy to. So it was a very exciting moment in our firm, or in our new firm, as I should say. We were Allen & Overy, a leading UK global firm, and Shearman & Sterling, and the two firms have come together to create A&O Shearman. And the whole idea behind this merger was really to bring together a firm with an exceptional footprint for the UK and rest of world with a very strong US firm, because many firms that you look at globally have either that rest-of-world presence or a very strong US presence, but the two together were what didn’t exist before our merger. So by bringing together a leading US firm with some overseas presence and a leading rest-of-world firm, I’ll call it, with some US presence, we brought the best of the world together to create, really, you know, what we think is a novel and premier law firm to provide an offering to our clients.

Paul Jackson: Fantastic. That sounds like a real powerhouse. I mean, yeah, you must be really proud to be there.  

Anna Gamvros: So very proud to be there. And very proud to be part of it. Yes. 

Paul Jackson: Fantastic. Yeah. So, look, before we go any further, let’s tell your story, right. How did your career start? I mean, I’ve known you for quite a while now, and you’ve always been the leading light you know, in our part of the world. 

And how did you get to this point? 

Anna Gamvros: Well, it all started in humble Brisbane, and I like to think, and this will really date me and show my age, I like to think that my interest in technology law and technology issues started with the Y2K bug. So, you know, back in the late 90s, when we all thought that the world was going to end when we ticked over to the year 2000, this was a really new and exciting issue that lawyers hadn’t worked on before.

And I’d been doing some IP before that, a little bit of technology contract work, which was very new, but this was a new and exciting thing. And we were doing something new and something with no precedent.  

Now nothing happened, which was great because, you know, as I was holding my brick phone on New Year’s Eve waiting for it not to work and to be cold, you know, we were able to enjoy our New Year celebrations and go on. 

But this really made me realize that there was going to be, or that there was beginning to be, an area of law really focused on something new, and that would always continue to change. So since that time, you know, my career has really evolved from sort of that advisory work into technology contract work. So we were doing software contracts when they were new.

Of course, now they’re not so exciting. That evolved into large-scale outsourcing contracts where we were moving people and assets and data, and then data obviously started to become a focus. You know, there were very few significant privacy laws in the world, and particularly in the APAC region. I moved to Hong Kong sort of in the middle of my outsourcing days in 2001, where we sort of had Hong Kong’s privacy law. Australia had not what the privacy law is today, but some degree of privacy law. And there were a few scattered bits and pieces around the region, but not a lot. Then around about 2005, we had Korea pop up and then, you know, we had more laws pop up in the ensuing years in Singapore and Malaysia and the Philippines, Taiwan.

And all of a sudden there was a really interesting body of law that really no one knew a lot about and that, you know, we were trying to work out how it applies and what it applies to. And that fascinated me, again in my quest for doing new things without precedent. So that’s kind of how I found I was interested and no one else was doing it.

So I sort of started to create an expertise and carved my niche in data protection law in APAC. Now, happily, there are many others that also do that now. But it was really something new and interesting that sort of rolled into, all of a sudden, those clients whose data we’d been helping protect all those years started to get hot.

Paul Jackson: Right. 

Anna Gamvros: And what do you do then? Well, I mean, you and I know well, but there were no breach notification laws in Asia back, you know, back when we started looking at breach notification. So, you know, very much clients were like, well, do I just clean it up and not tell anyone? Which actually was what could happen, you know, prior to all of these laws.

So we sort of started advising clients on that. And then obviously what followed very quickly, and very much as a sort of a waterfall after GDPR in the UK, was, you know, a body of cyber-related laws, breach notification laws in particular, where now clients in this part of the world in particular had to tell someone, had to do something, where they’d been the subject of a cyber incident.

So hence I rolled into the cyber incident response phase of my career, which I find fascinating. And, you know, we started to work together during that period, and that’s become a really big part of my practice, preparing clients for cyber incidents and responding. And now we’re rolling into a new phase, as obviously AI and clients are asking questions about AI, and we’re seeing new laws and new issues that we have to look at.

So I mean, that’s what I love about this practice area, is that, you know, we have to kind of roll with the punches a little bit and the new laws, and, you know, sometimes we are making it up as we go along. But, you know, I feel like we’re doing that with a pretty good background of having to make those interpretations and apply what we know and the laws to new situations.

Paul Jackson: When you talked about the Y2K bug, you had me getting flashbacks to my time in the Hong Kong Police, when everyone was panicking about this, and I was in the Crime Prevention Bureau at the time, the computer security unit. And, yeah, you’re right, it just fizzled out and then we just seemed to carry on as normal.

But, I would never have guessed you went back that far, though, Anna, but well. 

Anna Gamvros: But that’s good.  

Paul Jackson: Before we jump onto more privacy stuff, I was curious. You know, you just mentioned preparing companies for crisis. How are you doing this? Are you doing tabletops, or are you just helping them prepare their plans?

You know, with the legal components of that, obviously. How does that actually work?

Anna Gamvros: Yeah. Look, we are helping them obviously prepare their plans and review their plans, trying to give them a holistic picture that, you know, trying to bring together the technical teams, the legal teams, the risk teams, the management teams to understand that, you know, a significant incident is a whole of organization response. 

And then we are working with our clients to test them in tabletops and scenarios. That’s a really, really important part of our incident preparation. We also have built out an incident response hotline, where our clients have access to us, not me personally, but our teams, on a 24/7, 365 basis.

You know, we do that by engaging our clients, making sure that we understand their plan so that if they do call the line, we can trigger their response as they had intended, and with the vendors that they want to use, be it, you know, forensics, comms, ransomware negotiators, whoever they need. We know who they need to pull in to start the immediate triage.

So we’re doing that, as well as, a lot of what we’re doing is around preparing boards. You know, obviously we’re seeing a sharper focus now on board member knowledge of cyber incidents, and also on boards as a whole, the decision-making and the information that they’re receiving from their organizations around cyber issues, with increasing focus from regulators, increasing focus from courts looking at, you know, liability of directors in making those decisions.

So that’s a really important focus in helping us prepare, you know, from board down, our clients for cyber incidents.  

Paul Jackson: That’s really interesting, because that actually meshes exactly with the kind of work that I’m doing now as well. Obviously, in my new role as CEO, I’m less hands-on in terms of, you know, the investigation side of things, but more focused on, as you say, board briefings, board awareness, helping to navigate the risk management of an incident and also, of course, you know, leading tabletop exercises at that high level when we’re working with execoms, etc. So it’s very interesting that you’re seeing the same kind of demand for those kinds of services as well. And, yeah, it’s good to see, because it just shows or demonstrates that leadership across our region are perhaps taking cyber more seriously day by day.

Anna Gamvros: Yeah, absolutely. And, you know, we’re finding a fascination at board level in ransomware and what to do, when we pay, what, you know, what questions do we need to ask.

And you know, everyone loves to hear war stories and, you know, talk ransom in the cyber context. But when you actually sit down with a board and actually ask them to talk through what questions they have and what their kind of decision tree is, and how would they begin to address an issue if their companies were faced with a ransom?

It’s very interesting to see, you know, there’s often a lot of fist-thumping on the table: no, we don’t, you know, negotiate with criminals, until you start to present what the scenario could look like and the reasons why, you know, there may need to be considerations on both sides, and the information that they need to ask for.

It’s very interesting. You get very interesting discussions and, you know, follow-on questions.

Paul Jackson: Hundred percent! 

Anna Gamvros: As I’m sure you know better than anyone else.

Paul Jackson: I do. I was fascinated because I, you know, have presented to boards, right, in all the countries, well, not all, but pretty much all the countries across the region. And there’s definitely a different dynamic depending on the location across Southeast Asia.

But what I am seeing is a lot of questions, a lot of feedback and a lot of, you know, it’s not something they’re doing to tick a box anymore. This is now genuinely, right, top of their radar. And managing those risks is essential. So it’s good to see, and it’s encouraging, as is the sort of dynamic around the strengthening of laws in our region, which we’ll touch on in a moment.

But before we do that, you know, you also have a secondary role, you and the IAPP, and, you know, perhaps you could talk us through your role there and what the IAPP does and how listeners may want to get involved.

Anna Gamvros: Yes. So the IAPP, originally IAPP stood for the International Association of Privacy Professionals.

However, the IAPP now has expanded its mandate to cover professionals in privacy, AI governance and cybersecurity, in particular given that many historic privacy professionals now have to cover that kind of suite of subject matter. And the interesting thing is the IAPP in particular has had a very big focus recently on trying to get its arms around really the scope of digital laws that what was once called a chief privacy officer now has to consider as part of their role.

And we had a leadership kind of summit last year where the theme was really “chief privacy officer and...”, because everyone has an “and” now: it’s “and AI governance officer” and “data ethics officer” and cybersecurity. You know, there are so many different parts of this role because there are so many overlapping aspects with respect to data.

So the IAPP really is an organization which provides education, certification and networking for professionals in those subject matters. I sit on the board of directors, which I’m very privileged to do with some fantastic individuals. Over the years, I’ve been very involved in the IAPP. We have the KnowledgeNet in Hong Kong, which I was one of the founding members of, which is a networking group in Hong Kong. I was also on the first Asia Advisory Board, which is responsible for networking and working on issues in the region, as well as the Asia CIPP/A, which is an exam on Asian data privacy, and helps choose the topics for the conference in Asia, which is held in Singapore in July. Then I was on the Women Leading Privacy board as well, where, you know, obviously the focus there is on networking and women in the privacy profession, although the privacy profession is one of those professions where there is a large number of women in senior roles, which is fantastic.

So now, on the board, it’s a five-year term, and I’m in year four, and it’s been fantastic. So I’m headed off to the global conference that is held every year in Washington, DC, later this month.

Paul Jackson: So it’s a bit like a president. You don’t get an opportunity for a second term, or?

Anna Gamvros: No second term, no.

Paul Jackson: No, I, you know, obviously we go back a long way. I’m fully aware of the amazing work that you do, and I’ve been privileged to speak at a couple of events with the IAPP as well. And it’s a fantastic mix of audience, asking all the right questions, I find. So, you know, kudos to you and the entire group there.

You know, for those who are interested, especially those in Hong Kong who want to join those KnowledgeNet sessions, because they are good. I remember speaking at one of those a few years back. Yeah, they are fantastic events. So perhaps they could reach out to you if they have any interest to learn more.

Anna Gamvros: Yeah, absolutely. And I mean it. I think it’s great that, you know, the IAPP has expanded its kind of subject matter realm to include AI and cybersecurity now beyond privacy, you know, even though that was always part of the discussion. But obviously, particularly in the last few years with AI, you know, we’ve had to pivot very quickly.

And they set up a separate sort of AI governance body of knowledge. And there’s a separate exam now with respect to AI governance. So, you know, it’s been a very exciting time for the IAPP to grow its member base and to grow what it can do for its member base, sort of responding to what is needed and the changes that the professionals in our space are facing.

Paul Jackson: I was going to ask you about AI later in this episode, but we’ve touched on it now. So let’s continue a little bit. I mean, this is a challenging aspect for privacy. And how do you combat the theft of identity, if you like, using deepfake etc. technology? You know, it must be one of the hot topics within the community.

What are your thoughts on this? I mean, what are our solutions, or do we not really have any at the moment, given the technology?

Anna Gamvros: Well, I think, I mean, it’s the $64 million question. You know, responsible use of AI is what we obviously advocate as lawyers and, you know, as privacy professionals.

And, you know, when we’re dealing with our own clients who are asking about AI and governance, you’re trying to make sure that the tools and the training data and, you know, how their AI use cases are set up sort of from the get-go are done in a responsible way, only using personal data where they have permission to do so, the same as any other usage of personal data.

I mean, what has become difficult is the fact that there are tools which can scoop up data, you know, at a rate and speed that we haven’t been able to see before. And there is so much data about us sitting freely available, for sure, on the internet that many of us have put out there ourselves. Right? So, yes, not for AI tools to hoover up and create deepfakes of ourselves, but it’s a very difficult issue to face when, you know, we can ask our own clients and organizations to be responsible, but there are always going to be unethical actors.

And this is another usage of personal data that’s in the public domain that is, you know, very difficult for us to control. And it’s obviously a lot scarier, in a way, than what we’ve seen in the past, you know, where we’ve looked at scraping or other misuses of data. So yeah, it’s definitely a tricky one.

I mean, from a cyber perspective, you know, we’re having to make it part of the training and re-education of our clients. Beyond phishing, now it’s looking out for things like deepfakes and, you know, creating a new, heightened level of sensitivity around questioning instructions, questioning phone calls, questioning messages even, because, you know, AI is also creating better phishing emails and all those types of things.

So we are definitely changing the way that we’re getting our clients to even train their own staff to become aware of these risks and potential issues that they might face.

Paul Jackson: So one of the hot topics in Hong Kong was obviously that fraud everyone knows about now, you know, the video deepfake.

Anna Gamvros: Yeah. 

Paul Jackson: Are the laws keeping up with it? I mean, what should, you know, the legal system, if you like, be doing, not just in Hong Kong but everywhere, in order to perhaps deter or make it a much more severe offense to impersonate individuals using deepfakes? Is that happening, or is it something that’s a way off?

Anna Gamvros: Yeah. Well, it’s another way for threat actors to infiltrate systems, you know, and I mean, we know that laws aren’t stopping threat actors from using ransomware, in that there are definitely avenues that law enforcement follows to try and find the threat actors.

But I think that’s still the response. All of these things are illegal, you know, to impersonate someone, to impersonate and to appropriate funds. You know, they’re all illegal, but it’s very difficult, as it is in any other kind of cyber incident, to find perpetrators.

Paul Jackson: Yes, sure.  

Anna Gamvros: And I mean, you know, you know that better than anyone else I know. 

Paul Jackson: I know exactly. Yeah. Yeah. Right.  

Anna Gamvros: And this becomes the issue, because the perpetrators are even more hidden when they’re using deepfake technology to, you know...

Paul Jackson: Yeah, I don’t want to deviate away from the corporate side, but, you know, I was just in the UK and, in the news, there was a sad story of a teenager, you know, committing suicide because somebody had created a deepfake of that girl, you know, in compromising positions. And, you know, these kinds of things are only going to increase, aren’t they, unless something is done. But what can be done?

Anna Gamvros: Yeah. Look, I mean, as a mother as well, I worry about these things. You know, any parent does. And, you know, we know that children of the generation that our children are, they love to post videos and photos and all of the material that can be used for deepfake purposes.

And so, you know, I remind my children that that could happen, and that’s what that data could be used for. I mean, you know, obviously they’re probably more sensitive to it than many. But yeah, I mean, on that level, it’s incredibly scary.

Paul Jackson: It definitely is.  

Anna Gamvros: It’s another threat that, you know, we have to be very, very aware of. And again, it’s education, education for families or for employees of companies.

Paul Jackson: Right. Yep. Unfortunately, it’s like all these scams, frauds, etc., it all boils down to education at the end of the day, because unfortunately, as you rightly say, the laws are going to deter them and it’s difficult for enforcement. So education is key.

All right. So let’s switch gears slightly and talk about data privacy laws in Hong Kong. Now this is something that people moan about constantly, because, I mean, I’m trying to cast back my memory, but I do remember it must have been around 1997, and I haven’t got a cheat sheet in front of me, so I don’t know.

But, because I remember very well that at that time I was moved in the Hong Kong Police into a new unit that had to deal with telecommunications companies. The mobile phone companies were just setting up around 1996, 1997, and I was asked to lead that unit because I had a telecoms background. And of course I had to deal with the new privacy law that had just come in in order to get data off those companies.

And so I had read that one backwards and forwards, but it hasn’t changed much since then. And that’s like 2007 or whatever it was, right? So what are your thoughts on the data privacy laws, and when are we going to see a modernization and update on these?

Anna Gamvros: It’s another $64 million question. So yeah, you’re right with your timing. The only real updates that we’ve seen were around 2008, I think, with the Octopus incident, where we got the direct marketing laws, I think it was 2008, 2010, and they are still some of the most stringent direct marketing laws in the world in terms of the information and consent requirements.

We have to give very, very specific information in Hong Kong about how we use data for direct marketing purposes. It’s quite a contrast to, you know, what we need to do around data collection and protection for any other use of data in Hong Kong. We then saw the doxing laws that came in a few years ago, and they were supposed to be part of a suite of updates to the law.

There were going to be new requirements around data retention, breach notification. There were going to be some new powers for the privacy commissioner and the penalties, and the doxing laws. So we got the doxing laws, which, you know, are, again, quite novel to Hong Kong. There are doxing laws in other parts of the world, but ours are very unique, and the latest is that the rest of the reforms are not going to follow.

So we’re kind of back with a blank slate, with Hong Kong’s laws as they were slated back then. So it doesn’t mean that there won’t necessarily be reforms, but those have moved on and they had come in. And I do think it was five years ago, I think it was 2020, when we first got wind of reforms. GDPR was 2018.

So it was sort of like, well, let’s have a look at that. They cherry-picked a few things from GDPR and that was what was going in. We’ve seen other laws in the region come in now that are far more stringent and far more comprehensive and far more GDPR-like. But yeah, so we’re in desperate need of an update.

I think Hong Kong is seen as not a particularly safe place from a data collection or a data security perspective, not because of security as such, but because the laws aren’t really providing that protection. There are really no restrictions on cross-border data transfer, which is, you know, really key, and no breach notification, which I think we really do need desperately in Hong Kong.

Paul Jackson: Yeah. Well, companies are notifying, are they? You know, they’re hiding away incidents and, yeah, it’s not good for, well, customers, consumers, partners, etc. So yeah, we...

Anna Gamvros: And the penalties are so low that, you know, some clients, not my clients, of course, but some organizations take it as a cost of doing business,

Paul Jackson: Correct. 

Anna Gamvros: to get a fine in Hong Kong. And that’s just not how we want to be promoting data protection in Hong Kong or in the region. And I do think there are many, many organizations that care very deeply about data protection in Hong Kong. But there are many that don’t, because they don’t have the framework or the stick to keep them in line. And it’s not until those organizations suffer an incident that you really see how poorly they handled, often, quite sensitive data.

Paul Jackson: Right. So we are heading down the track of notification, though, because obviously the new critical infrastructure bill, the cybersecurity bill, came in just recently. And that does require a subset of organizations to notify should they have a breach. What are your views on this new law? Because it has had a bit of controversy, hasn’t it?

Anna Gamvros: Yeah, it has. I mean, I think in principle critical infrastructure should be held accountable for its cybersecurity posture. And I think those bodies and organizations in Hong Kong that are providing critical services should be required to make sure that they can have continuity of those services.

Paul Jackson: Resilience, I guess.

Anna Gamvros: So, yes, exactly. Resilience. They’re protecting the services from threat actors and from threats that could disrupt Hong Kong. I think in principle that’s, you know, a solid principle. I think where there has been some, well, a lot of debate and questions asked is around the extraterritoriality, how far the reach of the law goes.

You know, there was much in the guidance saying it’s not an extraterritorial law. However, the law can allocate as critical computer systems, systems which are accessed from Hong Kong. So that indicates that it could touch, well, it does touch systems that are outside of Hong Kong. So I think this is where there’s some concern, because when you’ve got systems outside of Hong Kong, they may also be subject to other laws.

And then you get sort of, like, your conflict-of-laws positions, because you’ve got one legal regime wanting the organizations to take one set of measures and another to do another. So, you know, there’s some concern there. Yeah, so I mean, that’s one of the key concerns that we’ve seen from our clients.

Paul Jackson: So do you think Hong Kong enforcement will have the necessary stick, if you like, to enforce this? Because it’s a whole new department being set up, isn’t it, to police this, if you like.

Anna Gamvros: Yeah. And I think that’s what I was going to get to, that there’s obviously been some discussion about this new body and whether they will have the right set.

You know, obviously they’re going to be focusing on sensitive systems, sensitive industries, cybersecurity, whether they’ll have the right qualifications to make the right assessments as to what should be in and out of scope, as well as, you know, the right level of investigation powers and the right understanding of what they should be doing.

So yeah, I think that’s the other area where there’s been concern around, you know, a brand-new regulator. We haven’t had one for some time.

Paul Jackson: That’s right, so it’s going to be interesting, isn’t it?

Anna Gamvros: So it’s just going to be very interesting.

Paul Jackson: Because I’m actually sat in Manila at the moment and, you know, the Philippines, I don’t know how much you do around the region.

But, you know, obviously the Philippines has one of the tightest or strictest data protection laws, but a failure to enforce it in many ways. Yeah, I guess that’s endemic of the whole region in many ways. And look, I have a law enforcement background, but I know how difficult it is to get the right talent and capabilities to actually properly enforce this.

It’s hard enough for us to find talent in the private sector, never mind in law enforcement.  

Anna Gamvros: Yeah. Look, you’re absolutely right. And I think there’s not a country in the region which could do with a lot more resource and funding for the data protection or cybersecurity authorities, because they are tasked with a big job. One significant incident in a country can unhinge a whole regulator, as they have to focus on investigating that, you know, understanding what the organization did, making sure that the containment measures are in place, you know.

And many, you know, we’ve seen it in almost every regulator in the region, because many of them are very new, that they don’t have the right skill set to ask the right questions, to investigate, to even make the right directions or enforcement measures at the end of it, because they just really don’t know what they’re dealing with.

Now we’re seeing a huge uptick in maturity as the regulators do settle in. You know, some of those that have been in place a lot longer now, they’re much more predictable when you’re dealing with them; you kind of know what’s coming down the line. But with some of the newer regulators, it is still very difficult to know how an investigation will roll through and what powers they will exercise or use, and how long they will take to do the investigation as well.

We’ve seen some take seven years to do the investigation, which...

Paul Jackson: Because that’s so challenging for you, isn’t it, because you’ll be guiding clients and they’ll be asking exactly these kinds of questions. You know, what’s going to happen with the authorities, you know, how long is it going to take, etc. And when you’re, you know, sort of up in there, this must be extremely challenging for you.

Anna Gamvros: Absolutely. And I mean, you would know better than anyone else that the life of an IT professional in an organization is often not seven years. So when you’ve got an investigation that’s taking that long, often it’s the lawyers that are the only ones that are still there. You know, the CISO’s moved on, the IT staff moved on and the security staff are no longer there. Even the legal teams are no longer there. And, you know, we’re often debriefing as to why these questions are still being asked, you know, seven years later, as the only ones with the knowledge of the incident. And that’s very difficult because, you know, the questions that regulators ask around cyber incidents are very specific, and, you know, you want to make sure that you can answer them because they’re a regulator.

But when it takes a long time to ask the questions, they’re not going to get the best answers.

Paul Jackson: Yeah, definitely. So I’ve been involved in a number of, you know, obviously very protracted and complex investigations and, to sing your praises, well, in general, good lawyers are so critical to continuity and to helping, you know, the clients out of the mess that they’ve ended up in.

And, yeah, I’ve got to say, I’ve never seen a complex incident where the lawyers haven’t played an enormously key part, but obviously it’s getting to know that before an incident happens that’s sometimes the challenge. Right?
 
Anna Gamvros: Yes. And thank you for saying that, because that’s often what we have to convince people of, that even though we’re lawyers, we do have value in a cyber security incident. And I was just talking to a CISO yesterday, and one of the things that we were talking about, and this is a CISO that had been through a number of significant incidents, was the tail. And you and I have talked about this as well, the tail of regulatory investigations and legal follow-up that follows an incident.

We all know that, you know, the security teams, the CISO, they focus on an incident, on containment, on recovery, and then let’s move on. But then what many of them who’ve never been through an incident before don’t realize is that there could be this huge tail of asking questions about what happened before the incident and what have you done since.

And you know, distracting, as a CISO would say, from their job of, you know, containment and recovery. However, they’re just not prepared for that pace. And I think that’s one of the things that I often talk to CISOs about: you really need to know that this is also going to be a drain on resources during and after an incident because, you know, the regulators will come knocking and they want your time.

And it’s often the piece that no one realizes is going to happen.

Paul Jackson: Yes. Right. And that’s why anybody listening to this should be reaching out to Anna, or perhaps myself, to talk about preparation and crisis, you know, resilience and preparedness. But I’ve got to close off because we are butting up against time.

We could talk all day about this stuff, but it’s been a fascinating discussion. I always ask my guests one last question, and I have no idea what you’re going to say, so here we go. As a music lover, this is my way of unwinding, and I love my vinyl records. And I’ve got to ask you.

What do you listen to? Are you a music fan at all? Do you listen to music? And if so, what do you listen to?

Anna Gamvros: I am, I am, I am a heavy metal fan.  

Paul Jackson: Whoa! That’s awesome.  

Anna Gamvros: Yes, so. The last band I saw was Metallica.  

Paul Jackson: Boom! 

Anna Gamvros: And. Yep. Going to see them again, in Brisbane later this year. 

Paul Jackson: Oh, lucky you. 

Anna Gamvros: So, yes. I’m a heavy metal fan. So that’s what I listen to to unwind, which some would say probably doesn’t unwind you, but it makes me feel good, so.

Paul Jackson: Well, it might surprise you. I know that I’ve got a fair amount of heavy metal in my collection as well, so, I do enjoy, yes, some louder music. 

So, great to hear. You’ve really taken me by surprise, but thank you so much for joining me today. And I do hope we can maybe do another episode in the future, because we’ve got a lot to talk about. Listen, things move so fast, especially in the AI space.

Anna Gamvros: I’d love to. Thank you, Paul, for having me today.

Paul Jackson: THEOS Cybernova was presented by myself, Paul Jackson. The studio engineer and editor was Roy D’Monte. The executive producers were myself and Ian Carless. And this podcast is a co-production between THEOS Cyber and W4 Podcast Studio.

The THEOS Cybernova podcast. 

Episode Summary

How can organizations stay resilient as privacy regulations lag behind rapid digital threats?

Anna Gamvros, Partner at A&O Shearman and prominent APAC privacy and cybersecurity law expert, uncovers critical insights on managing data protection, AI governance, and cyber incident response amid evolving regional laws. From deepfake technology risks and outdated privacy regulations in Hong Kong to the far-reaching implications of the new Critical Infrastructure Cybersecurity Bill, Anna expertly bridges the gap between complex legal frameworks and practical cyber resilience strategies.

In this compelling conversation with host Paul Jackson, Anna explores the growing necessity for modernizing data privacy laws, discusses the controversial aspects of Hong Kong’s new cybersecurity legislation, and shares firsthand experiences engaging boardrooms in meaningful cybersecurity preparedness. Her unique blend of legal acumen and pragmatic incident response expertise provides vital perspectives for business leaders, privacy professionals, and anyone interested in navigating today’s digital complexities.

Whether you’re managing privacy programs, advising on cybersecurity, or seeking clarity on the intersection of AI and law, this episode of THEOS Cybernova delivers indispensable strategies and forward-thinking insights.
