The cyber threat landscape is constantly evolving and requires agile processes and programs to keep pace with sophisticated threat actors and new attack vectors. Cybersecurity risk management needs collaboration across the entire enterprise, especially among cybersecurity and data privacy teams. A breakdown in collaboration between the two may create a false sense of security and increase exposure to cyber attacks and regulatory penalties.
General Counsel and Cybersecurity Risk Management
As risk managers, general counsel (“GC”) play an integral role in this partnership. GCs are increasingly responsible for working with the C-suite to thoroughly understand cybersecurity programs, including vulnerabilities and capabilities, to ensure preparedness plans are implemented ahead of cyber incidents and compliance requirements are met. The results of a Digital Insights & Risk Management survey from FTI Consulting show that executives, including GCs, are highly concerned about security and data privacy as top risk areas and, as such, are “deeply involved” in related decision-making.
GCs are responsible for reducing liability, upholding reputation and avoiding regulatory penalties. These efforts can be streamlined by creating cross-functional alignment and collaboration between teams and departments primarily focused on one of these risk areas. For example, data privacy teams possess details about how information is stored, logged and shared across an organization, which is vital in developing programs that ensure fulfillment of regulatory requirements. Further, data privacy teams ensure that information governance and privacy by design elements underpin all new programs, systems and processes, and that risk management efforts include the spectrum of data privacy risk and data breach response needs.
Just as GCs need to work closely with data privacy teams, they should also thoroughly understand their organization’s readiness and incident response plans in advance of a cybersecurity incident. This allows the GC to take a leadership role in ensuring that the plans are properly followed and executed.
Cross-functional alignment should include building effective collaboration between cybersecurity and data privacy teams because, without it, data and critical assets will not be properly protected. The GC can champion this collaboration by creating regular touchpoints for these teams to meet and discuss updates, threats and adjustments to processes.
When these teams work in isolation, gaps multiply. Data sets containing personally identifiable information may be left exposed because the cybersecurity team does not know that this information requires additional protection, or an incident may cause prolonged downtime and damages because backups cannot be accessed when they are needed.
Connecting Cybersecurity and Data Privacy Teams
While achieving compliance should be one goal of connecting cybersecurity and data privacy teams, it should not be the primary objective; rather, the GC should work with these groups to proactively protect their organization from genuine cyber threats and risks. Identifying what critical assets need protecting, including personal information and other forms of sensitive data, and what threats are unique to their organization allows for defenses to be appropriately tailored based on the specific cyber risk profile.
GCs can drive a culture of compliance, another key area that should not be overlooked. By demonstrating the importance of cybersecurity and data privacy and how they align with company values and success, the GC can help weave awareness of cyber and privacy risks into the fabric of the company culture. Such a culture can become an essential and reinforcing aspect of risk management. Employees interact with sensitive data every day and are regularly targeted by cyber attacks and scams. When targeted employees are uninformed and unsupported, they can open new entry points for threat actors, for example through personal devices. Conversely, when employees have bought into the importance of data protection and their role in upholding it, they help strengthen the defenses put in place by the cybersecurity, IT, privacy and legal teams.
General Counsel Should Collaborate with Cybersecurity and Data Privacy Teams
Proper cybersecurity and data privacy programs require regular collaboration and effort across an organization to be successful. To ensure this collaboration, GCs should work with cybersecurity and data privacy teams to deeply understand what policies are implemented, what capabilities exist and where vulnerabilities are present. This hands-on involvement will help create a resilient organization capable of mitigating risks, responding quickly to an incident with minimal downtime and achieving compliance.