Cross-Examined

Episode Title:Cyber incident fallout: What happens when the proverbial bits hit the fan?Episode Summary:When a cyber breach strikes, the technical problems are only the beginning. In this episode, we examine cyber incident fallout and what really happens inside a law firm once an attack is discovered. From regulatory obligations to client conversations and reputational risk, this discussion unpacks the hard realities lawyers face in the aftermath of a breach.Guest:• Cameron Whittfield, Partner, Herbert Smith Freehills Kramer• Specialist in cybersecurity, information security and emerging technology law• Market-leading adviser on major cyber incident response across Australia• www.linkedin.com/company/herbert-smith-freehills• www.hsfkramer.com/our-people/c/cameron-whittfieldHost:• Jayne Gurton, Law Institute of Victoria• [email protected] | https://www.linkedin.com/company/law-institute-of-victoriaEpisode Overview:Cyber incidents are no longer rare occurrences for law firms, but an inevitable eventuality with long-lasting consequences. This episode focuses on cyber incident fallout and the legal and human challenges that follow a breach. Cameron Whittfield explains what those first chaotic hours in the aftermath of a cyber incident look like, why early decisions on communications and privilege are so difficult to undo, and what regulatory obligations such as the Notifiable Data Breaches scheme need to be planned for and actioned. .This discussion offers practical insights into post breach response and communication, stakeholder relationships and performing under pressure during a crisis. Listeners will learn why preparation matters even more than technology spend and how reputations are shaped by what happens in the aftermath of a breach as much as the breach itself.Topics & Timestamps:• 01:34 The first call – what it feels like when a breach is first discovered• 05:15 Bringing calm and structure to the first 48 hours• 07:16 The human impact inside a firm during a cyber crisis• 09:31 Where responses go wrong and why communication matters• 12:48 Client conversations and professional obligations after a breach• 14:42 Common mistakes firms keep repeating• 29:50 What good preparation looks likeKey Takeaways:• The first 48 hours after a cyber incident shape legal, regulatory and reputational outcomes for years• Early communications decisions cannot be undone and require careful judgment• Blame cultures undermine effective crisis response and information sharing• Legal professional privilege must be managed carefully without blocking response efforts• Client trust depends on transparency, process and timing after a breach• Preparation and planning matter more than the size of a firm’s IT budgetResources & Links:• LIV Cybersecurity Hub – Practical guidance and resources for Victorian legal practitioners | http://www.liv.asn.au/cybersecurityhub • LIJ: Cyber risk and law firms – Analysis of cyber security obligations for legal practices | https://www.liv.asn.au/web/law_institute_journal_and_news/web/lij/year/2025/02february/law_firms_and_cyber_risk.aspx • Office of the Australian Information Commissioner – Notifiable Data Breaches scheme overview | https://www.oaic.gov.au/privacy/notifiable-data-breaches • Australian Cyber Security Centre – Cyber security guidance for professional services firms | https://www.cyber.gov.au • Privacy Act 1988 (Cth) – Legislative framework governing data breaches | http://www.legislation.gov.au/C2004A03712/latest/text• Herbert Smith Freehills Kramer Cybersecurity Practice – Insight into cyber incident response | https://www.hsfkramer.com/insights/2023-06/surging-cyber-incidents-regulatory-activity-and-class-claims-in-australia About This Podcast:Cross-Examined is a new podcast from the Law Institute of Victoria. Tune in to hear experts discuss hot topics in the law and the changes shaping the legal profession. Regular episodes will cover everything from AI and cyber threats to ethical dilemmas, workplace taboos and practice management insights.This podcast is recorded on the traditional lands of the Wurundjeri people of the Kulin Nation. The Law Institute of Victoria acknowledges the Traditional Custodians of Country across Australia. We pay our respects to Elders past and present.Disclaimer:This podcast is for informational purposes only and is not intended to replace professional legal advice. The views expressed in this podcast do not necessarily reflect the views of the Law Institute of Victoria (LIV). The LIV is not responsible for any losses, damages or liabilities that may arise from the use of this podcast. Listeners should seek independent legal advice for their matters.Production Information:• Produced by: The Law Institute of Victoria• Producer and audio editor: Garreth Hanley• Music: Garreth Hanley• Copy and show notes: Louise SuretteConnect With Us:Email: [email protected]: https://liv.asn.au LinkedIn: https://www.linkedin.com/company/law-institute-of-victoriaApple Podcasts: https://podcasts.apple.com/au/podcast/cross-examined/id1858765728Spotify: https://open.spotify.com/show/0zvyk5xia4wYv9YWcXphgVMentioned in this episode:2026 Legal Forum advertLegal Forum 2026: Discover the forum where lawyers come to connect, be inspired and stay ahead. The Law Institute of Victoria’s flagship, full-day conference brings ideas, leading experts and the profession together to learn, connect and shape the future of legal practice. Wednesday 10 June | Pullman Melbourne on the Park | https://www.liv.asn.au/legalforum

Episode Summary:Many law firms make a heavy investment in cybersecurity tech, and yet attackers can simply walk straight through their front door. This episode exposes how ethical (and criminal) hackers think and act, revealing why human trust and everyday routines are often a real vulnerability attackers’ exploit. This episode pulls back the curtain on penetration testing, and the white hat hackers who help firms fix weaknesses before criminals can exploit them.Guest:• James Thompson, Director, principal cybersecurity consultant and penetration tester, Malware Security• More than 20 years’ experience testing government, defence and critical infrastructure networks• Specialist in offensive security, social engineering and red team engagements• www.linkedin.com/in/cyberjt• www.malsec.com.au Host:• Jayne Gurton, Law Institute of Victoria• [email protected] | https://www.linkedin.com/company/law-institute-of-victoriaEpisode Overview:Securing a law firm from cyber attacks must take into account not just technology, but the physical environment as well. In this episode, penetration testing expert James Thompson explains what really happens when an organisation hires a pen tester and how cyber breaches can come through the front door as well as a link in an email. The discussion unpacks penetration testing, red team engagements and social engineering attacks, with practical examples from professional services environments. Listeners will learn how ethical hackers exploit human behaviour, why organisations often fall within minutes of an initial breach and what law firms can do right now to reduce their attack surface. Topics & Timestamps:• 02:04 What is penetration testing• 04:40 Common vulnerabilities in office environments• 08:49 Real-world social engineering scenarios• 11:14 What happens after initial network access• 13:48 Practical steps firms can take immediately• 15:20 Choosing a penetration testing provider• 17:20 Emerging cyberthreats and AI-enabled attacksKey Takeaways:• Penetration testing combines technical skill with human manipulation to mirror real cyber attacks• Front desks, unlocked doors and helpful staff are common breach points• Many organisations are compromised within 15 to 30 minutes of initial access• Multi-factor authentication and reducing attack surface significantly raise the barrier• Not all vendors offering pen tests deliver genuine human-led testing• Regular testing and staff awareness are essential parts of cyber risk managementResources & Links:• Law Institute of Victoria cyber security resources – Practical guidance for legal practices | https://www.liv.asn.au/web/resource_knowledge_centre/cybersecurity-hub/web/content/resource_knowledge_centre/cybersecurity-hub.aspx • Law Institute Journal – Cyber risk and legal practice coverage | https://www.liv.asn.au/web/law_institute_journal_and_news/web/lij/year/2025/02february/law_firms_and_cyber_risk.aspx | https://www.liv.asn.au/web/search_results_page.aspx?search=cyber• Australian Cyber Security Centre – Guidance for professional services | https://www.cyber.gov.au• Malware Security – Penetration testing and red team services | https://malsec.com.au• Australian Signals Directorate Essential Eight – Baseline cyber security controls | https://www.cyber.gov.au/resources-business-and-government/essential-cybersecurity/essential-eightAbout This PodcastCross-Examined is a new podcast from the Law Institute of Victoria. Tune in to hear experts discuss hot topics in the law and the changes shaping the legal profession. Regular episodes will cover everything from AI and cyber threats to ethical dilemmas, workplace taboos and practice management insights.This podcast is recorded on the traditional lands of the Wurundjeri people of the Kulin Nation. The Law Institute of Victoria acknowledges the Traditional Custodians of Country across Australia. We pay our respects to Elders past and present.DisclaimerThis podcast is for informational purposes only and is not intended to replace professional legal advice. The views expressed in this podcast do not necessarily reflect the views of the Law Institute of Victoria (LIV). The LIV is not responsible for any losses, damages or liabilities that may arise from the use of this podcast. Listeners should seek independent legal advice for their matters.Production Information• Produced by: The Law Institute of Victoria• Producer and audio editor: Garreth Hanley• Music: Garreth Hanley• Copy and show notes: Louise SuretteConnect With UsEmail: [email protected]: https://liv.asn.auLinkedIn: https://www.linkedin.com/company/law-institute-of-victoriaApple Podcasts: https://podcasts.apple.com/au/podcast/cross-examined/id1858765728Spotify: https://open.spotify.com/show/0zvyk5xia4wYv9YWcXphgVMentioned in this episode:2026 Legal Forum advertLegal Forum 2026: Discover the forum where lawyers come to connect, be inspired and stay ahead. The Law Institute of Victoria’s flagship, full-day conference brings ideas, leading experts and the profession together to learn, connect and shape the future of legal practice. Wednesday 10 June | Pullman Melbourne on the Park | https://www.liv.asn.au/legalforum

Episode Summary:Victorian lawyers are now being held to a minimum cybersecurity standard, and failure can lead to professional misconduct findings. This episode examines cybersecurity professional misconduct risks, what regulators expect in practice and how new privacy and ransomware laws raise the stakes for every firm, big or small.Guest:• Simone Herbert-Lowe, founder, Law & Cyber• Professional indemnity specialist with more than 30 years of legal experience• Expert at the intersection of cyber risk and legal professional responsibility• https://www.linkedin.com/in/simone-herbert-lowe/• https://www.lawandcyber.com.auHost:• Jayne Gurton, Law Institute of Victoria• [email protected] | https://www.linkedin.com/company/law-institute-of-victoriaEpisode Overview:Cyber risk has moved from an abstract IT issue to a core professional responsibility for Victorian lawyers. In this episode, we examine cybersecurity professional misconduct through the lens of recent court decisions, regulatory guidance and real-world claims experience. Simone Herbert-Lowe explains how the “reasonable practitioner” standard is being applied in 2026, why human behaviour remains the weakest link in law firm security, and how small and mid-sized practices are often more exposed than large firms.The discussion also unpacks the VLSB+C minimum cybersecurity expectations, the expanded reach of the Privacy Act through AML/CTF obligations, and the impact of new laws on ransomware reporting and serious invasions of privacy. Listeners will gain practical guidance on what compliance looks like in day-to-day legal practice and where to focus limited time and resources.Topics & Timestamps:• 00:12 Why cybersecurity failures can now amount to professional misconduct• 01:25 Recent court cases shaping cyber risk expectations• 04:44 Why small firms are attractive cyber targets• 06:48 Behavioural breaches and human error in law firms• 09:26 The “reasonable practitioner” standard in 2026• 12:38 Cloud services, offshore data and Privacy Act obligations• 14:21 Ransomware reporting and the statutory privacy tort• 16:29 Practical actions firms should take this weekKey Takeaways:• Cybersecurity failures can now trigger findings of unsatisfactory professional conduct or misconduct.• Small and sole practices are as at risk as large firms.• Human behaviour, not technology, is behind many serious breaches.• The VLSB+C minimum cybersecurity expectations set a clear baseline for Victorian lawyers.• Privacy Act obligations can apply regardless of firm size through AML/CTF requirements.• Principals must be able to demonstrate practical, documented cyber controls.Resources & Links:• LIV Cybersecurity Hub – Practical guidance and resources for Victorian practitioners | https://www.liv.asn.au/cybersecurityhub • VLSB Minimum Cybersecurity Expectations – Regulator guidance setting baseline standards | https://lsbc.vic.gov.au/sites/default/files/2024-02/VLSB%2BC_Minimum_Cybersecurity_Expectations.pdf • Australian Information Commissioner v Australian Clinical Labs Limited [2025] FCA 1224 – Federal Court decision on privacy and cyber breaches | https://www.austlii.edu.au/cgi-bin/viewdoc/au/cases/cth/FCA/2025/1224.html• ASIC v FIIG Securities Limited [2026] FCA 92 – Cybersecurity governance and regulatory enforcement | https://www.austlii.edu.au/cgi-bin/viewdoc/au/cases/cth/FCA/2026/92.html• Mobius Group Pty Ltd v Inoteq Pty Ltd** \[2024\] WADC 114 District Court of Western Australia, decided 20 December 2024 https://www.austlii.edu.au/cgi-bin/viewdoc/au/cases/wa/WADC/2024/114.html• Ransomware payment reporting factsheet – Department of Home Affairs guidance | https://www.homeaffairs.gov.au/cyber-security-subsite/files/factsheet-ransomware-payment-reporting.pdf• OAIC guidance on statutory privacy tort – Overview of serious invasions of privacy | https://www.oaic.gov.au/privacy/your-privacy-rights/more-privacy-rights/statutory-tort-for-serious-invasions-of-privacy• Australian Privacy Principles: https://www.oaic.gov.au/privacy/australian-privacy-principles/australian-privacy-principles-guidelinesAbout This PodcastCross-Examined is a new podcast from the Law Institute of Victoria. Tune in to hear experts discuss hot topics in the law and the changes shaping the legal profession. Regular episodes will cover everything from AI and cyber threats to ethical dilemmas, workplace taboos and practice management insights.This podcast is recorded on the traditional lands of the Wurundjeri people of the Kulin Nation. The Law Institute of Victoria acknowledges the Traditional Custodians of Country across Australia. We pay our respects to Elders past and present.DisclaimerThis podcast is for informational purposes only and is not intended to replace professional legal advice. The views expressed in this podcast do not necessarily reflect the views of the Law Institute of Victoria (LIV). The LIV is not responsible for any losses, damages or liabilities that may arise from the use of this podcast. Listeners should seek independent legal advice for their matters.Production Information• Produced by: The Law Institute of Victoria• Producer and audio editor: Garreth Hanley• Music: Garreth Hanley• Copy and show notes: Louise SuretteConnect With UsEmail: [email protected]: https://liv.asn.auLinkedIn: https://www.linkedin.com/company/law-institute-of-victoriaApple Podcasts: https://podcasts.apple.com/au/podcast/cross-examined/id1858765728Spotify: https://open.spotify.com/show/0zvyk5xia4wYv9YWcXphgVMentioned in this episode:2026 Legal Forum advertLegal Forum 2026: Discover the forum where lawyers come to connect, be inspired and stay ahead. The Law Institute of Victoria’s flagship, full-day conference brings ideas, leading experts and the profession together to learn, connect and shape the future of legal practice. Wednesday 10 June | Pullman Melbourne on the Park | https://www.liv.asn.au/legalforum

Episode Summary:Most cyber breaches are not technology failures. They are psychological successes. In this episode, cybersecurity psychology takes centre stage as Dr James Carlopio explains how scammers exploit human instinct, habit and urgency, and what lawyers can do to build safer cyber cultures.Guest:Dr James Carlopio, psychologist and co-founder, Cultural Cyber SecurityPhD in organisational psychologyExpert in cyber psychology, social engineering and cultural approaches to cyber riskhttps://au.linkedin.com/in/jamescarlopiohttps://www.culturalcybersecurity.com/james-carlopio-ccsHost:Jayne Gurton, Law Institute of [email protected] | https://www.linkedin.com/company/law-institute-of-victoriaEpisode Overview:Cybersecurity psychology explains why most breaches occur even in organisations with strong technical controls. In this episode, Dr James Carlopio explores how social engineering, phishing scams and AI-driven deepfakes exploit hardwired human instincts rather than technical weaknesses.Drawing on real-world examples, James explains why awareness alone is not enough, and why behaviour change requires skills, repetition and cultural leadership. Legal practitioners will gain practical insights into reducing cyber risk through everyday habits, verification practices and leadership role modelling, with a focus on making cybersecurity personal, relevant and embedded in day-to-day legal practice.Topics & Timestamps:00:04 Why cybersecurity failures are mostly human, not technical01:47 Why law firms are attractive targets for scammers03:31 Common scam tactics targeting lawyers and legal staff05:25 Psychological principles criminals exploit06:44 Deepfakes, voice cloning and verification strategies09:09 Why old confidence scams still work10:24 Practical, low-cost cyber prevention strategies13:36 Emerging threats and AI-driven scam campaigns16:20 Simple actions listeners can take immediatelyKey Takeaways:Most cyber breaches succeed by exploiting human behaviour rather than technical gapsLaw firms are high-value targets because of money movement and sensitive dataSocial engineering relies on urgency, habit and trustAwareness alone does not build cyber resiliencePractical skills and regular practice reduce risk more than one-off trainingLeadership behaviour and culture drive cybersecurity outcomesResources & Links:LIV Cybersecurity Hub – Practical guidance and resources for Victorian legal practitioners | https://www.liv.asn.au/cybersecurityhubLaw Institute Journal: Cybersecurity and phishing risks – Analysis and guidance for legal practices | https://www.liv.asn.au/lijOffice of the Australian Information Commissioner – Notifiable Data Breaches reports | https://www.oaic.gov.au/privacy/notifiable-data-breachesCultural Cyber Security – Insights on cyber psychology and behaviour change | https://www.culturalcybersecurity.comAbout This Podcast:Cross-Examined is a new podcast from the Law Institute of Victoria. Tune in to hear experts discuss hot topics in the law and the changes shaping the legal profession. Regular episodes will cover everything from AI and cyber threats to ethical dilemmas, workplace taboos and practice management insights.This podcast is recorded on the traditional lands of the Wurundjeri people of the Kulin Nation. The Law Institute of Victoria acknowledges the Traditional Custodians of Country across Australia. We pay our respects to Elders past and present.Disclaimer:This podcast is for informational purposes only and is not intended to replace professional legal advice. The views expressed in this podcast do not necessarily reflect the views of the Law Institute of Victoria (LIV). The LIV is not responsible for any losses, damages or liabilities that may arise from the use of this podcast. Listeners should seek independent legal advice for their matters.Production Information:Produced by: The Law Institute of VictoriaProducer and audio editor: Garreth HanleyMusic: Garreth HanleyCopy and show notes: Louise SuretteConnect With Us:Email: [email protected]: https://liv.asn.auLinkedIn: https://www.linkedin.com/company/law-institute-of-victoriaApple Podcasts: https://podcasts.apple.com/au/podcast/cross-examined/id1858765728Spotify: https://open.spotify.com/show/0zvyk5xia4wYv9YWcXphgVMentioned in this episode:2026 Legal Forum advertLegal Forum 2026: Discover the forum where lawyers come to connect, be inspired and stay ahead. The Law Institute of Victoria’s flagship, full-day conference brings ideas, leading experts and the profession together to learn, connect and shape the future of legal practice. Wednesday 10 June | Pullman Melbourne on the Park | https://www.liv.asn.au/legalforum

The verdict is in - at its core, cybersecurity is a psychological problem. And in a profession built on confidentiality, privilege and trust, the stakes couldn't be higher.In the next series of Cross-Examined, we will look at cybersecurity for lawyers. We talk to people who break in, the people who clean up afterward, and the specialists working at the intersection of cyber risk and professional obligations.Tune in to find out how cyber criminals breach our defenses and get practical, up-to-date advice on protecting yourself, your firmand your clients.Cybersecurity, Cross-Examined. Coming soon from the Law Institute of Victoria. Subscribe wherever you get your podcasts.About This PodcastCross-Examined is a new podcast from the Law Institute of Victoria. Tune in to hear experts discuss hot topics in the law and the changes shaping the legal profession. Regular episodes will cover everything from AI and cyber threats to ethical dilemmas, workplace taboos and practice management insights.This podcast is recorded on the traditional lands of the Wurundjeri people of the Kulin Nation. The Law Institute of Victoria acknowledges the Traditional Custodians of Country across Australia. We pay our respects to Elders past and present.DisclaimerThis podcast is for informational purposes only and is not intended to replace professional legal advice. The views expressed in this podcast do not necessarily reflect the views of the Law Institute of Victoria (LIV). The LIV is not responsible for any losses, damages or liabilities that may arise from the use of this podcast. Listeners should seek independent legal advice for their matters.Production InformationProduced by: The Law Institute of VictoriaProducer and audio editor: Garreth HanleyMusic: Garreth HanleyCopy and show notes: Louise SuretteConnect With Us📧 Email: [email protected]🌐 Website: www.liv.asn.au🔗 LinkedIn: www.linkedin.com/company/law-institute-of-victoria📱 Apple Podcasts: Cross-Examined - Podcast - Apple Podcast🎵 Spotify: Cross-Examined | Podcast on Spotify