AI-enabled cyber threats: the legal response is familiar, but the clock is ticking

The first article, examined where responsibility might sit in the AI supply chain when AI output causes loss. This time, the question is more immediate: what should businesses do when faced with an AI-enabled cyber threat?

That question has become harder to ignore in light of recent developments around Anthropic’s Mythos models and other frontier systems with strong cyber capabilities.

Mythos was first deployed through Project Glasswing to help selected organisations identify and fix vulnerabilities in critical software. Several reportedly saw bug-finding rates increase more than tenfold, while Anthropic says Mythos identified over 10,000 potential vulnerabilities, including more than 6,000 high or critical severity issues.

Last week, the US government directed Anthropic to suspend access to the Fable 5 and Mythos 5 models for foreign nationals, citing national security concerns arising from methods of bypassing or “jailbreaking” Fable 5.

This is a developing story, but for present purposes the point is narrower: these models show what advanced AI systems may, in theory, be capable of doing in the hands of cyber attackers.

Refining the question

The question posed was quite broad: what should businesses do when faced with an AI-enabled cyber threat?

The first Westlaw Advantage output gave a useful practical survey. With Practical Law turned on, the answer was sensible and functional, and it leaned heavily on a recent (excellent) Practical Law article on AI incident response. That makes sense. Practical Law is designed to give practical guidance, checklists, notes and commentary.

With Practical Law turned off, and the tool drawing on Westlaw sources only, the answer moved more towards legal obligations, including data protection, network security and sector-specific duties. That also makes sense. Westlaw’s core content is case law, legislation, textbooks and more traditional legal materials.

The comparison was useful, but it also showed the limitation of the question. “What should businesses do?” is a good boardroom question. In substance, the exercise was asking a legal research tool to answer a question that was only partly legal. The question also involved operational, technical and communications decisions that sit outside traditional legal research.

The exercise was therefore narrowed down. Two legal issues jumped out from the research: data protection and contractual exposure.

This is also consistent with how Westlaw Advantage is used in practice. It is important to think carefully about the output; a different question, or different sources, may produce a better answer. A broad question may produce a polished and useful answer, but the better workflow is to ask whether the tool is suitable for the task, what sources it is searching, what factual assumptions it has been given, and whether the question needs to be narrowed.

Here, Westlaw Advantage came into its own once the analysis moved on from “what should businesses do?” to more specific questions about the legal obligations arising from an AI-enabled cyber incident.

So what should businesses do?

The immediate response is classic cyber incident-response work, but AI may compress the timetable and deepen uncertainty. The business may need to make legal and operational decisions before the full technical picture is available.

Data protection and breach notification

When a business experiences an AI-enabled cyber incident, one of the first questions is likely to be whether there has been a personal data breach. Under the UK GDPR, that means a security breach leading to personal data being lost, changed, disclosed, made unavailable or accessed without authorisation.

That definition is broad. A phishing attack, stolen credentials or unauthorised access to a system may all require urgent assessment. There are important factual questions to address: what data was affected, who it related to, how the data was impacted, where the relevant individuals are located and what risk this creates for them.

If the business is a controller and becomes aware of a personal data breach, the ICO must be notified without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. If the breach is likely to result in a high risk to individuals’ rights and freedoms, affected individuals must also be told without undue delay.

Contractual exposure

If customers, clients or counterparties suffer loss, contentious risk follows quickly.

The dispute will start with the contract. A customer might say the business failed to comply with express cyber security obligations, failed to protect confidential information, or failed to meet service levels and business continuity commitments. Those are the sorts of provisions that become important when an incident causes downtime, data loss or customer-facing disruption.

The allegations will usually turn on specific failures, and any defence will be highly fact-sensitive. The business may say the attack would have succeeded anyway, that the attack constituted an independent intervening act by a malicious third party, that the customer’s own security failings contributed, or that the contract limits the claim through exclusions, liability caps or force majeure wording. If a cloud provider, software vendor or AI provider was involved, the business may also look for back-to-back protection from that supplier.

Asking the Hogan Lovells lawyers

The Westlaw Advantage research generated more targeted follow-up questions for two Hogan Lovells colleagues.

Dan Whitehead is a partner in Hogan Lovells’ Data, Privacy and Cybersecurity practice in London. He advises multinational companies across sectors on cybersecurity incidents, crisis management and regulation, often at a global scale.

It was put to Dan what businesses most often get wrong in the first 72 hours of a cyber incident, and how they should handle uncertainty.

Dan’s view was that, in major cyber incidents involving third party threat actors, “some of the core facts will often be unclear for several days, weeks and sometimes months”. Those uncertain facts can include “the degree of impact on the organisation’s systems and those of its partners”, “the volume and nature of any data that has been exfiltrated” and “the potential harm” caused to customers, employees and other stakeholders.

It is therefore important to avoid “early assumptions about risk and potential impact” and to “validate facts on an ongoing basis, as the picture becomes clearer”. That also affects regulatory filings: Dan noted that it is often better to provide authorities with “iterative updates on the investigation at appropriate times”, rather than seeking to disclose the full facts too early.

Dan also emphasised the role of legal teams in the first 72 hours. Those stages are “vital in initiating an effective legal and operational response strategy”, and companies need their in-house legal team “at the heart of the response”: instructing external counsel, protecting privilege, talking to insurers, developing a chronology, engaging law enforcement and developing a communications strategy.

Antonia Croke is a partner in Hogan Lovells’ Complex Commercial Litigation practice in London. She advises multinational companies and financial institutions on high-stakes, cross-border disputes, with a focus on swift, pragmatic solutions to complex corporate disputes. She has a particular interest in AI and digitalisation disputes.

Antonia was asked how businesses should prepare for potential contractual disputes following an AI-enabled cyber incident.

Antonia looked at the contractual disputes angle. Her view was that the strongest position is built before the dispute starts. “The strongest defence strategy is the disciplined maintenance of contemporaneous records of cybersecurity measures”, including records showing that the business selected reputable tools, configured those tools properly, monitored security alerts, reviewed security measures in line with developing AI use and risks, tested response processes and acted on warnings.

Once an incident occurs, the immediate priority is evidence preservation. As Antonia put it, “logs of the cyber security measures adopted should be collated as a priority”, and the business should establish a chronology of where the attack began, when the business became aware, when escalation occurred, when containment steps were taken, when suppliers and customers were notified, when customer impact began and when systems were restored.

The potential claims may be wide-ranging. Antonia identified group claims for breaches of personal data, service interruption or business interruption claims, breach of warranty claims, breach of fiduciary duty claims and breach of confidence claims if confidential business information belonging to third parties is compromised.

Key takeaways

The broad question was worth asking. It produced a useful map of the issues and helped identify where the legal pressure points were likely to sit.

But it was too broad to be the end of the analysis. The value came from using Westlaw Advantage to move from a general incident-response question into more specific legal areas – in this case, data protection and contractual exposure.

What is clear from the research is that an AI-enabled cyber incident will still require expert legal input. AI-assisted research can help map the problem and drill down into the issues that matter. But where the facts are uncertain, the clock is ticking and regulatory or contractual consequences may follow, businesses will still need lawyers to help them make the right calls, test assumptions and advise on the best course of action.

Reuben Vandercruyssen is a Senior Associate in Hogan Lovells’ disputes practice, advising on complex litigation, investigations and business crime. He has a particular focus on AI and emerging contentious risk, including liability and governance issues arising from generative AI.

Authored by Reuben Vandercruyssen, Dan Whitehead, and Antonia Croke.