PODCAST
Crisis Leadership When Cyber Attacks Strike

About the Guest

Jonathan Crompton
Partner at Reynolds Porter Chamberlain (RPC) Hong Kong and Head of Cyber Response for Asia

Jonathan Crompton is a partner in the Dispute Resolution team in RPC’s Hong Kong office, and RPC’s Head of Cyber Response for Asia. He helps companies and individuals navigate complex cross-border disputes and investigations involving their Asian businesses. He focusses in particular on technology and financial services. As Asia lead for RPC’s Cyber practice, he also acts as incident response manager, guiding victims through their response to cyber and data breach incidents, as well as advising on the legal and regulatory consequences of the incidents across jurisdictions. Jonathan and his team are the authors of the Hong Kong chapter of The Legal500 Comparative Country Guide on Data Protection & Cyber Security.
Jonathan is a member of the Vis East Moot Hong Kong Advisory Council, the Board of Directors of Justice Without Borders, and the Sustainability Committee of the Swedish Chamber of Commerce in Hong Kong. He is also a judicial officer for Asia Rugby and Hong Kong Rugby.
Credits:
Presented by: Paul Jackson
Studio engineering and editing: Roy D’Monte
Executive producers: Paul Jackson and Ian Carless
Co-production by: THEOS Cyber and W4 Podcast Studio
Stay Connected
- Jonathan Crompton LinkedIn: https://www.linkedin.com/in/jpcrompton/
- Reynolds Porter Chamberlain: https://www.rpclegal.com/expertise/services/data-and-cyber/
- Publication: The Legal 500: Data Protection & Cybersecurity Comparative Guide: Hong Kong Chapter, authored by Jonathan and his team.
- THEOS Website: https://theos-cyber.com/
- THEOS Cyber LinkedIn: https://www.linkedin.com/company/theos-cyber/
- THEOS Cybernova LinkedIn: https://www.linkedin.com/showcase/theos-cybernova/
- Alex Hudelot LinkedIn: https://www.linkedin.com/in/alexhudelot/
- Paul Jackson LinkedIn: https://www.linkedin.com/in/jacksonhk/
Episode Transcript
Paul Jackson: Wherever you are in the world. Hello and welcome to THEOS Cybernova podcasts. Before we begin, I’ve got a quick favor to ask from you. There’s one simple way that you could support our show, and that’s by hitting the follow or subscribe buttons on the app that you’re listening to the show on right now. It makes a huge difference in helping to get the show out there to as many people as possible.
So please, please give us a hand and click that button now. Thank you very much for.
The THEOS Cybernova podcast hosted by Paul Jackson. Welcome to another episode of the THEOS Cybernova podcast. I’m Paul Jackson, and each week I’m digging into the latest trends, challenges and innovations shaping the cybersecurity landscape, as well as talking to a fantastic mix of leading industry experts, thought leaders, technologists and legal eagles, with a particular focus on the Asia-Pacific region.
So whether you’re a professional in the field or simply curious about staying safe in the digital age, we hope THEOS Cybernova will offer up valuable knowledge and actionable insights for everyone. So today, I’m delighted to welcome Jonathan Crompton into the show. Jonathan is also based in Hong Kong, so he sat opposite me right now and it’s a real pleasure to see you again, Jonathan.
We’ve known each other for a number of years right now, but perhaps you share your background with the audience to get to know you better before we start the conversation.
Jonathan Crompton: Yeah. Thanks, Paul, and thank you very much for having me. I think it’s very interesting and exciting that you’re doing these podcasts, and I think podcasts are a great way of reaching an audience that probably isn’t normally reached.
So, I’m very happy to, to be here, although, I’ll leave it for other people to say whether I’m a leading cyber light. I think, the first thing I have to say is that I am a disputes and investigations lawyer by training. I trained in London and was working for a very large international English firm focusing on disputes and investigations in the finance industry.
But how I ended up running a cyber incident response team probably goes back a bit further than that, and before even my interest in law, because I’ve always been interested in tech to a degree. My father was a techie. He was a high frequency radio technician in the Air Force. And so I grew up surrounded by the latest personal computers. Whether it was the ZX Spectrum, a Commodore 64, an Amiga, I always had a computer around me. But being of the cusp generation, the Oregon Trail generation, unfortunately we didn’t really have computers in our schools. We had an aim in our school to have one computer in every classroom if they could. We ended up having a computer lab and occasionally we would have word processing classes.
So my wife tells me I type like a crab with my thumb and first fingers. So I’m not a computer programmer or coder, but I’ve always grown up with tech around me. Skipping forward a few years, I studied law at King’s College London, and that’s the university that naturally breeds private practice lawyers. So I very soon found myself in a big firm in London, and in my day job I always took an interest in the technological parts of being a lawyer.
So, for example, eDiscovery, and as a junior lawyer that interested me a lot: how to make the job of reviewing documents easier. As I progressed, the financial regulatory obligations for black box trading, and eventually, as it started to become a hot topic, the regulatory obligations around cyber incidents and data breaches. But I still was not really working in the cyber sphere.
And in 2017 I joined RPC. RPC is very well known as an insurance firm. As I’ve said, I’m not an insurance lawyer, but at the same time as I joined, we launched our cyber response service out here, which was offered as, I’d say, a bit of a triumvirate. So it was offered out as us, as the pointy end of the spear, as the incident response manager, with a designated forensic investigator and a designated communications agency.
And that was slow to start with because there weren’t that many incidents. And a couple of years later, about a year and a half later, the counsel that was running that team left the firm, and I was asked if I would like to take it up, and I did. I spent a couple of months getting up to speed with our procedures and how we operate.
And then, in 2019, cyber just exploded out here. And that might be because of the insurers that we were working with and who they had written policies for. But from then on, I’ve been leading the team, often the person at the end of the phone call, until we grew the roster big enough that I didn’t have to be the person on the end of the call, and we just built up significant experience over the past, what do we talk about, five, six years now?
Paul Jackson: And we’ll talk about some of those experiences, because obviously we’ve worked together on quite a number of, let’s call them incidents. But before we kick off with some of these questions, you’re obviously supremely well-educated, you’re a lawyer after all. Right. And very well spoken. So we only just launched this podcast, and one of my fiercest critics is my dad.
So my dad was a former schoolmaster. He never uses the word teacher. That’s beneath it. Right? Schoolmaster. And he commented and he said, I’ve listened to your first three podcasts and great job, he said, and I’ve got world praise for my father. Fantastic. But he said, I’ve got one nitpick to share with you. And he said, every time you agree with one of your guests, you say, yeah, he says, that’s not right.
You’ve got to say yes. Let’s use the English language properly. So you have a very eloquent response. You can hear me say, yeah, correct me, tell me. Yes, keep my dad happy. Get behind this. Let’s talk a little bit about Hong Kong. You’re here with me, you know, how did you end up here? And do you like it? You love being here? You’re comfortable here?
Jonathan Crompton: Absolutely. And this isn’t, blind loyalty to the place that I live at all. It’s. It’s an active decision that I’ve made a few times whilst training at this international firm. I’d lived in London for about ten years, on and off. And as I said, my father was in the Air Force and I grew up largely overseas.
I got itchy feet after about ten years in London and, at the start of the global financial crisis in 2008, the firm asked if anybody wanted to move to Hong Kong for two years. A common, typical expat story in Hong Kong. Do you want to go to Hong Kong for two years? And I put my hand up.
That was mid 2009. I moved here in November 2008 and I’ve been here for 16 years. What I love about the city now still applied then. Obviously the city’s changed, we can talk about that a little bit, but it is vibrant. It is driven. Everybody here is trying to make money in one way or another.
And therefore they’re striving. And I’ve made a decision repeatedly to stay here. I’ve thought about whether Hong Kong is my place to be. When I was asked to take a secondment to Bangkok, and it was a one year secondment, I decided I would go. When I was asked to stay in Bangkok for longer, I decided I wanted to be back in Hong Kong.
When I married my Korean wife, we talked about whether we should stay here, whether we should go somewhere else. Singapore is the obvious place that comes up all the time, but also the UK or Korea. And we decided that Hong Kong was still right for us. And when I was like many, many people locked out of Hong Kong during Covid, I was in the UK for three and a half months.
Each of those times I’ve thought, is this a place where I want to be, where I can enjoy life, but also where I can do well? And that remains the same today as it was 16 years ago. Despite the changes that have happened.
Paul Jackson: Fantastic. As you know, I entirely agree with you. And despite some of the negative media that Hong Kong gets, it’s definitely a place to be. It’s a fantastic place to live and work and make money.
You know, as you say, it’s always been a business city. And people here are focused on jobs, getting stuff done. And that can do attitude still prevails even today. I think you’re right. I guess we’re here to talk about cyber really, not about Hong Kong so much. And let’s talk initially about cyber breaches, because I know you sort of fell into this a little bit by accident. In fact, I think I was with you on one of your very first incidents and, a little bit daunting, you know, to try and manage as a breach coach, a cyber incident. But perhaps you could tell us more, in your own words, about the role of lawyer, breach coach, however you want to position it, in the whole sort of process.
Jonathan Crompton: I’ll talk about this from the angle of a breach coach. And we can definitely talk about lawyers taking that role. And I’m very happy to disagree with you repeatedly on whether that’s necessary. I think we probably disagree. So we agree vehemently in different directions on the issue of whether it needs to be a lawyer, but the role of a breach coach is essentially crisis manager.
And when I was thinking about preparing for the podcast, what came to my mind was Rudyard Kipling’s poem If so, if you can keep your head when all about you are losing theirs and blaming it on you. If you can trust yourself when all men doubt you, but make allowance for their doubting too. Essentially, you come into a situation where everybody is panicking, everybody’s worried about their job because something has gone wrong.
And our job as breach coach, whether it’s as a lawyer or an IR provider, is to come in and say, don’t worry boys and girls, we’ve seen this before. We may not have seen exactly how this has happened, but we bring our experience and knowledge to the table so that when people are rushing to answer questions from their stakeholders, and there’s a variety of stakeholders at the table at that point, we can look at it rationally and come up with answers, so we can spot issues ideally before they arise.
We can calmly advise on a path out of the forest, whilst both looking at the weeds in front of them and under the weeds, generally. But if we’re talking about specifics, we look at the type of the incident. We consider the skills and vendors that they might need. In the grand scheme of things, based on our experience, we use our knowledge of the large and ever changing landscape of forensic investigators, and we consider what other services they might require.
For example, if it’s a ransomware incident, are they going to pay, or have they closed the door on paying, or is there a possibility that they may? And if they may pay, it’s highly unlikely that a company that is a victim, unless it’s a crypto exchange, holds cryptocurrency, and so they are going to need a broker.
So as soon as somebody says, well, we might pay a ransom, then we know that that triggers certain things, including the possibility of a cryptocurrency broker. If it’s in the US, they absolutely will need credit monitoring, because that’s an obligation in most US states. If it’s an incident that impacts Asia or the UK or the EU, they probably won’t need credit or identity monitoring.
But the regulators might ask for it and it may be best to offer it first. So these are the things that we come to the table with, and that overview of what might happen. And it’s our job to answer the specifics and also keep our heads up and enable the people who are responding, whether they have a specific crisis response team or it’s just people running around doing their jobs.
We enable them to do those jobs whilst we’re spotting issues. And then the role of us as an insurer-introduced incident response manager is that we can then deal with the insurer in the background, head off questions, deal with any issues that come up, to try and avoid insurance coverage disputes in the background.
Paul Jackson: As the listeners could probably tell, we’ve had previous conversations on who makes the best breach coach. We obviously differ slightly in our opinion on that, but, honestly speaking though, in fairness, it’s about the person, and it’s the right person, whether that person is a lawyer or an investigator, who is the right person to manage a crisis, to help guide the client through, you know, probably the most difficult times of their careers.
So, yeah, in fairness, I, I’m in the middle of this. It’s all about the person. And you’re definitely the right person to be, having in charge of a crisis. Your demeanor, your calmness and your knowledge certainly, helps clients through those, difficult days.
Jonathan Crompton: And this is one of the things I’ve said before, that if we argue in the ecosystem of cyber response providers, service providers, of which we are one and THEOS is one, and there are many others, if we argue about a role and if we try and act like hyenas or jackals over the victim, and we try to take as much work for ourselves, the only people that will benefit from that are the threat actors. And if you think of the cyber ecosystem as a series of connected Venn diagrams, we overlap on many of the things that we do. But the key is to respect each other’s role and respect each other’s relationships and work together, because on one occasion I may bring THEOS in, or THEOS might bring me in. But if what we’re trying to do is take as much work as we possibly can to bill as many fees as we can, then the victim company will lose. We will fight. You will stop referring work to me. I will stop referring work to you. And then the only people that will win are the threat actors.
Paul Jackson: And to be fair, that’s why we work well together. Because we know that balance is important. And, yes, it should always be in the best interests of the client. So let’s move on, and talk about getting engaged, for instance. We’ll talk about the whole ecosystem in a moment. But what do you find most challenging for yourself around an incident? When that phone rings and suddenly you’ve got a big major cyber breach or a ransomware incident on your hands, what do you find most challenging?
Jonathan Crompton: The quick and easy answer to this is gaining the victim’s trust. I think that’s partly because of the way that we’re engaged. And, we are the hotline, which is often provided by the insurer. So this might be the first time that the victim is coming to us. They have a, service that has been offered by their insurer, and they come to us in a time of crisis. But they may never have spoken to us before now.
It would be better if they have spoken to us before. And we often do onboarding calls. We have another one tomorrow morning, where we introduce what we do and who we are. But the biggest thing is that people are mistrusting at the time. And so for certainly the role that we play, the hardest job is to gain the trust.
So we come in and we say, don’t worry, we’ve got this. And at that point somebody is saying, I’m a financial controller, who are you? Or, I’m the IT team, what do you know about it? And so it’s very important we set our goal to start with; we say what we’re good at and what we are not good at.
And what we do not do is we don’t do the forensic investigation. So that’s very clear. So we can come in and say we don’t do the tech part. We know people that do and these are the right people for this incident. We recommend you use X and that builds trust. And that trust is really important.
Paul Jackson: So you raise a really good point that we kind of talked about, the whole ecosystem of insurance, cyber insurance. You know, it’s all about helping a client who is insured to have the right people ready to respond, to be the fireman, if you like, when the house is on fire, to come and respond quickly and do all the things necessary to put out that fire. I’m obviously focused on the incident response piece. It’s always been my background more than anything else. We just recently built out that capability to add to the arsenal of services that we provide. But I’m curious, right, how do you go about, with the insurance companies, deciding which is the right ideal partner, which is the right incident response partner, because things change so quickly? I don’t think we’ve seen lots of movement in the Asia Pacific region recently. How do you kind of decide on the right partner for a job?
Jonathan Crompton: We need to know the vendors, and we need to spend a lot of time knowing the market for incident response. For example, there is one team that focuses on pen testing, and if they were asked to do a forensic investigation in the way that you might do a forensic investigation, I think they would probably struggle.
There’s another vendor that is very well known that won’t do employee investigation. So if there’s a hint of an insider, they will refuse to touch it. And so it’s knowing these things, knowing, for example, what happened to your previous team, where people went, what you’re doing with THEOS and who you’ve brought in, and having the trust that you have the right skills and the right people that you can work with. So really knowing the landscape of vendors is the most important thing. And then having a relationship so that we can talk openly about the cost. For example, if it’s a victim that has no deductible, i.e. the insurer is going to pay everything, then that means one thing. It means that they probably will be wary about engaging people.
But if it has a particularly high deductible, or it’s a small company or charity, they’re not going to be able to tolerate the same level of fees. And so if we were to call THEOS and we would have a preparatory call with the victim and you would come up with an estimate, we have the level of trust where I could say this looks to be three, or I’ve seen this in another incident and this looks above where I think it should be, before we even flag it to the insurer.
Is there anything you can do with this? And then when you do go to the insurer and we go to the insured victim, we can say no, and she would question this, and it’s genuinely what it would cost. If you’d like us to do a second estimate, we can, all along trying to encourage them to move as quickly as possible.
But I think it’s knowing the landscape, having personal relationships with the vendors and being able to talk about whether it’s an incident that the general public geographically in terms of capacity and whether it works from a financial perspective.
Paul Jackson: Yeah. So you raised a very important topic of deductibles, and it’s very rare to have full coverage nowadays in cyber insurance as well.
I don’t know how many you see, but we see almost never that you get full coverage from zero up. So, like many companies, we come up with a solution for that, which is the retainer. An incident response retainer, so that if the incident falls below the limit of the deductible, well, they can use our services without touching the insurance and save the insurance for the disastrous day, the big event.
What happens if a company has a retainer, say, with a company like us, but not on the insurance company’s panel? How does it work? Because obviously the insurance company will have approved a panel of vendors. What if the insured wants to choose their own incident response provider?
Jonathan Crompton: Insurers in Asia have a lot more power to choose than they do in the rest of the world. And so what an insurer here will generally be looking at, and we don’t advise on coverage, and I certainly don’t speak for the insurers, I speak for what I’m saying, but what an insurer will generally look at is whether the costs are reasonable. And that will depend on the account, how much the premium is, all sorts of things.
If an insured is going off panel, they need to be prepared to answer questions about whether it’s reasonable or not. And we certainly may be called in to answer questions, or to ask questions of the insured about what we think is reasonable or not, and maybe suggest a couple of other options. But the most important thing is to know, number one, what services and which service provider the victim wants. If they want to use a vendor who is not on panel, that’s probably fine.
They need to know whether it is going to be covered or not. They need to know whether they are prepared to pay if it is not covered. And we worked on an incident in the autumn where the insured was a big financial institution, and they brought in a very large international response team of a big company that was charging very high hourly rates and staffing it very, very highly. The insured victim brought in that company before we were onboarded.
And we spotted this is an issue. When we recommended a ransom negotiator, we recommended a ransom negotiator that we knew also did IR, so that they could have a bit of an overview and see whether things were being done properly. What they said was it is being done properly. It’s just really expensive. And we were able to relay that message, and what the victim was unable to do was to come to a natural point with the original vendor and then switch over, because they were incurring huge amounts of costs every week that probably were necessary. So the insured here have an awful lot of choice that they don’t in the rest of the world, but they need to be prepared to explain whether it’s reasonable or not. They also need to be prepared to cover the costs if it isn’t, because when we’re brought in, we’re brought in as a service provider. We’re not imposed by the insurer. And we certainly wouldn’t want to impose ourselves into a crisis situation where we’re not wanted.
So the victim company just needs to know what the solution is. And you and I definitely agree on this point, which is that you shouldn’t be deciding your team at the time of the incident. You should have decided who it is already, and if that is to have an incident response retainer with someone like THEOS, great. If it’s to have insurance coverage in place that provides that service, great.
If there’s an overlap, also great. Just know who you’re calling at what time.
Paul Jackson: Yeah, you don’t want to be dealing with limits of liability and other legal clauses whilst your house is on fire. Right. So. Absolutely right. And we talk a lot about retainers and having pre-approved, pre-agreed contracts with, you know, a few suppliers, but still, time and again, we see many, many incidents happening to companies who’ve never even thought of this. And they struggle through it at the time of that incident, which is far from ideal.
Jonathan Crompton: Or only certain parts of the business have thought of it. For example, the management team may have thought of it and then may have pushed it to the risk management team, who has put in place a solution through the insurer, and they’ve also flagged it with the IT team that may have put in place a retainer.
But what they haven’t done is thought about how it works. They haven’t had a simulation. They, they haven’t actually considered what will happen in the event of an incident.
Paul Jackson: Absolutely. Those simulations or tabletop exercises are pretty important, you know, because they give a flavor of what’s already been pre-planned, whether it works or not, and bringing in all the partners that you have. You know, we see all too often the tabletop will just use us, for example, to talk through the technical aspects. And I do say to them every time, why don’t you bring in the law firm as well? Because in a real incident you’d have a breach coach, etc. And they go, it’ll cost too much for the tabletop, or something like that. They’ll find a reason not to. And yet that’s not fully testing that capability, is it? Yeah.
Well, it’s kind of on them, though, isn’t it? Really? Yes. Right. And I’m glad you said yes. Yeah. Okay. Moving swiftly on. And last question on the breaches is the thorny question of paying the ransom. So we always get asked this, you know, should we pay? Should we pay? What are the risks? You know, is there an honor among thieves?
Will they honor it if we pay them? How do you advise clients on this?
Jonathan Crompton: There is a legal answer to this and a cyber response answer to this. So the legal answer is, you have to look at it two ways. Firstly, is it legal to pay the ransom, can you pay a ransom? The second question is looking at it from the other side, who you pay, as in the recipient.
Is it legal to pay that recipient? Now in England, Singapore, Hong Kong, some of the common law jurisdictions, it’s legal to pay a ransom. And there’s a very clear decision on that in the context of kidnap and ransom, that the money doesn’t constitute the proceeds of crime until it hits the hands of the threat actor.
That’s the legal point. And for the record, that’s not legal advice. If you need legal advice, please come to us. But it’s not only a legal question, but maybe a regulatory question. Does your regulator permit it? So some regulators would not permit the paying of a ransom. Do your law enforcement authorities permit it? And generally they won’t say no.
Some are less willing to let it slide than others, I would say, but some just see it as not a question for them. And then you’ve got issues of the victim company itself. Is there any reason why it wants to pay a ransom, or any reason why it can’t? We worked on an incident that involved a company that was linked to an embassy, and they said, absolutely not.
We will not be paying a ransom, but we will negotiate. We will negotiate to buy time. So the strategy that we put together was that they would negotiate whilst they investigated and put in place a notification strategy. Once they had issued their final notifications to regulators and to data subjects, they then just stopped negotiating. So the company itself had reasons why it wasn’t going to pay, but it was prepared to negotiate.
There are other reasons. For example, they hold data on VIPs, where they might think that they don’t want to negotiate. And then halfway through the incident, they change their mind because they realize that that data has been impacted. We’ve had one of those. All of this shows why a decision has to be taken in the round, and you need a response team, not just a legal advisor, not just a managing director or whoever is handling the business side of it, and the IT team.
Can you tell us that you’re secure before we stop negotiating or before we decide not to pay? Because at that point you’re going to irritate the threat actor. So all of this goes into the round of making a decision on whether to pay or not. The decision to pay has to be the victim company’s. Insurers, like I say, what we have now is that they will just say whether in principle it is insured or not.
But they won’t advise on whether to pay or not to pay. We can advise legally on whether it’s possible, but we will then raise issues that the victim company has to think about in reaching its decision. For example, is there one board member who strongly feels against it? But that board member has a lot of political power on the board.
It’s these types of things that need to weigh in to the decision on whether or not to pay. But can companies pay ransoms? Generally, yes, in most jurisdictions in which we operate, unless it’s to a sanctioned person.
Paul Jackson: Got it. And you know, all the stuff you’ve just brought up is stuff companies never think about. Organizations never think about it until it’s too late, and it just comes back again to that preparedness, that readiness, that resilience that companies need, by rehearsing this, by practicing, by having tabletop exercises, crisis exercises, and talking through these kinds of decisions that they may have to make under stress.
And I think all the points you’ve raised are fantastic. But I’d like to switch gears again in the last ten minutes or so that we’ve got and talk a little bit about Hong Kong, because that’s where we’re both sitting right now, although I’m sort of regional, but I am sat with you right now here in Hong Kong. And it’s big in the news, the Protection of Critical Infrastructures Computer Systems Bill. And it’s caused a lot of noise. What are your views on this new law? And could you briefly explain what it actually means to you?
Jonathan Crompton: The Protection of Critical Infrastructures Computer Systems Bill, which is snappily titled, is the equivalent of cybersecurity bills or Cybersecurity Acts seen in various other places in the world.
Singapore has one, Malaysia has one that came into force last year. Various countries or jurisdictions, I should say, are putting in place critical information infrastructure laws. And what they do is that they designate certain companies as critical information infrastructure operators. They might call them CII or CIOs or whatever they are, but essentially, if there were an attack on your systems, would this be critical to the jurisdiction?
So train networks, airports, water companies, energy companies, pipelines. Colonial pipeline is an example of, a company that got hit. Now, all of those companies are potentially going to be designated as critical information infrastructure companies. And the Hong Kong law that they propose is going to designate them in advance, and it’s going to require them to meet certain proactive obligations and certain reactive obligations in the event of a breach.
I think what’s important to know is that if a company is going to be designated as a critical information infrastructure operator, they probably already know, because unlike in other jurisdictions, Hong Kong has been discussing this with the CIOs already. So, the subway company, they know that they’re being designated. The exchange is probably going to be designated.
I mean, all the things that you would expect. And that means that they can prepare in advance. Even after the law comes into effect, there’s a transition period before it kicks in. In other jurisdictions, Malaysia as an example, the law came into effect and the CII sector leads were then designated. Those sector leads then have to go out and decide who they’re going to designate as critical information infrastructure operators.
And so in Hong Kong, the companies already have an eye on what they will need to do. The obligations for reporting in Hong Kong are more lenient than in Singapore and Malaysia. But the problem with the bill, and the problem with, I think, a lot of Hong Kong recently, is that it comes off the back of the protests and then Covid, and so any time that the security department is involved, there is a question about whether this relates to national security or not.
And the division of the government that is managing this, that will be the liaison, is the Security Bureau. And so a lot of people have raised questions about whether this is a law that is trying to do something that it’s not, and the government is going to great lengths to try to say, you know, we are really just trying to protect our critical information infrastructure. As with everything with Hong Kong, we will have to see.
I genuinely believe that this is something that is designed to protect IT systems that are critical for the running of Hong Kong, and the wording of the law is more lenient. And certainly the companies that I’ve been talking to that have been designated don’t necessarily see this as some way to try and undermine their information security.
Paul Jackson: Yeah. You know, you’re skirting around some of the core issues that have been raised by the media, and I’m going to save that for another podcast because honestly, Jonathan, we could go so much deeper and further into the laws in Hong Kong and the controversy surrounding whether they’re real or whether they’re just hyped up to sell more newspapers or get more clicks.
It’s a lengthy topic that hopefully you might be up for one day, but I know it touches on sensitive areas and I don’t want to get you into trouble, certainly on that. But in talking about laws, obviously I don’t want to go into this now because I do want to get you back on the show, and we’re kind of running out of time on this one.
But, data privacy is a huge thing here because the laws haven’t been updated in many years. And let’s save that for another day.
Jonathan Crompton: Actually, we can answer it very, very quickly. So the Personal Data Privacy Ordinance is an incredibly old ordinance. It was based on a template that I think came about in the very early 1980s. There have been a few updates to it. We were hoping to see some updates in relation to what to do in the event of a breach, but the government has recently announced that it’s shelving these following feedback from business. I’m not one who likes additional regulations put on our clients, but Hong Kong is quite an outlier. We now have a regulatory landscape that is very out of kilter with a lot of jurisdictions, and that creates complexity. And removing that complexity, I think, would help companies. Whereas what we’re seeing is the government is focusing on other issues and saying that it doesn’t want to place additional burden on industry and therefore has decided it’s going to shelve these changes again.
Paul Jackson: That’s a great answer. And I entirely agree with you. I think it does add complexity, no doubt about it. So yeah, let’s keep fingers crossed that the government revisits this sometime soon. But, yeah, as I say, they’ve got a lot of other things to be dealing with at the moment. But talking of dealing with things, just to recap the sort of legal side of things, along with laws comes the stick.
And look, I’m a former cop, right. You know, it’s challenging to find the right people in law enforcement, in government bodies, in the authorities that are capable and have the talent to properly investigate and to, you know, uphold these laws and enforce these laws. So what’s your view on the enforcement capability here? And do you think they’ve got enough people to really deal with these new laws coming in?
Jonathan Crompton: The way that you phrase the question is essentially, do they have the capability to deal with enforcing the critical infrastructure bill? I think what I can say is that the capabilities, the tech capabilities in the Hong Kong police force have grown enormously in the past few years.
The money that has been put into the cyber teams at the police is quite significant. We do cyber fraud as well. We do civil fraud. Basically any bank fraud that takes place, we deal with the police quite a lot. And so when we’re dealing with the police there, if we get through to the right team, they know what they’re doing.
They can move quickly. If we deal with a district investigation team who doesn’t deal with cyber fraud on a regular basis, they don’t necessarily have the skills. I think the issue is policing priorities and whether the team is big enough to cover everything that’s happening. Hong Kong is, I think, quite well known as a recipient jurisdiction of fraud funds.
And we are writing to the police pretty regularly, and we’re just one of many law firms. So the question is whether the police have the resources to deal with everything, and then what are their policing priorities? I personally think that the Critical Information Infrastructure Bill is going to be one of their priorities. And so I think that there will be a team that either is in place or is tooled up, but I don’t know because I don’t know who that team is.
And you’re right that if there is somebody who is very, very good, they might well be poached to go to private industry.
Paul Jackson: That’s true. Yeah. Okay. So I’ll let you off the hook with that one a bit and move on swiftly because you’re a lawyer. Right. So look, you’re more familiar with actually asking questions rather than answering them.
And, I’m gonna ask a dangerous question here before I close out the show. But, if you were hosting this show, what would you ask someone like me?
Jonathan Crompton: We’ve just finished, earlier today, a fireside chat with a tech founder who was previously a lawyer. And what came out of that discussion was the idea of when is the right time?
When is the right time to move? When is the right time to found something? I think you know where I’m going with this. So you have been in large organizations and you’ve headed teams for large global organizations for quite some time. What you’ve done is you’ve made an active decision now to join THEOS and to add to its capabilities and potentially take it to another level. I suppose my question is why now? And also, what is it that you’re hoping to achieve?
Paul Jackson: That’s a great question. Thank you for that one. And I’ll answer it very quickly. It’s about the stage in my career. Okay. So with my previous employers, you know, things changed. They decided to make strategic decisions in our region, which impacted my ability to deliver in this region.
So I’m not going to say too much about that other than that it was very disappointing. And it’s left a gap in the market here. Now, I could have moved to another similar company, you know, a large global firm where I’d be heading the region and building out capacity. But there’s always a risk the same thing would happen again.
You know, I would not be the ultimate decision maker, and that could affect my ability to deliver out here and also my reputation out here. So I had long conversations with the former CEO of THEOS, who’s Alex Hudelot, who was in our first webcast, and we explained some of the reasons behind this. But I think ultimately it’s an opportunity to leave a legacy, to build something special in this region.
We want to be focused on the region, driven from overseas, from another region, and really be bespoke and, you know, be on the ground with people to really work with clients and provide professional advice and guidance, in the way they deserve in our region. So it’s the opportunity to build something special, leave a legacy, and do things in the way that I control. That’s the simple answer. Right, back to me asking questions.
Jonathan Crompton: I was going to say, I’m very happy that you are doing that because it provides another IR service provider. It provides options. And we know the quality that you bring, and some of the team that is working with you, we know their quality as well. So we’re looking forward to working with you.
Paul Jackson: Thank you, Jonathan. It’s always good to have options. Right. And talking of options, what music do you like listening to? Because I always end the show with this question, because I’m a music lover. It’s the way I choose to relax, it’s the way I decompress from a very stressful job.
And I just love music, all through the vinyl records, you know? I just take great satisfaction in putting that needle on the record. And I know you like music a bit as well. So what are you currently listening to? What helps you to decompress a little bit?
Jonathan Crompton: I listen to pretty much everything, I have to say. One part of my story that I jumped over was, I nearly left grammar school at the age of 16 to go and study performing arts. I didn’t. I stayed, and here I am. But, so, you will probably shoot me for this, but I do love some showtunes. So at the moment, I’m finding it very hard to escape pretty much all of the Wicked soundtrack.
But alongside that, I’m listening to 1990s divas. There is a reason for these two things, 1990s divas and showtunes, but also there’s a couple of artists that I’m listening to. Rag’n’Bone Man I love, I love Rag’n’Bone Man. I also quite like what Leigh-Anne Pinnock is doing. So she was in Little Mix. She’s now on her own and she’s pursuing a kind of Afrobeats career.
So I like that. And Kygo, and I think anything Kygo remixes I love, so literally anything. But let me just explain the showtunes and the divas. I have a ten month old daughter and my wife doesn’t listen to that much music at home. I listen to music all the time. And so what I will do in the morning is I’ll get up, I’ll turn the speaker on, and I will play something that she wants to hear.
And she loves divas. Absolutely loves divas. And at the weekend I introduced her to Wicked, and she was blown away by it. And so I think there’s going to be a bit more of that around the house, I’m afraid.
Paul Jackson: I’m so glad I asked that question. What a great answer. It never fails to surprise me what my guests listen to. And I think you’ve just taken it to a whole new level there, but I’m not surprised that an 11 month old is listening to that stuff. I’m just surprised that a seasoned lawyer is listening to it, and don’t get me wrong. But Jonathan, thank you so much for being a guest today, and I really hope we can resume the conversation in a few months’ time and perhaps unpick how the laws are evolving, how data breach coaching is evolving, and touch on other topics that maybe our listeners might want to raise with you.
Jonathan Crompton: That would be great.
Paul Jackson: Thank you very much. So, THEOS Cybernova was presented by myself, Paul Jackson. The studio engineer and editor was Roy D’Monte. The executive producers were myself and Ian Carless. And this podcast is a co-production between THEOS Cyber and W4 Podcast Studio.
The THEOS Cybernova podcast.

Episode Summary
What happens when a ransomware attack hits, and every decision counts?
Jonathan Crompton, Partner at Reynolds Porter Chamberlain (RPC) and Head of Cyber Response for Asia, takes us behind the scenes of cyber crisis management. With extensive expertise in cross-border disputes, cyber incident response, and data protection, Jonathan explains how legal strategy and clear decision-making can mean the difference between recovery and chaos.
In this episode, host Paul Jackson dives into the realities of managing a breach, from evaluating ransomware demands and navigating regulatory obligations to building the right response team. Together, they uncover the critical steps and decisions companies must make during high-stakes incidents, while highlighting the importance of preparation and collaboration in mitigating risks.
If you’ve ever wondered what happens when a cyber crisis unfolds or how legal and crisis management come together during a breach, this episode offers practical insights and expert advice to help you stay resilient in today’s cyber realm.