The Legal Genie Podcast
This podcast, hosted by Lara Quie, explores the fascinating world of the legal ecosystem and the people within it. From rainmakers at global elite firms to trainees just starting to get their feet wet. From King’s Counsel, barristers, in-house counsel and the judiciary to legal tech innovators, pricing specialists, HR managers, business development and marketing professionals, legal headhunters and everyone else who is a mover and a shaker in this space. My goal is to help you see your world differently. What insights can you gain from hearing others share their experiences? What action can you take as a result? I hope that you enjoy the conversations.
Love from The Legal Genie x
Cyber Woman: A Lawyer’s Career on the Front Line of Cybersecurity with Joanne Elieli of Stephenson Harwood - Episode 53
In this episode of The Legal Genie Podcast, host Lara Quie is joined by Joanne Elieli, Partner at Stephenson Harwood and the firm’s Cyber Lead, for a wide ranging and highly practical conversation on cyber risk, data protection, and what lawyers really need to understand about modern cyber incidents.
Drawing on her extensive experience advising organisations during some of their most critical moments, Joanne takes listeners inside the reality of cyber breaches, from supply chain attacks and ransomware negotiations to AI driven phishing and deepfake fraud. She also shares candid insights into her career journey, her path to partnership, and why authenticity, mentorship, and diversity of thought matter in both law and cybersecurity.
This episode is essential listening for lawyers advising clients on risk, compliance, litigation, or crisis management, as well as those building careers in technology, data, and cyber law.
What You Will Learn:
- How cyber attacks actually unfold in practice, beyond the headlines
- The most common and most dangerous cyber threats facing organisations today
- Why supply chain attacks and business email compromise are on the rise
- How AI and deepfakes are changing the threat landscape for businesses and law firms
- Practical cybersecurity steps that even small businesses and startups must prioritise
- What good cyber readiness really looks like inside an organisation
- Why incident response plans should be tested, reviewed, and legally privileged
- How lawyers add value during cyber crises as trusted, calming advisers
- The role of human behaviour as the weakest and most critical security link
Also:
- If you liked this episode, please rate the show, and leave a review wherever you listen to your podcasts to help the Legal Genie reach a wider audience.
- Look out for the next episode coming soon.
You can connect with Lara Quie:
- On LinkedIn at https://www.linkedin.com/in/laraquie
- Website: The Legal Genie Podcast (buzzsprout.com)
Episode 53 with Joanne Elieli
Lara Quie: Hello and welcome to episode 53 of the Legal Genie Podcast with me, your host, Lara Quie, and today I'm delighted to have with me Joanne Elieli. Joanne is a partner in Stephenson Harwood's London office and is the firm's cyber lead specializing in complex cyber data and technology related disputes and investigations.
She has a wealth of experience in providing clients with strategic advice in relation to data breaches and cyber incidents, and in handling associated follow on litigation. In particular, she's regularly involved in defending claims brought in relation to alleged breaches or infringement of data protection laws.
In addition to her fee earning work, Joanne sits on the board of Advisors of Cyber London, a UK government backed cyber cluster, and she's also passionate about pro bono and DE&I. Welcome to the show, Joanne. It's great to have you here.
Joanne Elieli: Thank you very much and thank you very much for the kind introduction. It's almost as if I wrote it myself.
Lara Quie: So let's start with a little bit of background about yourself, your family, and where you grew up.
Joanne Elieli: Yeah, sure. Where to start? It's a big question. So I grew up in the north of England in a place called Preston in Lancashire. So very close to the border of the Lake District.
And actually I moved back not very far from there about seven years ago, shortly after I had my first daughter. So, I went to our local, primary school, local secondary in Preston. I went off to university in York when I was 18 and I studied modern languages and linguistics focusing on French and German.
Quite a long way away from law. And actually law hadn't really crossed my mind at that stage of my educational journey. It wasn't until much later on in my degree that I thought law might be something that I would want to explore. So I finished my degree. I spent a year in the south of France, which was a lovely time in Provence for 12 months.
And after that decided that I would start applying for training contracts. And the rest really went from there. I spent 11 years living in London and working for an American law firm in London. And I had my first daughter when I was a mid-level associate in 2017 and my second in 2019, and I moved back up to the north of England in between the two of them.
And so I've been living in Lancaster now for the last seven years, and I commute regularly from Lancaster to London every week. I spend three nights a week in London, and the rest of the time is in my family home in Lancaster with my husband and children.
Lara Quie: Amazing. Well, I think that's what made me reach out to you right at the very beginning of our relationship, because I also did French and German and linguistics.
Joanne Elieli: I remember. And then
Lara Quie: Yes, and then converted to law later on. So I think having languages has always been a big advantage, especially understanding a different culture, but also the way that the brain works. I think that when you learn a different language, your brain neurons connect in a different way, and it's very mind expanding.
Joanne Elieli: I think that's right. I really agree with you. And it's funny, I don't think I necessarily appreciated as much when I was going through my university studies, all of the different skills that I was acquiring during that time. So only now with the benefit of hindsight, I can really see that you know, everyone refers to them as soft skills, but actually most of the time I think they're some of the hardest skills.
But those soft skills that I was learning along the way, the ability to communicate across boundaries, whether that's language or culture, I think were really crucial skills for me to develop at such a young age. And it certainly helped me throughout my career as I've gone along now.
Lara Quie: Yeah. So you mentioned that you were at a US firm, but can you walk us through your very early career, your days as a junior lawyer and then becoming a partner at Stephenson Harwood?
Joanne Elieli: Yeah, of course. So I first did a vacation scheme when I was in my penultimate year of university, and I'd done a little bit of legal work experience in the run up to that. So I'd written letters to various barristers chambers in the north of England, see if I could go along and do some work experience.
And I did a couple of mini pupillages. I had a family member, an uncle who was a prosecutor for the CPS at the time and so he told me lots of stories, all about what went on in court and what the barristers would do and the solicitors would do. And so that really was the initial spark of interest for me hearing about that.
As I say, I did a couple of mini pupillages. I met a judge whilst I was on one of the mini pupillages who very kindly said I could go along and shadow him for a week afterwards. And so I did that and then I decided that I wanted to explore a bit more of the corporate side, the commercial side of law.
And so I applied for some vacation schemes and I did a couple of those in my penultimate year. One with a regional law firm and one with a US law firm. And really enjoyed the experience. I found it incredibly interesting and just the diversity of the work that was on offer really piqued my interest.
And so I applied for training contracts in, it must have been in the autumn term, I think of my final year of university and was fortunate enough to have interviews and was offered a couple of training contracts. And I ultimately chose to go with an American firm, which at the time was called Edwards Angell Palmer and Dodge.
It actually doesn't exist in London anymore now. It was the subject of a couple of mergers over the years within a couple of years of me having been there. I think when I was newly qualified, it became Edwards Wildman. And then when I was, I think, three years PQE, we had the really exciting time.
This was in January 2015 where most of the London office of Edwards Wildman, as it was then, resigned en masse and launched the new London office of what is now Cooley. And so at that point in time, it was the largest launch of the London office of a US law firm in the legal market's history in London.
So it was incredibly exciting. I think there were about fifty-five lawyers at that point in time. Then obviously once you had all the business support staff around that as well, it was much bigger. And so it was a really exciting venture to be a part of really, and obviously Cooley's gone from strength to strength since, and I stayed there right up until I moved to Stephenson Harwood 18 months ago.
So spent, you know, effectively all of my career working with the same group of lawyers in the litigation department across Edwards Angell Palmer and Dodge, Edwards Wildman and then Cooley. And so I'd spent, I think it was about 13, 13 and a half years working with the same group of people.
And I moved, I was a senior associate at Cooley, and I moved to make partner at Stephenson Harwood 18 months ago. So it's been an interesting period. Obviously, I had two children over the course of my associate life as well, and I did an 80% schedule, so a four day week for about two... 12, maybe maximum 18 months across that period as well.
So had experience both pre and post children and on a full-time and on a part-time schedule as well, which has been quite an interesting journey.
Lara Quie: Yeah. It does sound something that you really couldn't predict. I mean, joining one firm and then having all of these different things happen and then it becomes something completely different.
And so the different cultures of these firms. And then joining a much larger organization, obviously Cooley is very international, lots and lots of offices. So thinking about your current focus, you do disputes, but there's very much a focus on data breaches, data protection, and of course cybersecurity. Have you got any particular advice for young lawyers thinking of getting into those areas of law?
Joanne Elieli: Yeah, it's a really good question. It's one that we come across quite a lot. It's a really hot topic, I think for students, law students in particular who are wanting to get into that tech data protection cyber space at the moment, and I think there are a few really crucial things, some which I think are a given and others that perhaps might not be as obvious when you're at that really early stage in your career. I think the things that are a given from my perspective when I'm talking with junior lawyers or students who want to go on to become lawyers is to ensure that you have a really strong technical foundation.
I think understanding key concepts that are relevant to technology disputes, data protection to cyber-attacks are really crucial. So things, you know, being able to talk about how cyber-attacks happen, be able to have a good working knowledge of what the process of that might look like, the sort of losses that organizations might suffer as a result, but having, I think, a good working knowledge of key concepts like data anonymization, data encryption, network security, those sorts of things I think will stand you in really good stead as you're looking to go through your journey into getting a training contract and qualifying to become a lawyer in this area of law. And I think following industry news really goes hand in hand with having that strong technical foundation.
One of the things that I often say to people who are looking to get into this area of law is you don't need to have a subscription to the Financial Times. You don't have to read, you know, all of the business or the tech sections of the broadsheets. Instead, there are huge amounts of cyber blogs that you can follow that are totally free.
There are tech law blogs and obviously pages that you can subscribe to in order to get weekly, daily, monthly updates so you don't have to be shelling out money in order to be able to be gaining this industry expertise. There's so much out there now that you can take advantage of for free.
I think the things that perhaps might be less obvious to those who are wanting to get on this career track is how to try and gain some practical experience and I think often more students will think about things like moot clubs or debate socs and those sorts of activities, which are obviously brilliant to have.
But, you know, when I was at the University of York, for example, those clubs didn't exist. And I know that they don't across all universities, particularly if universities don't have a law faculty within the university. So one of the things I often recommend to people wanting to get more practical hands-on experience is actually to go and sit in your local county court and just sit in the public gallery and listen to what's going on. There is so much to be gleaned from watching the interactions between solicitors and their barrister, between clients and their solicitors, and then the barristers and the judge, and you can learn so much from just sitting and listening to openings or closings, or witness cross-examination or the delivery of expert testimony and I think that sort of experience is really second to none and, to my mind, is far more instructive than perhaps being a member of a debate society would be in terms of just learning how the litigation process works and the inner workings of the court system. It would give you an awful lot to talk about at an interview for a training contract if you didn't otherwise have any paid work experience.
Lara Quie: That's such a good point. I think ultimately, we sometimes forget that this is about the rule of law and what happens in practice. And the reality is that day in day out, people are going into courtrooms. People are there, whether they have a claim or they're defending a claim and what are all the different roles that everyone plays in the courtroom with the judge and all of the different people and you know, just really seeing what that looks like.
I suppose for most people the only exposure is TV dramas and films and things. I mean, the older people among us will remember Rumpole of the Bailey and various police procedural kind of shows, but I think that just really getting there to see the emotions in the room and see what happens, that's fundamental to the practice of law.
And often people don't actually get that exposure. So that's a really good idea. And I think what you said about thinking creatively about using sources of information, I mean, we are so lucky with the internet and with podcasts and with so much available now. I think there's really no excuse for young people not to arm themselves with so much information and exposure before those initial interviews, but thinking out of the box, making an effort as you say, going along to your local county court, just to have a look. Those galleries are public galleries and you have a right to go and have a look. So that's a really great tip.
When it comes to businesses facing cybersecurity threats, I mean, we're seeing so much of it in the news right now. Yeah. And I know that a lot of things might seem like really big and complicated, but ultimately, what are the sorts of threats that small businesses in particular are facing and what can they do about cybersecurity and data protection?
Joanne Elieli: Yeah, it's a good question and you are right. I think so much of what we see in the media and the sorts of news stories that make headline press is all to do with large international corporate entities, but there's a huge amount that's going on behind all of that. With startups, with small businesses, SMEs.
And it's one of the areas that Cyber London, which is the not-for-profit organization that I sit on the advisory board of, is doing a huge amount of work in respect of at the moment, although their efforts are focused predominantly in London as the name Cyber London may suggest. But there are these cyber clusters all over the UK focused on geographical locale, but there are lots, I think are very straightforward things that SMEs and startups can be doing to protect themselves, and I think there's a number of low hanging fruit that often go missed by these organizations. I think the first one from my perspective is to really make sure that your business has got multifactor authentication enabled.
So MFA. That really adds an extra layer of security to your emails, to your cloud services, to key business applications. And it's incredibly simple to set up. It's highly effective against account compromise, and it's something that we recommend all organizations and individuals in fact, should be setting up as a matter of course across their entity's systems.
I think the second one again, and it's really easy to overlook, I don't know about you, Lara, but you know I'm quite guilty for overlooking the reminders that I get on my Apple iPhone, for example, to upgrade my software. And it lets me know that there's a system update that needs to be installed and I can be guilty as the next person for sitting on that for a couple of weeks until you get around to doing it. But actually keeping your software updated is really important. You know, regularly updating operating systems, applications, if you've got antivirus software, keeping that updated as well, and enable automatic updates where possible to run in the background so that you are always patching security vulnerabilities, I think is just those two things alone are just incredibly simple things that I think all organizations should be doing on a day to day basis.
But then on the more I suppose proactive basis, my final tip would be to really back up your data regularly. If you don't have scheduled automatic backups of important files to a secure cloud environment or some sort of external drive, then I really strongly recommend that small businesses do that as a matter of priority.
But above that is to test your backups to make sure that your data can be restored if it needs to be at a later date. It's all well and good having this data all sat somewhere and it being incredibly well protected. But when push comes to shove, if you can't access it easily or quickly then it really undermines the premise of even having a backup in the first place.
So those are probably my three key aspects from a very practical perspective but looking at it from a human-centred approach as well, I think training your employees if you have them, training yourself, if you're a sole trader or you're the founder of a startup. I think on matters related to cyber hygiene is really important.
You know, they don't have to be long-winded, you know, weekly exercise sessions, you can really just run very short practical training sessions. And the primary thing that you're going to want to train your employees on is going to be things like safe internet use. And I'd probably say the biggest one is, being able to spot phishing emails.
You know, reminding your staff not to click suspicious links or to download unknown attachments. Those quite basic aspects that really, you know, all of us can be susceptible to, and it's interesting because I had a client quite recently who was telling me about a not particularly sophisticated phishing attack that had happened, but one that was incredibly effective, where the bad actor had targeted all of the individuals that were on their website that wore glasses.
So they'd looked at all of the profile pictures of everyone on their website, and they'd spotted everyone that wore glasses and they'd sent them an email that told them that their contact lens prescription or their daily contact lens package was ready to be collected. And you had to click this link in order to schedule your time to collect it or to have it delivered, whatever it was.
And the volume of people that clicked that was far beyond what had been expected, and unfortunately, they had the appropriate systems in place that they were able to mitigate the effects of that. But I think from memory it was something like 50% of the individuals that had been sent this email actually clicked through because most glasses wearers do wear contact lenses as well.
And sure enough, I probably thought, oh, this sounds about right. I'm ready to pick up my prescription and so they clicked through. And so I think training your staff on those sorts of emails and just making sure that you're double checking the details of them. And, you know, we all have tired days.
We all have days where we're not as on the ball as we might think we are. And it's quite easy to click through those things. So that would be my top tip from a human centred perspective.
Lara Quie: I think it's interesting that often the human is the weakest link when it comes to cybersecurity.
Joanne Elieli: It nearly always is. There's another incident actually, which made me laugh quite recently because I thought it appealed to you know, the I suppose the want in all of us to be recognized for our achievements because there was a phishing attack that I know was pushed out quite broadly across a number of organizations.
But it was telling people that they'd been nominated for an award and that they had to click through this link in order to confirm that they would like to be shortlisted as a finalist. Now, who doesn't love to get an email like that says, congratulations, you're so amazing at your job that one of your colleagues has shortlisted you, and everyone's so flattered by it.
I mean, the temptation to click that link must be quite something. And so I know that was a phishing attack that affected quite a number of people. I think it was the summer before last, so that's another one that I think, you know, perhaps it appealed more to people's pride and their ego than maybe the contact lens subscription did.
Lara Quie: I can imagine that currently it is ranking season and people are being bombarded by, congratulations on your Legal 500 or Chambers ranking, and you'd just be so used to receiving all of those that it sort of might just pass through, you wouldn't notice. But I think you just absolutely have to be on your guard at all times.
It is definitely one of those things, especially as lawyers, you know, who are already highly sceptical. We need to say yes, be sceptical, examine every single sender, hover your mouse over the email address just to check that it really is who you think it's from, just to be sure. So there have definitely been some trends in some of the attacks and cyber incidents that we've seen. What would you say are their most challenging features at the moment?
Joanne Elieli: I think this is a really good question and there are two that I think are worth us touching on from my perspective. The first is supply chain attacks, and the second we've already touched on really is this business email compromise.
And the reason I mentioned supply chain attacks is because they've featured so heavily in what we've all been reading about over the summer with a number of attacks on the retail sector in this country. And what we are really seeing is a trend towards hackers targeting software vendors or service providers to try and compromise multiple organizations at once.
And you know we've seen this in a number of incidents and I'm not going to name individual companies by name today, because I don't think that's the proper thing to do, but there's obviously been a number that have been reported in the news. There's also a large number that haven't been reported in the news because although they might not be household names that would be meaningful to consumers or to your average homeowner.
But there have been some big incidents that have happened over the course of the last six months that have had wide reaching impact for those people who operate within certain sectors. And the HR sector has been affected quite heavily over the last six months. There've been a couple of big breaches impacting organizations that operate in that space, and I think this is a real challenge for both businesses small and large, because it's very rare to have an organization that doesn't have third party contracts, that doesn't have trusted suppliers or vendors. It does make those detection and prevention activities that we've talked about in the context of small businesses much more complex, particularly where you've got a large number of trusted third parties that you rely on to operate your organization.
And so trying to put in place very strong contractual provisions and obligations with those third parties I think are really important. But we are seeing hackers really try and exploit those supply chains as a means to gain entry to either a large number of organizations or a particularly secure organization where perhaps they have got less secure third parties that hackers perceive as being more capable of accessing them through.
The second then is this business email compromise. And I think the trend that we're seeing in relation to business email compromise attacks is this use of social engineering now to really try and trick employees into sending, whether it's financial information or actual funds themselves, or sensitive data by impersonating executives or vendors.
And historically, we used to see that solely through the means of emails being sent by way of a spoofed email address. And, as you quite rightly said before, the only real way to figure that out is to hover your mouse over individuals' names. But now what we're seeing and the challenge that we're seeing organizations face is, you know, that these attacks are not just really specific.
They're being very highly targeted. They're often bypassing technical defences. They rely on human error. But the real challenge is that we're seeing threat actors now deploying things like deep fakes and AI to really augment the sophistication of these attacks. And so, you know, we're seeing things like cyber criminals using AI to create very convincingly fake audio or video messaging for the purposes of fraud or disinformation. And it's becoming so much more difficult to be able to verify the authenticity of these faked voicemails or telephone calls or videos.
And I think, in a corporate environment, the traditional security tools that organizations have probably relied on to try and weed out those fake emails is not as sophisticated as we might like in weeding out those threats that are coming from an audio or from a video channel perspective. So I really see that as being the new frontier that we're needing to fight from a cyber perspective, you know, as we've just mentioned, the human element to these things mean that the more under pressure you are, the busier your day is, the greater the volume of calls or videos or emails that you get as an individual, the more likely it is that these things will slip through the net. And so it's becoming a real challenge for corporates to be able to manage these sorts of attacks at the moment.
Lara Quie: I think you are absolutely right. It's about the fact that these bad actors are within the walls of your organization in terms of they can use Teams to dial in and you think that it's your colleague, but no, when you click the threat actor comes on in the form of a deep fake and therefore it is really difficult because as you say, the social engineering aspects, the level of their knowledge, the way that they leverage AI to gain inside information and incredible amounts of data that has you convinced that's the right person, you know, that really is your colleague.
Although their request is a little unusual, you're thinking, sure, but it's got to be them because they've just called me on Teams. It's so sophisticated it has to be real. But I think there can be some way that you can check. So you can have say, passwords or ways of verifying. Have you got any advice on what sort of thing that somebody could do?
They've received a Teams call, they're a little suspicious. What are the kind of questions they should ask to authenticate?
Joanne Elieli: Yeah, really good question. And actually we are starting to see some clients of ours in their accounting departments create code words so that if a request is coming in, that feels even just slightly off to them, they will put the phone down, they will call back.
They will make the call themselves. And this is often what we recommend to clients to do in these situations is if you have received an incoming call that you think sounds a little bit unusual is to actually end that call and for you to say, let me call you back, and so that then you are using your own means and you are using that telephone number.
It's much more likely that the threat actor is calling you off a number that is unrelated to the actual individual that you believe you are speaking to. And so if you've got any shadow of a doubt about the authenticity of the call, end that call, call it back on a clear line and see if the person that you believed you were talking to knows about the conversation in the first instance.
But also this introduction of code words, passwords, safe words, however you want to coin them. Coming up with those so that if you've got any doubt about it, then you should be able to issue this. The only caveat to that is obviously to make sure that you then aren't saving those safe words or those code words in a place that if you were to have somebody infiltrate your network, they would then know, because we've seen this, not quite in this situation, but I've seen it in another situation before where a client of ours has had a bad actor infiltrate their systems and they encrypted all of the data on the network and made a ransom request for the decryption of the data and its safe return with the promise that it wouldn't be published, you know, in a public forum. And the amount of the ransom that they'd requested at the time, we thought, was pretty reasonable, you know, fell within the bounds of what the organization would've been willing to pay. And within about 24 hours, the request for the amount of the ransom had increased tenfold. And that was because the bad actor was within the system. And what they had seen was a number of the C-suite executives attempting to access a folder.
And that folder contained the insurance policy documents for the organization. And so the bad actor then was able to follow that through, came across the policy documentation, discovered that they had insurance in place that actually was to the value of ten times the original request for the ransom. So what did the bad actor do?
They upped the request by ten times. And so you find yourself in a situation where you've inadvertently led the third party who's infiltrated your systems to the place where you really didn't want them to go. And so I suppose it's being alive to that fact, if you've got a series of whether it's complex passwords or not, is to save them somewhere that is off the network so that if anybody needs to access those passwords, those code words, in order to be able to authenticate a request for a payment or a request for exchange of data.
You're not inadvertently leading anyone else who may have infiltrated your systems to that place as well, so that they can deploy those code words in a way that's malicious. But it's, trying to put those thoughtful processes in place, but then also have the practical provisions associated with it that mean you aren't inadvertently hindering your own efforts in the long term.
Lara Quie: Yes, I've certainly heard of instances where executives are chatting away on Teams, not really conscious of the fact that the bad actors are monitoring every single conversation. So it is probably wise, therefore, to have a WhatsApp chat or an offline solution where people can communicate as a group, but that isn't within the local system that the threat actor could infiltrate.
Cyber readiness aspects are very broad. A lot of people are not really considering things like that when the emergency happens, all the things that actually you could have prepared in advance, such as having a different communication channel and knowing exactly who the decision makers are, who are in each of the teams, what the responsibilities are. So tell me a bit about cyber readiness and the kind of things that you think organizations should think of to prepare.
Joanne Elieli: So the big one for me is having an incident response plan in place. And if there are any of my clients that are listening to this podcast, they will be sick of the sound of me saying this because it's something that I really bang the drum about on a very regular basis, is not just to have one, but to test it.
And two, review it and revise it anytime you have an important structural change within your organization. We generally advise clients to review it and to test their incident response plan on an annual basis. But actually, if you've had an organizational restructure, if you've had, you know, someone within your executive team change roles within the twelve months, it's always worth revisiting it, refreshing people's memories on it.
The difference between having a good incident response plan and having a bad one or not having one at all is night and day when it comes to an organization's ability to react quickly and efficiently in respect to a crisis. And I really can't emphasize enough just how important it is to keep on stress testing those.
And so that's something that we talk about a lot with our clients. One of the really interesting things associated with incident response plans, and it's often a point that's really overlooked. And so again I'm often out banging the drum in respect of this, is to really involve your legal team. Now in the UK, that can be your in-house legal team, or it can be external legal counsel.
But in Europe, generally it should be external legal counsel. And the reason I say that is because having the benefit of privilege apply over your incident response plan can be a really meaningful addition if you were to experience an incident and there were to be a regulatory investigation or regulatory inquiries, or even follow on litigation arising from that incident because if you have had your legal team involved from the outset, then you should be able to claim privilege over that document.
Now, you might not want to. You know, in an ideal world, your incident response plan will be so all singing, all dancing, that you'd be delighted to disclose it to a regulator or disclose it in the course of litigation to show how prepared you were and to show what great organizational security measures you did have in place.
But if for any reason, there were discovered retrospectively with the benefit of hindsight to be holes or weaknesses in that incident response plan, then you may well want to deploy legal privilege over that to avoid you having to disclose it and establishing liability potentially for any data subjects or for any third parties that might try and bring a claim against you.
So we really recommend that our clients engage with either their in-house legal team or their external legal counsel as appropriate in the preparation of those incident response plans, so that you've got that banner of legal privilege applying to it should you wish to deploy that at some point in the future.
Obviously, if you don't do it, you can never seek to deploy it, whereas if you do have it, at least you've got the option to choose whether or not to claim that later down the line. But that's, that's the really big one from my perspective, and I think it's crucial to get technical teams and legal teams working in unison.
I'm a big believer in collaboration between technical and legal. There are points that your technical teams, internal or external will spot that, you know, your lawyers just won't. We are coming at it from totally different perspectives and I think combining those two perspectives into one document is really important.
And even better if you can get the input of a communications team or your PR team in that as well, because those, for me, are really the three crucial elements when putting together any good crisis management plan or incident response plan is to have those three buckets covered off from the outset rather than trying to firefight it in real time as and when a crisis occurs.
Lara Quie: Yeah, I think that's a really good summary of how businesses can prepare. And the point on privilege is an important one because I think, you can lock into privilege if you're thoughtful and you prepare for it, and sometimes lots of things can happen before legal advice is sought and you can lose some valuable protections if you do that.
So being organized and prepared is so important and having that policy, as you say, really well thought out and people trained on how to use it and printed copies available. It's also, yes, preferably laminated a good idea. The number of times, big time,
Joanne Elieli: The sticky back plastic.
Lara Quie: Well, exactly. But it's that hard copy, of your insurance policy if you have it because I think so many people would go to their computer to get hold of these documents. And obviously in those situations where the data has been compromised and obviously that's pretty difficult. You must have some really great stories about cyber incidents. Are there some interesting ones that you could share?
Joanne Elieli: Yes, and I'll have to be careful that I don't obviously share any names. But yeah, the one that I told you about in terms of the insurance policy is one that really sticks out in my mind. Because I just thought the ingenuity of the threat actor there in actually being able to find what the maximum amount of ransom payment they might achieve, I just thought was very sophisticated.
In terms of other things that have been quite interesting, there was one that I worked on that will be going back a few years now and it was probably the most complicated breach that I've ever worked on, and it lives in my mind mostly because it was one of the most stressful periods that I'd had when we were engaged in a breach like this. But we were acting for a very large charity that had been impacted by a data breach that had impacted its cloud provider.
And what had happened was that very sensitive personal data relating to a number of vulnerable children had been impacted. And there were children located in almost every jurisdiction across the globe. For me, I think one of the reasons why that one was so interesting and, I say that purely from a legal perspective because obviously it, it was a really terrible incident that affected a huge number of very vulnerable children.
I think we're talking about 200,000 children in total. But the reason why it was so interesting from a legal perspective was us trying to figure out how it was that we could fulfil our client's duty to notify those individuals. We'd reported to the data protection authority in this jurisdiction and in other jurisdictions as well.
So that bit was relatively straightforward, but the challenge we had was that so many of the impacted data subjects were minors and they were located in really remote jurisdictions across the globe with no obvious means of being able to communicate with them. But the nature of the data that had been impacted included things like geolocations of these children, very detailed information around their health history, their family history, medical data, all of those sorts of things. And so in the hands, we knew this data was on the dark web, and so in the hands of a bad actor or in the hands of a criminal, they could have really divulged a lot of information to these children to create a sense of safety or a sense of security, and potentially really abused that trust as a result.
So we had to think really carefully about how we notify these children in a way that doesn't cause more alarm than it cured as a result of that notification. And some of them were in such remote communities that email wasn't an option, and some of them, you know, post was delivered by hand once a month.
And so it was a real challenge from our perspective to be able to come up with a way that was proportionate but meaningful to all of these individuals because we were certain that in some of these jurisdictions, us trying to explain to them what the GDPR was and how there'd been a breach of it would be absolutely meaningless and could quite possibly cause more distress than it resolved.
And so we had to take a number of very tailored approaches depending on different geographical locations on the nature of different communities. And I've never worked on a breach before or since that was quite as complicated as that. But it was just such a unique set of circumstances. And I suppose for me, it's one of the things that I really love about working on these sorts of matters is that it's so rare that you have any breach that is the same.
You can be going from something like that in one situation where, you know, you're talking about very vulnerable children in very far-flung locations to talking about, you know, huge corporate entities where the threat actor not only is holding the data of the company ransom, which is a case that I worked on a couple of years ago, but was also separately, and we didn't discover this until some weeks later, but was also separately blackmailing the CEO of the organization because they'd hacked his personal data as well as the company's and found information that they believed the CEO would not want to be made public either to his family or to the, you know, the wider mainstream press.
Joanne Elieli: And so they were blackmailing him to try and get him to authorize the payment of the ransom via the company's funds. And so that was a really, again, another really interesting one, and I haven't worked on a matter before or since that's had that same fact pattern where an individual's personal circumstances were being leveraged and also held ransom with a view to trying to get the corporate entity to make payment over ransomware payment.
So that's another one that I think is probably quite high up there on the list of unique circumstances and I don't know whether that's something that, you know, your team has come across in FTI, Lara, but for me that was a new one and that was one that required quite a lot of sensitive handling.
Lara Quie: It does sound very complicated and as you say, sensitive and you had to be very mindful of how complicated this was. It sounds like you really enjoy your job but at the same time, you know, you are fighting really serious criminal gangs. Have you ever worried about your personal safety or anything to do with this arena that is actually, it's quite dark in some aspects.
Joanne Elieli: Yeah, you are right. And it can be. I often feel as legal counsel, we are almost one step removed from that frontline. And I think, you know, the work that the police do in the furtherance of pursuing cybercrime is really phenomenal. You know, the sort of investigative work that the IT forensic teams do on the cybersecurity side as well, from my perspective is just technically incredible. It's, you know, beyond my capabilities, far beyond my capabilities from an IT technical perspective, and so often I see those individuals as being, you know, really on the frontline in terms of fighting cybercrime. You know, the IT teams that are really trying to put stringent defences in place to stop bad actors getting into the house at all.
I suppose our role in lots of ways, we help our clients obviously to be more cyber resilient and to be more cyber prepared, but often that's from a compliance perspective, rather than from a pure technical, organizational, and security measures perspective, although we do support clients with that in conjunction with technical teams as well, our role tends to be more in the background.
I see it until such time as a data breach has actually happened, and then that tends to be the point at which we move more into the foreground. Even in that situation, as I said before, we're often working as part of a much broader crisis response team where there's IT, there's obviously legal, there's PR, communications teams, there's digital forensics, so.
Again, even in that situation, although we might be advising the client, we're often not in direct contact even where there's a ransom request being made. Often that work is given to specialist negotiators who really do that sort of work day in, day out. I certainly haven't personally negotiated a ransom payment with a bad actor.
My role is always one step removed from that. So whilst we do witness a lot of the darker side of the internet and technology and cybersecurity. I often don't feel as though I'm, you know, in really at the forefront of it from a realistic perspective that I do from a legal standpoint, but I think that's quite a different beast.
And so for me, I get a real enjoyment in being that trusted advisor in these situations, and particularly when clients of ours have had a cyber-attack or some sort of data incident. For most of our clients, this will be one of the worst days of their professional career. And there is a real sort of privilege in some respects of being able to be brought in and to be that voice of calm on what is for most people, often the worst day of their career.
And so it's not a responsibility that I take lightly because I think, you know, to be able to come in and instil a sense of confidence in your clients and to let them know that for the most part, this isn't even the worst sort of attack that we've seen perhaps this year, I think can give clients a lot of comfort and it also feels like a real privilege for me to be able to come in and adopt that role and really help them guide the client and the wider business through this really stressful experience and have them draw on the expertise of me and my team to give them that confidence that we'll get through it and we'll minimize the impact as much as possible. So that's the joy that I suppose I extract from these situations. Notwithstanding that it obviously is an incredibly stressful time for anyone who's experiencing it.
Lara Quie: Definitely is. And I think having, as you say, a cool head and loads of experience in that area, to be able to reassure your clients and talk them through all the different steps that they need to take in order to minimize the consequences.
I think that's really important. And as you said, the trusted advisor, ultimately that's what every lawyer should aspire to be. It's that reassuring voice and the person that they can reach out to when things go wrong. It's so important. And yes, I mean, at FTI, obviously we do have people who do the ransom negotiations.
We've got a lot of former law enforcement and former regulators within the team. And I think those kind of aspects of the work is genuinely, as you say, really frontline and probably quite stressful when you think of dealing directly with these threat actors and the consequences as well of what happens with those negotiations, et cetera.
So it's definitely a really exciting area to be involved in and such a modern area. I mean, obviously cybersecurity is going from strength to strength in terms of how we can leverage AI as well to strengthen defences. But at the same time, AI is being used to get round defences by the bad guys.
So, you've got pros and cons of all of this but I think it's really interesting and I think it's amazing to see women involved in this as well, because I think generally computer science and cybersecurity tend to be quite male dominated areas, but there are quite a number of female cybersecurity lawyers and it's really heartening to see that.
And we talked about the fact that you're very passionate about DE&I and the advancement of women as well in the roles. What are your thoughts on DE&I and women in cybersecurity?
Joanne Elieli: Yeah. Good question. It is a tricky, it's a tricky subject to talk about at times.
I mean, you know, the legal profession as well as the cybersecurity industry is still quite male dominated industries. I would say cybersecurity more so than the legal profession, just based on my experience on a personal perspective. But it is brilliant now to see so many more women coming through the ranks and taking those senior leadership positions within the cybersecurity space.
You know, like you quite rightly say there are a number of women, particularly women partners in law firms now that are doing this sort of work. And I love it and I'm a huge cheerleader for anyone who's in this role as a woman because I think it's such an exciting space to be in.
And I think it's one that traditionally has been very male dominated. And so I think any opportunity that we've got to support each other and lift each other up should be celebrated. But in terms of, you know, how to support young women lawyers coming through into the cyber and legal space, I'm a big believer in mentorship and sponsorship. I think the two have to go hand in hand. It's all well and good having a mentor that, you know, talks to you behind closed doors and tells you the things that you should be doing. But I actually think it's really incredibly important for junior women to have a sponsor within their firm as well that talks about them when they're not in the room.
And that's something that I try and do for my associates. And you know, I've been very fortunate that at various stages in my career, I've had people that have done that for me, and I think it's not always easy to create those relationships. It's not always easy to find your network of people.
And I think one of the things I probably fell victim to when I was a junior lawyer was trying to portray a version of myself that I thought was how I should behave as a junior lawyer, as a junior woman in the legal industry, and I don't think that I was always authentically myself when I was in my earlier years.
I think I presented a much more formal view of myself for fear of being seen as being too casual or too, I suppose, you know perhaps not as serious as one would expect a lawyer to be at the sort of firm that I was at. And actually, one of the things I've learned as I've got more senior and more experienced is actually clients expect obviously a level of academia, they expect a level of legal knowledge, but what actually makes the difference in my view between being instructed and not being instructed on matters is how amenable you are to working with your client. How flexible you are. Clients like you to be authentic.
They want to see your personality. You know, they don't just want to work with a robot. If they did, you know, I'm sure AI would have a greater hold than it does already. You know, they want that personable approach. They want you to remember the names of their children or their favourite hobbies, and have that chitchat at the beginning of a call.
And so one of the things that I promised myself when I made partner, and one of the things that I'm trying to follow through with now that I'm in a position where I'm creating a team at Stephenson Harwood, is to really try and lead with authenticity. And so the associates that I work with, for better or for worse, you know they get my personality all the time and I think that's something that I'd really encourage more junior lawyers to be like, because I know obviously there's confines that you need to operate within. We're all in a professional environment after all. But I do think that, you know, bringing your sense of humour and bringing your authenticity into the office can only be a good thing. And I'm a big believer, you know, we talk about diversity.
I'm a big believer, not just in diversity from, you know, the traditional gender and ethnic perspectives, but also very much from a diversity of thought perspective because our clients don't want a yes man or a yes woman. You know, they want people who are going to challenge their thinking. And yes, I may well have 15 years of legal experience behind me, but if I have an NQ who comes at a challenge from a different perspective than the way I would do. Just because they don't have the same amount of experience doesn't mean that their way of thinking about things is better or worse. It's just different. And actually, I'm a big believer in having those conversations and thrashing things out from a, an academic debate perspective, stress testing our thinking.
And I want people to stress test my thinking as much as I do theirs as well. And so I think the diversity of thought piece is really important. And so if I was able to give advice to anybody at a junior level, which is share your thoughts, you know, and be yourself. Those would be my kind of two big things that I'd encourage anyone starting out in their career to try and do as much as possible.
Lara Quie: Thanks so much Joanne. I think sharing about your struggle with being yourself and eventually coming through to being more authentic is really reassuring to younger people that, you know, it is a journey and it's not always easy to be oneself, as you say, when you are in a very professional profession especially as a legal advisor.
That sort of buttoned up look, used to really carry some weight but I think especially after COVID, people are embracing authenticity. And as you say, clients are very keen to work with people with whom they have a genuine connection and an affinity. And who are affable, easy-going, good to work with.
So you can be that trusted advisor if you're on the same wavelength. So I think we should round up here. I've got thousands of other questions, but I know we have a limited time in this podcast. So if someone listening would like to get in touch with you what's the best way for them to reach out?
Joanne Elieli: So probably LinkedIn. I do enjoy using LinkedIn. I know you do too, Lara. And so I do check my messages regularly. I am, as far as I know, the only Joanne Elieli on LinkedIn. And so if you want to look me up and connect and start a conversation, I'm more than happy to do that. I know that our relationship started out through a LinkedIn connection originally and so it's a real testament, I think, to the power of connections on LinkedIn and the friendships and professional relationships that can develop from that. So if anybody wants to connect with me and reach out, please do feel free to do so.
Lara Quie: Brilliant. Thanks so much for your time today, Joanne. Thank you.
Joanne Elieli: My pleasure. Thank you for having me.