At LegalTechTalk, the password is blueberry hot dogs

A finance officer approved 15 wire transfers after a video call with his board. Every face on the screen was a deepfake. The loss, John Wilson told a London audience, ran over $25 million.

Wilson, chief information security officer and president of forensics at HaystackID, opened with that case to anchor a question legal organizations keep getting wrong: who owns cyber risk? His answer, delivered across a 20-minute session on Wednesday at LegalTechTalk in London, was that no single department can.

The session, “Building Cross-Functional Cyber Governance to Avoid a $25 Million Mistake,” ran on June 17 at the InterContinental O2. Anju Malik, who supports marketing, public relations, and digital agencies at Omnicom, moderated, joined by Wilson and Komal Gupta, chief innovation officer at the Indian law firm Cyril Amarchand Mangaldas. LegalTechTalk, an award-winning gathering of the legal-technology community, was in the first of its two days, June 17 and 18.

Some background helps explain why the case landed. A deepfake uses artificial intelligence to clone a real person’s face and voice well enough to hold up in a live conversation. That capability has reworked an old scam, the urgent executive request to move money, often called business email compromise or CEO fraud. The classic warning sign used to be a voice or a face that felt slightly off. When the impersonation is synthetic and convincing, that instinct stops protecting anyone.

A board call that never happened

Wilson’s opening case showed exactly that failure of instinct. The company was in Hong Kong, he said, and the trouble began when a finance officer received a request to move money. It looked suspicious at first. Then the officer joined a conference call with members of the board who could approve the transaction. The participants used the right terminology and spoke in the expected vernacular. The transfers went through.

“He did 15 transfers, all went through,” Wilson said. A week later, the officer learned that none of those board members had actually been on the call. Every participant had been a deepfake, rendered with the right faces and the right phrasing.

What made the scheme work was patient reconnaissance. An investigation found that threat actors had gained access to the company’s systems but never exploited them the way a typical breach plays out, with no ransomware and no obvious data theft. “All they did was gather the intel so that they could speak in that right language,” Wilson said, learning the names, phrases, and routines that let the fake board sound authentic. The intrusion, in other words, was research. The theft happened later, on the call. The money, Gupta said, was very difficult to unwind, the usual outcome once funds move across borders through accounts that empty quickly.

Why governance outgrew the IT department

A loss like that turns less on technology than on who is allowed to make a decision, and that was the panel’s real subject. The instinct is to file cyber risk under IT, Gupta said, but artificial intelligence has changed the stakes. Governance now reaches confidentiality, client trust, and reputation, which means “it wasn’t just my responsibility.” When each function works in its own direction, she said, blind spots multiply, because every stakeholder evaluates the risk from a single vantage point.

Cross-functional governance, in practice, means that legal, IT, compliance, and leadership share ownership of cyber risk rather than handing it to a single team. The logic is that the fallout from an incident, privileged data exposed, clients lost, regulators notified, a brand damaged, lands well outside IT’s remit, so the decisions cannot sit there alone. For a law firm, a breach is not only a technical event. It can compromise client confidences and the legal protections that attach to them.

Gupta tied disciplined governance to results. She told the audience her firm has reached about 85 percent sustained adoption of AI tools, a figure she connected to treating AI strategy, workflow redesign, and change management as one continuous effort rather than separate projects. The word she stressed was sustained. Adoption that holds over time, she said, is what converts a strategy on paper into daily practice, and the same coordination that drives that adoption is what makes governance stick.

Where the plans fall apart

Shared ownership is the goal. Reaching it is where Wilson sees most organizations stumble. Almost everyone he works with writes the policy and the process, then stops short of testing it. “They don’t actually tabletop” the plan, he said.

A tabletop exercise is a facilitated walkthrough in which the people named in a response plan sit together and talk through a simulated incident, step by step, to see whether the plan survives contact with reality. Wilson’s point was that plans drafted in the abstract tend to break the moment they go live. A chief technology officer may know the company has data centers but not what a particular server can reach or who holds the keys to it. That is why the engineer responsible for the system has to be in the room, alongside the people who hold administrative rights and can actually take action under pressure.

Wilson also faulted the habit of staffing a plan with junior “doers” who lack the access or the detail to execute when it counts. And he pointed past the technology entirely: outside counsel needs to know in advance that a public relations firm will be required, because breach notifications and press handling are part of the response, not an afterthought. Running the exercise, he said, is the step that turns a written policy into one that works.

The first 48 hours

Even a well-rehearsed plan still has to run under fire. Asked what decisions matter most in the opening day or two, Gupta started with containment: confirm that nothing else is exposed, then stop assuming and focus on the facts. Wilson built out the mechanics. Time is of the essence in the first 24 to 48 hours, he said.

He recommended following a defined escalation chain, a pre-agreed order of who to contact and in what sequence, reaching the director or manager just below the chief technology officer who can connect responders to the right resources, rather than jumping straight to the top and stalling. The aim is speed without chaos.

Then comes the harder discipline: validate and authenticate what actually happened, rather than trusting first appearances. Attackers now run multi-phase operations, Wilson said. The first, loud intrusion is often a smoke screen, deliberately noisy but low-impact, staged to hold the response team’s attention while the attackers quietly move through other systems to reach what they actually want. Some then sell that foothold to other criminals, who come in afterward and overwrite traces, making it far harder for investigators to reconstruct the original attack. “It’s really important to validate, authenticate, to not fall into that track,” he said.

A verbal password no machine can guess

Validation is what saves a response once an attack is under way. Preventing the next deepfake call is where Wilson got concrete, with the session’s sharpest line and its strangest phrase. Set an organizational challenge-and-response that lives only in conversation, he said: a benign question with an absurd, agreed-upon answer that is never written down and never stored in any system, so no AI can retrieve or reason it out. At board meetings, before minutes are taken, members agree on the exchange.

His example: ask “How’s your weather today?” and the correct reply is “blueberry hot dogs.” “That’s completely meaningless, nobody’s going to understand it,” Wilson said, and because the question sounds harmless, it does not tip off an impersonator the way a formal security challenge would. Malik added the rule that makes it work. The phrase cannot be recorded anywhere. “It has to be verbal only,” Wilson said.

The approach borrows from a long-standing security practice known as out-of-band verification, confirming a request through a separate channel the attacker does not control. What is new is the reason the channel has to be spoken and unrecorded. An AI model can only imitate what it has been able to observe or ingest. A phrase that exists nowhere in writing, in no email, no document, no system of record, gives the impersonator nothing to learn from, which is the whole reason a shared secret as silly as blueberry hot dogs can hold the line.

Rehearse, then rehearse again

Both panelists landed on practice over paperwork. Drafting a policy matters, Gupta said, but rehearsing the response matters as much, and it cannot be a one-time, tick-box launch. People forget and staff turns over, so the drill has to repeat on a schedule, and the policy should document who handles an incident internally and which external stakeholders to contact first.

Wilson agreed that response is not a one-time success. Communication runs on several tiers at once, he said, a board-level conversation, an administrator-level conversation, and an outside-counsel conversation, and every tier has to be tested. The firms that do rehearse often limit the exercise to IT staff and the chief technology officer, which he called inadequate. Marketing, technology, and board members all have to give up time and take part for the rehearsal to mean anything.

If a caller wearing your chief executive’s face asked your team to move money in the next hour, what would they say back, and is that answer written down somewhere it should not be?


Assisted by GAI and LLM Technologies

Source: HaystackID published with permission from ComplexDiscovery OÜ

Advisory Note: As the LegalTechTalk discussion on deepfake-enabled wire transfer fraud demonstrates, AI-driven impersonation, business email compromise, and cyber incident response now require coordinated governance across legal, cybersecurity, compliance, finance, leadership, and communications teams. HaystackID’s global advisory expertise in cybersecurity, data governance, cyber incident response, and AI governance can help organizations identify exposure, strengthen verification protocols, rehearse cross-functional response plans, and build defensible processes for emerging AI-enabled fraud and cyber risk.
