Data Protection and Cybersecurity

Topic 1: 2026 cyber trends: what to watch for and what you can do

The cyber threat landscape in 2025 was varied, with greater ebbs and flows in threat actor activity than in previous years. After a relatively quiet first half, attacks ramped up in the second half of the year. These included major operational disruption in the United Kingdom (UK) at auto manufacturer Jaguar Land Rover, the exploitation of a zero-day vulnerability in Oracle E-Business Suite that reportedly led to the theft of data from dozens of businesses, and the compromise of a widely used third-party Salesforce integration, whose stolen access tokens were reportedly used to extract data from more than 700 organisations. Earlier than expected, we also saw artificial intelligence (AI) tools used not only to support intrusions but also to carry them out: Anthropic discovered and publicly disclosed a state-sponsored espionage campaign in which an AI agent performed most of the intrusion tasks with only limited human direction.

Against that backdrop, we outline five key trends from 2025 and practical steps businesses may wish to take to address them.

1. Disruptive attacks remain prevalent. We continued to see large-scale operational disruption from ransomware and other attacks that took distribution and stock management systems offline.

Mitigation steps to consider:

A. Confirm that interdependencies for key control, distribution, stock management, and other critical systems have been mapped recently, and ensure that those maps are updated regularly. It is extremely difficult, and sometimes impossible, to do this during an incident.

B. Identify what your minimum viable operating state would be if you were the victim of a disruptive attack, how that state could be achieved (ie, ‘how to keep the lights on’), and what resources would be required. Engage with senior management to ensure that adequate resources are available and plans are in place that could be executed during an incident.


2. Help desks as the initial point of entry. Threat actors are targeting internal and outsourced help desks (and other managed service providers) as a primary access vector, socially engineering help desk staff into changing account passwords and resetting multi-factor authentication (MFA) tokens and devices outside established procedures.

Mitigation steps to consider:

A. Review help desk protocols for password and MFA reset procedures to ensure that they are robust, for example by verifying the requester through a channel the caller does not control (such as a callback to a number already on record or confirmation from the requester's manager) rather than through details the caller supplies, and by accounting for the threat of audio-visual deepfakes. Additionally, consider handling requests from high-risk users, such as senior executives, management, superusers, and users with administrative privileges, internally.

B. Work with your help desk to ensure that staff are trained and consistently follow protocols. This includes developing a ‘challenge culture’, where help desk staff are encouraged to be polite but sceptical of callers and to require them to authenticate their identity before assisting, irrespective of rank or circumstances. Ensure that help desk operations are assessed not only on speed and lack of complaints, but also on compliance with security protocols.


3. Threat actors are targeting senior executives and their families. Threat actors are increasingly compromising senior executives’ personal devices, email and social media accounts, and home networks to put greater pressure on businesses to pay cyber ransoms. This includes targeting family members, including minors, and deploying harassment techniques ranging from voice masking and sending executives photos of their children’s schools to releasing compromising photos to colleagues or posting them on adult websites.

Mitigation steps to consider:

A. Raise awareness of this trend among senior executives and support them in improving their personal cybersecurity posture to better protect themselves, their families, and the business. This should include informing them how to escalate personal cyber incidents within the business. Some businesses are providing limited cyber services for senior executives and board members at their personal residences.

B. Confirm whether existing dark web monitoring covers senior executives and consider working with them to extend it if it does not. This should be navigated carefully due to privacy and data protection considerations.


4. Successful large wire-diversion fraud schemes have been enabled by audio-visual AI deepfakes. We have seen multiple wire-diversion fraud schemes that leverage AI-generated deepfakes of senior executives. Barriers to entry are decreasing and the quality of readily accessible tools is increasing rapidly, significantly increasing the risk to businesses.

Mitigation steps to consider:

A. Ensure that general cybersecurity awareness training includes modules on the latest audio-visual deepfake technology, ideally with a demonstration of how realistic the technology has become, using a known individual from the business.

B. Provide bespoke training to, and revisit wire-transfer authorisation procedures with, key members of your finance and treasury teams. This can include incorporating challenge words and other simple but effective low-tech solutions.


5. The remote IT worker threat remains prevalent. Although United States (US) authorities have disrupted parts of the North Korean remote IT worker scheme, in which North Korean IT workers impersonate foreign nationals to obtain remote IT roles, the threat continues to evolve. Originally aimed at generating revenue for North Korea’s weapons of mass destruction and ballistic missile programmes, the remote IT worker threat now includes workers from other countries and employees who outsource all or part of their job or individual job tasks. It poses significant business, reputational, and regulatory risks for companies.

Mitigation steps to consider:

A. Review your current pool of remote IT workers for red flags associated with remote IT worker schemes, such as day-to-day language skills that are poorer than those demonstrated in interviews, working hours that diverge from those of the location where the individual purportedly works, or limited appearances on video during meetings.

B. If you rely on outside recruiting partners, liaise with them to better understand their hiring practices and background checks. Consider more direct involvement in the hiring process, particularly for hires who will have access to critical systems. This can include updating interview protocols to require candidates to answer location-specific questions about the area in which they live or to produce identity verification documents during the video interview.
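The working-hours red flag in step A can be checked across the whole remote workforce rather than noticed anecdotally. The following is an added example, not code from the original article: it scores each remote worker's successful logins against the business hours of the location in their HR record and flags accounts whose activity falls mostly outside that window. The log format, user names, purported locations and fixed UTC offsets are hypothetical constructions for the example; a production version would read events from the identity provider's audit log and use zoneinfo with each worker's IANA zone so that daylight-saving transitions are handled.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample of login events from an identity provider, timestamps in UTC.
# These are not real events and the line format is hypothetical.
SAMPLE_AUTH_LOG = """\
2025-11-03T13:02:11Z user=asmith event=login result=success
2025-11-03T15:41:09Z user=asmith event=login result=success
2025-11-04T12:55:43Z user=asmith event=login result=success
2025-11-04T20:10:02Z user=asmith event=login result=success
2025-11-05T14:20:37Z user=asmith event=login result=success
2025-11-03T01:12:54Z user=bnguyen event=login result=success
2025-11-03T04:48:30Z user=bnguyen event=login result=success
2025-11-04T05:03:15Z user=bnguyen event=login result=success
2025-11-04T07:31:48Z user=bnguyen event=login result=success
2025-11-05T06:17:09Z user=bnguyen event=login result=success
2025-11-05T09:59:21Z user=bnguyen event=login result=failure
2025-11-03T03:00:00Z user=cchen event=login result=success
2025-11-04T04:00:00Z user=cchen event=login result=success
"""

# Purported work location per remote worker, as recorded by HR (hypothetical).
# Fixed standard-time UTC offsets keep the example dependency-free; production
# code should use zoneinfo.ZoneInfo with the worker's IANA zone to handle DST.
PURPORTED_UTC_OFFSET = {
    "asmith": -5,   # New York, EST
    "bnguyen": -7,  # Denver, MST
    "cchen": 0,     # London, GMT
}

LOCAL_BUSINESS_HOURS = (7, 20)  # generous local window: 07:00 inclusive to 20:00 exclusive
MIN_EVENTS = 5                  # do not judge an account on a handful of logins
FLAG_THRESHOLD = 0.5            # flag when under half of logins fall in local working hours

LOGIN_RE = re.compile(r"^(\S+)Z user=(\S+) event=login result=success$")


def parse_successful_logins(log_text):
    """Yield (user, timezone-aware UTC datetime) for each successful login line."""
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line.strip())
        if m is None:
            continue  # failed logins and unrelated lines are ignored
        ts = datetime.fromisoformat(m.group(1)).replace(tzinfo=timezone.utc)
        yield m.group(2), ts


def local_hour(ts_utc, offset_hours):
    """Hour of day at the purported location for a UTC timestamp."""
    return ts_utc.astimezone(timezone(timedelta(hours=offset_hours))).hour


def working_hours_counts(log_text, offsets, hours=LOCAL_BUSINESS_HOURS):
    """Return {user: (logins_in_local_hours, total_logins)} for users with a purported location."""
    start, end = hours
    counts = defaultdict(lambda: [0, 0])
    for user, ts in parse_successful_logins(log_text):
        if user not in offsets:
            continue  # no HR record to compare against; such accounts need a separate review
        counts[user][1] += 1
        if start <= local_hour(ts, offsets[user]) < end:
            counts[user][0] += 1
    return {user: (in_hours, total) for user, (in_hours, total) in counts.items()}


def flag_divergent_workers(log_text, offsets, min_events=MIN_EVENTS, threshold=FLAG_THRESHOLD):
    """Return {user: in-hours ratio} for accounts whose logins mostly fall outside purported local hours."""
    flagged = {}
    for user, (in_hours, total) in working_hours_counts(log_text, offsets).items():
        if total < min_events:
            continue  # too few events to say anything; revisit once more data accrues
        ratio = in_hours / total
        if ratio < threshold:
            flagged[user] = round(ratio, 2)
    return flagged


if __name__ == "__main__":
    for user, ratio in sorted(flag_divergent_workers(SAMPLE_AUTH_LOG, PURPORTED_UTC_OFFSET).items()):
        print(f"review {user}: only {ratio:.0%} of logins fall within purported local working hours")
```

A low ratio is an indicator, not proof: genuinely flexible workers, shift patterns and travel produce the same signal, so treat a hit as a prompt for the identity and recruiting checks in step B rather than as a conclusion. The timing check is useful precisely because it does not depend on source IP address, which an operator routing through a device physically located in the purported country can make look legitimate; an operator's sleep cycle is harder to disguise. The MIN_EVENTS floor stops new hires or rarely used accounts being flagged on a handful of events.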


Topic 2: protecting privilege in incident response: litigation lessons from the U.S.

Companies responding to data breaches often face the question of whether their incident response investigation is protected by attorney-client privilege or the attorney work-product doctrine. The issue primarily relates to whether reports generated by an incident response (IR) firm may be protected from discovery in US litigation, but other communications may also be at risk in discovery if the work of the IR firm is not part of a privileged investigation.

US courts have chipped away at the attorney-client privilege and work-product protections afforded to IR reports and communications with IR firms. Nevertheless, several opinions continue to support the proposition that incident response reports are protected. Ultimate success is a fact-intensive inquiry that requires advance planning. Courts have scrutinised when, how, and why companies engage IR vendors; which business function manages the engagement; how the vendor’s workflow is managed; the roles of other technology teams at the company in interacting with the vendor; the form of the report produced by the vendor; and to whom the report is distributed. In investigating how the vendor was paid, some courts have even found that payment from the information technology (IT) budget, rather than the legal budget, is affirmative evidence that the IR vendor was hired to support business operations rather than the provision of legal advice. We explore in further depth here the relevant factors that US courts consider and provide practical guidance on navigating the legal minefield around these issues to maximise the chances that companies can successfully assert their rights to preserve protections over key records if litigation arises following an incident.

Broadly speaking, US litigants can shield documents and communications from discovery under two theories: attorney-client privilege or work-product doctrine.

    • Attorney-client privilege: In general, attorney-client privilege covers records that involve communications from a client to an attorney for the purpose of seeking legal advice. Under the Kovel doctrine, communications between lawyers and third parties who are instrumental to providing legal advice, such as a translator, paralegal, or forensic accountant, may also be protected by attorney-client privilege. See United States v Kovel, 296 F2d 918, 920-23 (2d Cir 1961) (discussing the circumstances under which attorney-client privilege may extend to certain non-lawyers who support the lawyer in providing legal advice). Here, the work of IR vendors may be protected by privilege where the technical work done by the vendor is instrumental to a lawyer’s understanding of the legal ramifications of the incident.
    • Work-product protection: Attorney work-product protection may be available for records created in anticipation of litigation. ‘Created in anticipation of litigation’ means that the substance of the record must have been, in substantial part, influenced by ongoing or imminent litigation, though the precise tests for this standard vary by jurisdiction. The antithesis of records created for the special purpose of aiding in litigation is records created solely in the ordinary course of business. Nevertheless, work-product protection may be available for ‘dual-purpose’ documents that serve both litigation and business purposes, depending on the jurisdiction. In the IR context, work-product protection is asserted over materials prepared by the IR vendor because those reports are critical for legal counsel to provide advice regarding the company’s obligations in responding to a data breach and the litigation that almost inevitably follows. But courts scrutinise vendors’ reports to determine whether they would have been created in the same way ‘but for’ the litigation. Where the court concludes that pending or imminent litigation did not cause or otherwise affect the preparation of the factual report, work-product protection will not attach.

The law in this area as it applies to IR vendors remains very much in flux, as there is a relative dearth of case law on this topic. The case law that does exist is at the district court level, without any circuit court squarely addressing this issue. No cases to date have fundamentally disagreed with the application of these protections to IR work.

Because of their technical nature and because cybersecurity is part of core business operations, records generated by an IR vendor under privilege or work-product protection may seem like ordinary business documents to an outsider without further context. In determining whether a given IR document merits protection, courts investigate the document’s purpose, namely whether the IR vendor generated it while facilitating the provision of legal advice or helping prepare for the possibility of litigation. This requires looking into whether and how counsel directed the IR vendor’s work, which in practice can become a multi-factor inquiry that probes all aspects of the relationships between the IR vendor, the company, and counsel. Below, we enumerate the factors courts look to as indicia of legal purpose in an attorney-client privilege or work-product context and provide an overview of how some of the major cases apply them.

    • Relation to vendor’s ordinary work: Does the IR vendor perform work under its engagement with counsel that differs meaningfully from the work it performs for the company in the ordinary course of business, if any? Is the work solely for the investigation, or does it include incident preparedness or remediation activities?
    • Budget source: Who is paying for the IR vendor’s services? Is it the information security team or the legal team?
    • Dual-track investigations: Is there only one investigation? Is there a team outside the privileged workstream that is performing an ordinary-course investigation? Will there be a second, non-privileged IR report?
    • Scope of distribution: Who is privy to the IR vendor’s communications and reports? Is that group narrowly focused on providing legal advice, or is it broader and focused on the business response?
Summary of the major cases, with the finding and the factors each court considered:

    • In re Target Corporation Customer Data Security Breach Litigation (D Minn 2015). Finding: privileged and protected by work product. Primary purpose: legal. Factors cited: dual-track investigation (separate, independent track clearly for legal advice purposes).
    • In re Experian Data Breach Litigation (CD Cal 2017). Finding: protected by work product. Primary purpose: legal. Factors cited: relation to vendor’s ordinary work (different); scope of distribution (narrow).
    • In re Premera Blue Cross Customer Data Security Breach Litigation (D Or 2017). Finding: not protected by work product. Primary purpose: business, not legal. Factors cited: relation to vendor’s ordinary work (similar).
    • In re Dominion Dental Services USA, Inc Data Breach Litigation (ED Va 2019). Finding: not protected by work product. Primary purpose: business, not legal. Factors cited: relation to vendor’s ordinary work (similar).
    • In re Capital One Consumer Data Security Breach Litigation (ED Va 2020). Finding: not protected by work product. Primary purpose: business, not legal. Factors cited: relation to vendor’s ordinary work (similar); budget source (business); single-track investigation (no substantive alternate track); scope of distribution (broad).
    • Guo Wengui v Clark Hill, PLC (DDC 2021). Finding: neither privileged nor protected by work product. Primary purpose: business, not legal. Privilege: vendor’s purpose was not in support of obtaining legal advice. Work product: relation to vendor’s ordinary work (similar); scope of distribution (broad); single-track investigation (no substantive alternate track).
    • In re Samsung Customer Data Security Breach Litigation (2024). Finding: neither privileged nor protected by work product. Primary purpose: business, not legal. Privilege: single-track investigation (no substantive alternate track); scope of distribution (broad); relation to vendor’s ordinary work (significant business purposes). Work product: similar reasons as for privilege.


Relation to vendor’s ordinary work

Courts formerly deemed the direction of outside counsel a primary factor in determining whether an IR vendor’s report merited protection. For example, in In re Experian Data Breach Litigation, the court relied on the fact that the IR vendor’s report was initially delivered to outside counsel at outside counsel’s direction in finding that ‘but for the anticipated litigation, the report wouldn’t have been prepared in substantially the same form or with the same content.’ 2017 WL 4325583, at *2-3 (CD Cal May 18, 2017). Courts increasingly scrutinise, however, whether the actual services the IR vendor has provided to lawyers can be differentiated from the vendor’s day-to-day services. Without substantive differences in the scope of work for the privileged workstream, there is a risk that a court may deny protections. For example, in In re Capital One Consumer Data Security Breach Litigation, the district court upheld a magistrate judge’s finding that a vendor report was not protected because the ‘only significant evidence that Capital One has presented concerning the work Mandiant performed is that the work was at the direction of outside counsel and that the final report was initially delivered to outside counsel.’ 2020 WL 3470261, at *5 (ED Va June 25, 2020).

Beyond ensuring that counsel is directing IR vendors, companies must therefore make efforts to distinguish the actual work IR vendors do from the business-as-usual cybersecurity work many of these same vendors support. Work-product protection may be inapplicable when a vendor’s prior scope of work does not substantively change after outside counsel becomes involved, as that tends to indicate that the IR vendor’s work was done in the ordinary course rather than as an aid to attorneys and in anticipation of litigation. See, eg, In re Premera Blue Cross Customer Data Security Breach Litigation, 296 F Supp 3d 1230, 1245 (D Or 2017) (‘[Mandiant’s] scope of work did not change after outside counsel was retained. The only thing that changed was that Mandiant was now directed to report directly to outside counsel and to label all of Mandiant’s communications as “privileged”‘); In re Dominion Dental Services USA, Inc Data Breach Litigation, 429 F Supp 3d 190, 194 (ED Va 2019) (rejecting arguments that a Mandiant report was prepared ‘but for’ the anticipation of litigation in part because ‘the actual description of services’ in the putatively protected report ‘are almost identical to the services promised in the June 2018 statement of work, entered into by the defendants and Mandiant months before any threat of litigation’).

If companies are penalised from a privilege standpoint for using the same vendor before and after an incident, they face a Catch-22. From a preparedness standpoint, an IR vendor should have basic familiarity, in advance of an incident, with the systems, processes, and technologies that a company uses. This enhances the speed and precision of incident response work. For example, the IR firm can pre-deploy sensors, beacons, and other technologies, and can assist with risk assessments and testing that will let it rapidly gather the technical data needed to diagnose and contain an active breach. But some courts have found that the pre-incident engagement of a vendor may be too similar to the vendor’s work during the incident, meaning that the vendor’s work product would not have been any different ‘but for’ the litigation and therefore does not merit work-product protection. See, eg, In re Capital One Consumer Data Security Breach Litigation, 2020 WL 3470261, at *6 (rejecting work-product claims where the pre-incident statement of work (SOW) and incident response SOW were virtually identical, and explaining that Capital One failed, like the companies in Premera and Dominion Dental, to establish ‘that the report Mandiant would have created for Capital One pursuant to its pre-data breach SOW would not have been substantially the same in substance or scope as the report Mandiant prepared for Debevoise’ because ‘both contractual arrangements were virtually identical’).

Some companies seek to minimise this risk by clearly separating the workstreams in separate contracts. For example, some have the IR engagement contract ready, but unsigned, before an incident, ensuring that the IR firm can be deployed rapidly while preserving all arguments that the vendor’s IR work was strictly confined to post-incident response work designed to help legal counsel render advice. Others pay for a retainer specific to incident response. Whatever the contractual arrangement, companies can strengthen their arguments for privilege or protection by ensuring that the IR-specific paperwork does not tie back to the same master services agreement that governs the ordinary-course work performed by the vendor and by ensuring that the scopes of work materially differ between the privileged engagement and the work done in the ordinary course.

Budget source

While it may seem natural to deduct expenses related to the IR vendor from a company’s cybersecurity or IT budget, some courts have found that payment from a business function other than the legal department weighs against a finding of privilege, as it tends to suggest that the vendor operated in the ordinary course rather than in support of litigation or legal advice. For example, in denying work-product protection, the court observed that ‘Capital One paid Mandiant for this work from a Capital One fund denominated “business critical” expenses.’ See In re Capital One Consumer Data Security Breach Litigation, 2020 WL 3470261, at *1.

To the extent possible, IR vendor fees should be paid out of the legal budget. This may require careful coordination between functions when the IR vendor is engaged, particularly if that engagement occurs in the pre-incident context.

Dual-track investigations

Courts have viewed dual-track investigations favourably, where the company conducts separate investigations: one in the ordinary course of business and another in aid of counsel. While this approach can be cumbersome and expensive, some companies have successfully divided the response tracks so that one track, typically the company’s usual vendor or internal team, focuses on business continuity and remediation, while the other track, retained by counsel, is for privileged legal purposes. The second vendor, engaged by outside counsel, focuses separately on providing information to counsel that can be used to provide legal advice. Of course, this requires either a mature in-house cyber team or a second funding stream to pay for a second IR vendor.

To preserve privilege, however, the tracks must actually be separate from one another and the advice rendered must be independent. For example, in In re Target Corporation Customer Data Security Breach Litigation, the court found that one investigation was focused ‘on informing Target’s in-house and outside counsel about the breach so that Target’s attorneys could provide the company with legal advice,’ while Target conducted a parallel ordinary-course investigation with a separate team. 2015 WL 6777384, at *2-3 (D Minn Oct 23, 2015). Some courts may extend this protection to the fact-gathering by the IR vendor as well as to any technical advice given to counsel on cybersecurity issues. See, eg, In re Samsung Customer Data Security Breach Litigation, 2024 WL 3861330, at *8 (noting that ‘Target claimed that any information gathered by the latter task force is protected by the attorney client privilege and the work-product doctrine’ in successfully establishing a dual-track investigation). Conversely, in Guo Wengui v Clark Hill, PLC, a dual-track investigation was insufficient to shield a vendor report from disclosure where the vendor retained by counsel did the majority of the incident response work and there was no evidence that the other vendor, supposedly retained for business continuity purposes, did any work on the incident. 338 FRD 7, 11-12 (DDC 2021). Courts may therefore be less likely to protect reports if they find that the true purpose of a dual-track approach appears ‘designed to help shield material from disclosure’ without other indicators that it was for legal advice. Id at 13.

Courts sometimes point to the presence of recommendations for cybersecurity improvements in a report as indicating that the report was not created to assist counsel. Cyber remediation, the courts argue, is not why counsel is engaged. Note, however, that the converse is not necessarily true, and courts have found that the absence of recommendations from an IR report does not necessarily prove that the report was made for the purpose of providing legal advice. See, eg, In re Samsung Customer Data Security Breach Litigation, 2024 WL 3861330, at *14 (‘[T]he fact that Stroz did not provide any remediation services does not diminish the business purpose of the investigation it conducted.’); In re Capital One Consumer Data Security Breach Litigation, 2020 WL 3470261, at *4-5 (rejecting defendant’s argument that ‘Mandiant’s investigation would have focused on remediation’ if it was for a business purpose). The takeaway is that companies pursuing a dual-track strategy must take care to ensure that each track operates as an independent whole, that the non-privileged track actually produces factual findings, and that the privileged portion excludes recommendations.

Scope of distribution

Even where privilege or work product may attach, courts also consider whether the IR vendor report was shared widely with non-legal employees or otherwise disclosed to third parties, such as the Federal Bureau of Investigation (FBI). See, eg, In re Samsung Customer Data Security Breach Litigation, 2024 WL 3861330, at *14 (‘The breadth of Samsung’s involvement or participation in Stroz’s process and wide dissemination of the Stroz Analysis undermine[s] Samsung’s assertion that Stroz was only retained to provide technical interpretation for the benefit of [outside counsel].’); Guo Wengui v Clark Hill, PLC, 338 FRD at 13 (explaining that a report was unprotected because ‘Defendant also shared the report with the FBI’ and opining that ‘[t]he Report was probably shared this widely, as Plaintiffs persuasively argue, because it “was the one place where [Defendant] recorded the facts” of what had transpired.’). Courts may also consider broad dissemination to be more consistent with a business purpose than with litigation. For example, in upholding a magistrate judge’s order stripping work-product protection from a vendor report, the court in In re Capital One Consumer Data Security Breach Litigation explained that the report’s broad distribution underscored Capital One’s business needs for it, including that it was provided to approximately 50 employees, the company’s board of directors, regulators, and an accountant. 2020 WL 3470261, at *6 n6. Broad distribution of the report can also create waiver issues if, for example, an attorney-client privileged document is shared with a third party to whom the privilege does not extend, such as an insurer.

Once again, companies are in a bind. In the wake of an incident, there is often intense pressure from many different stakeholders to provide access to the IR vendor’s findings. Navigating this may require a multi-faceted approach. Before an incident, meetings can be held with relevant stakeholders to explain the risks inherent in sharing the IR vendor’s work product broadly within the organisation. During an incident, prudent messaging may assuage some stakeholders’ need to know every detail. ‘Tear sheets’ or executive summaries of the IR report may also be created, which allow the sharing, for example, of go-forward recommendations while preserving the underlying analysis of the IR vendor on issues of root cause, potential data exposure, and other findings core to the legal advice. Together, these alternatives may relieve some of the pressure stakeholders might put on obtaining the vendor report itself.

Takeaways

The way that post-incident cyber investigations are structured and managed can have critical downstream consequences for privilege and work-product disputes in litigation. While courts have increasingly chipped away at protections over vendor reports, companies can still take precautions to attempt to preserve them. In considering how to handle post-incident IR work, consider the following:

    • Who retained the vendor and for what purpose? Retention by legal counsel, particularly outside counsel, rather than the technology function is more likely to result in a finding of privilege.
    • What was the scope of the vendor’s services? IR services that differ meaningfully from services a cybersecurity vendor would provide in the ordinary course are more likely to merit protections. Ensure that the documented scope is focused on work necessary for counsel to assess legal obligations and respond to litigation. Remediation should not be part of that scope.
    • When was the vendor retained? Pre-incident retention for ordinary-course work may cut against a finding of privilege. If you decide to use the same vendor for proactive work as well as IR work, use separate agreements with different scopes of services.
    • To whom was the report distributed? Broader distribution, especially to business and technical teams, tends to weigh against a finding that a report merits protections.
    • Who paid the vendor? Payment by legal rather than the technology function is more likely to result in a finding that protections are merited.
    • Was there a parallel investigation for business continuity? Multi-track investigations, one by legal and one by the business or technology function, can be an effective path towards protecting the report created by the privileged track.
    • What were the contents of the report, and did it include go-forward remediation recommendations? The presence of remediation recommendations weighs against finding a report protected, but the absence of such recommendations is not necessarily sufficient to prove that a report does merit protections.
    • Was the report in a different form than it otherwise would have been if litigation was not anticipated or pending? In general, the closer a report adheres to legal concerns, especially those informed by actual or imminent litigation, the stronger any claim for protections will be.