Why In-House Lawyers Have Made Cybersecurity a Top Concern
Increasing reports of data breaches, privacy concerns, and ransomware attacks demand preparation and vigilance from corporate legal departments
For the first time, cybersecurity leads general counsels’ lists of perceived risks to their organizations, finishing just ahead of regulation/compliance and data privacy.
According to the Association of Corporate Counsel’s 2021 survey of nearly 1,000 in-house legal leaders, cyber threats rank highest among a list of 14 concerns — ranging from antitrust litigation to shareholder activism — now handled by company legal departments.
Here's an overview of why cybersecurity has become such a hot-button issue for general counsels and their teams and how leaders are approaching it.
Rising cybersecurity threat levels
Large-scale data breaches, malware, ransomware, and supply-chain hacks are just some of the threats facing companies today. Cybercriminals have achieved a level of sophistication that is challenging even the most technologically well-equipped organizations. Attackers have progressed beyond data hacks to cyber raids that can cause wide-scale destruction to a company’s infrastructure and networks.
Company boards and leaders of in-house legal teams have had to evolve their risk governance models to manage emerging cybersecurity vulnerabilities. While these threats were increasing in scope and frequency before the pandemic, the move to remote work increased the opportunity for cybercriminals to exploit weaknesses. Similarly, the rise in online shopping resulted in more customer data in circulation, making large retailers and their suppliers attractive targets for skilled hackers.
According to the ACC survey, nearly 90% of the legal leaders surveyed believe that data privacy issues will “accelerate.”
High stakes and complicated cybersecurity regulations
In 2021, the average cost of a data breach was $4.24 million, according to IBM research. Also alarming: it takes most companies “212 days to detect breaches and 75 to contain them,” making it easier for cybercriminals to evade detection.
The risk of cyber-attacks is also widely distributed. Attacks on large companies, utilities, or municipalities may receive the most press coverage, but 43% of attacks in the US are directed at small and medium-sized businesses. Smaller organizations may be more vulnerable because they lack the resources larger organizations can dedicate to leading-edge cybersecurity.
Where there is risk, there is usually a growing number of government regulations intended to manage that risk and protect consumers. But lawmakers have struggled to keep pace with the emerging cyber threats.
Federal and state authorities lack consensus on how to regulate corporate responsibility for cybersecurity incidents, instead creating a “patchwork quilt” of regulations that complicates compliance responsibilities for companies and their legal teams. For example, many states have passed data breach notification legislation that mandates how a company must respond to a customer data hack, but there is no unified federal law.
Staying on top of regulation that impacts compliance efforts is an essential function of in-house lawyers. But in smaller organizations, it may make sense to outsource cyber-related compliance responsibilities to a law firm specializing in a given industry.
Adjusting to new responsibilities
Chief Legal Officers and their teams are being entrusted with managing many aspects of cybersecurity, not just those typically considered the legal department’s domain. Many company leaders take an "all hands on deck" approach to building an organization-wide defense against breaches. In many large public companies, the boards of directors are becoming more involved in cybersecurity issues, often working closely with the general counsel.
Data management standards strictly enforced across a company and applicable to all employees — regardless of where they are working — can help minimize network weaknesses.
This requires cross-department cooperation, including strong collaboration between an organization's legal and information technology (IT) departments.
Often, cyberattacks can turn into “legal headaches,” and a close working relationship between the legal team and the chief information security officer can help in times of crisis.
Company leaders must work together to develop a robust strategy for safeguarding IT infrastructure and effectively responding if it is compromised. For example, some experts recommend staging mock cyberattacks to practice crisis management techniques. Others advise bringing in outside experts to routinely train employees on data management safety protocols.
It’s important to stress the human element in any strategic plan to minimize cyber threats. For many organizations, the greatest danger of hacking or malware comes from inside their own house. Beyond the fear that ill-intentioned employees may steal or leak data, company leaders worry about careless behaviors that expose a company to risks.
For in-house legal leaders, managing external and internal cyber threats has become a growing priority — and a weighty addition to their to-do lists.