The Arc of a Cyber Incident and Strategies for Enterprise Response, with Lisa Sotto
In this episode of Privacy in Practice, hosts Kellie du Preez and Danie Strachan sit down with Lisa Sotto, Chair of the Global Privacy and Cybersecurity Practice at Hunton Andrews Kurth, for a practitioner-level conversation on the full arc of a cyber incident, from first detection through board notification and the regulatory long tail that follows.
Drawing on Lisa’s decades of advising Fortune 500 companies and global regulators, the conversation examines why incident response efforts often fail when confined to IT and how organizations can meet complex international notification requirements with imperfect information. Lisa breaks down real‑world ransomware negotiation dynamics and touches on the Bybit investigation, which has received significant media attention worldwide, as well as what high‑profile cases like the Uber criminal conviction and the Drizly FTC consent order signal for executive accountability. Kellie draws on VeraSafe’s own client experience with cyber insurance and cross-border breach notification, while Danie bridges the US liability discussion to Europe’s NIS 2 Directive and its implications for executive oversight.
This episode goes far beyond cybersecurity basics. It’s a strategic, practitioner‑level briefing for leadership teams who need to understand not just how incidents unfold, but how to respond effectively under intense regulatory and operational pressure.
In this episode of Privacy In Practice, hosts Kellie du Preez and Danie Strachan welcome Lisa Sotto, Chair of the Global Privacy and Cybersecurity Practice at Hunton Andrews Kurth, and a Star Performer for Privacy and Data Security (Chambers and Partners), for a detailed, practitioner-level conversation on how cyber incidents actually unfold, from first anomaly detection through board notification and the regulatory long tail that follows.
The discussion traces what Sotto calls “the arc of an incident”: mobilizing the response team under privilege, retaining forensic investigators and extortion negotiators, coordinating with law enforcement agencies, and managing global notification obligations. Kellie raises the practical complexity of locating affected data subjects when address data is unavailable, the cost dynamics of cyber insurance, and why controllers remain responsible for regulatory notification even when the breach originates with a vendor. Danie examines the ethical and legal dimensions of ransomware payment decisions and extends the accountability discussion across the Atlantic to NIS 2's executive liability provisions—noting that several VeraSafe clients were unaware the directive applied to them.
Together, the three examine the emerging trend of personal executive accountability through the lens of three landmark matters: the criminal conviction of Uber’s chief security officer, the FTC’s individual consent order against Drizly’s CEO, and the SEC’s recently dismissed action against SolarWinds and its CISO. They also explore why boards have evolved from what Lisa describes as “deer in headlights” to active participants in cyber governance, and what practical steps—from tabletop exercises to vendor diligence to immutable backups—separate organizations that survive a breach from those that do not.
What this episode covers:
- The current nation-state and criminal threat landscape, including SALT Typhoon, the $1.5B Bybit theft, and DPRK imposter IT workers
- How social engineering and agentic AI have rendered traditional phishing detection obsolete
- The "become aware" notification threshold and the strategic case for early regulatory disclosure
- Why one incident response plan with severity levels outperforms multiple plans
- Ransomware payment decisions: sanctions risk, decryptor reliability, and the limits of criminal promises
- NIS2 executive accountability and the CCPA cybersecurity audit requirements
- How law enforcement agencies operate as strategic partners rather than adversaries during active incidents
- And so much more!
Lisa Sotto is Chair of the Global Privacy and Cybersecurity Practice at Hunton Andrews Kurth. Recognized as one of the National Law Journal's 100 most influential lawyers in America and named a Star Performer for Privacy and Data Security by Chambers and Partners, Lisa brings decades of experience advising governments and Fortune 500 companies on cybersecurity incident response and data protection strategy.
Episode Highlights:
- [05:02] How Ransomware Attacks Really Work Today
Cybercrime today is not cinematic; it’s routine, opportunistic, and relentless. Financially motivated attackers target any organization they can access, exploiting technical gaps or human weaknesses through social engineering. Once inside, they quietly explore systems, stage sensitive data for exfiltration, and then apply pressure. These groups evolve, disband, and re-form, but their playbook stays consistent: find a vulnerability, take what’s valuable, and extort.
- [10:27] The First Critical Hours After a Breach
AI has transformed cybersecurity risk by making sophisticated attacks easy to execute and nearly impossible to spot. Perfectly written phishing emails, deepfake voices, and fake videos have erased the old warning signs, shifting the threat from technical weaknesses to human instincts. Urgency, authority, and the desire to be helpful are now the most exploited vulnerabilities. Training still matters, but it’s no longer enough to rely on yesterday’s cues. Organizations must assume deception will look real and build new safeguards to protect people from being manipulated into doing the wrong thing for the right reasons.
- [21:10] Why Cyber Is a Leadership and Board Responsibility
Cybersecurity incidents don’t fail organizations because of technology alone. They fail when teams operate in silos. A breach is an enterprise-wide crisis that requires coordinated action across IT, security, legal, privacy, communications, HR, risk, and audit, with consistent internal and external messaging. Daily alignment is essential. Equally important, involving law enforcement early can materially improve outcomes. These agencies treat companies as victims, share threat intelligence, and help map attacker tactics, while collaboration may later support prosecution through bodies like the US Department of Justice.
- [10:30] The Arc of a Cyber Incident: Mobilising the Response Under Privilege
Lisa walks through the full incident lifecycle: anomaly detection (or the dreaded media call), mobilising the pre-assembled response team through out-of-band communications, retaining forensic investigators under legal privilege, engaging extortion negotiators, coordinating with law enforcement, and navigating cyber and data protection notification obligations across jurisdictions with timelines ranging from 3 hours (Chile) to 72 hours (EU). She describes live threat actors listening on incident response calls and the necessity of forcing cameras on.
- [31:19] Personal Liability: From the Uber Conviction to the SolarWinds Dismissal
The discussion traces the three landmark cases establishing the trend of individual executive accountability: (1) the criminal conviction of Uber’s CSO for concealing a breach; (2) the FTC’s consent order that followed Drizly’s CEO personally for ten years, requiring him to implement security measures at any company where he holds a leadership role; and (3) the SEC’s action against SolarWinds’ CISO for allegedly misrepresenting security posture, which was recently dismissed. Strachan adds NIS2’s executive accountability provisions and du Preez notes the CCPA cybersecurity audit requirements — critically observing that these apply to companies with revenue as low as $50M, not just billion-dollar enterprises.
- [44:40] Ransomware Negotiations: Sanctions, Reliability, and the Ethics of Payment
This section provides insights into a practitioner’s framework for the ransom payment decision: when payment for a decryptor may be the only alternative to shutting doors, why immutable backups change the calculus, why paying for data deletion rarely works (criminals may not delete, and notification obligations remain regardless), how sanctions screening determines whether payment is legally permissible, and the sobering reality that some decryptors arrive corrupted and some companies are re-extorted after paying.