Recently, the Association of Corporate Counsel (ACC) Foundation, in collaboration with Ernst & Young, LLP, released the 2022 State of Cybersecurity Report, An In-house Perspective. The report contained several interesting findings regarding the growing influence of corporate legal departments on their organization’s cybersecurity strategy.
Let’s look at some of the report findings and four recommendations for corporate legal to influence an even greater leadership role in your cybersecurity strategy.
The report, available on the ACC website (together with a two-page highlights document), represents 265 companies across 17 industries and 24 countries, and gives a comprehensive picture of how legal departments of different sizes engage in cybersecurity matters. Here are some of the most notable findings:
Chief Legal Officer (CLO) Influence on Cybersecurity
- Cybersecurity reports to the CLO in 38 percent of departments surveyed (15 percent directly and 23 percent indirectly).
- 84 percent of CLOs now have at least some cybersecurity-related responsibilities (up from 76 percent in 2020), whether it be a leadership position, being part of a broader team with cyber responsibilities, or being a part of an incident response team.
In-House Counsel Responsibility for Cybersecurity
- 22 percent of companies now employ an in-house counsel with responsibility for cybersecurity, which is up 10 percentage points since 2018.
- In 48 percent of cases, this lawyer is responsible for coordinating cyberlaw strategy across the entire enterprise and in 29 percent of cases, this lawyer is fully embedded in cybersecurity/IT and works directly with technical resources.
- 56 percent of these lawyers are in senior-level positions.
Primary Concerns Regarding Data Breaches
- Regarding data breaches, damage to reputation (77 percent), liability to data subjects (61 percent), and business continuity (51 percent) are the most immediate concerns.
Four Recommendations for Corporate Legal to Influence Cybersecurity Strategy
While the above statistics reflect the growing influence of corporate legal departments on cybersecurity policy, there are steps you can take (if you haven’t already) to exert even greater influence over how your organization manages cyber risk. Here are four recommendations for corporate legal to influence cybersecurity strategy:
Keep the Organization Current on Cyber Laws and Regulations
In today’s ever-changing cyber landscape, new or strengthened laws and regulations are enacted regularly. Corporate legal is responsible for staying on top of these changes and communicating the resulting requirements to the rest of the organization. Two recent legislative developments that address cybersecurity obligations for organizations are:
- Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA): CIRCIA was signed by President Biden on March 15, 2022. It creates two critical reporting obligations for owners and operators of critical infrastructure: (1) an obligation to report certain cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) of the U.S. Department of Homeland Security within 72 hours; and (2) an obligation to report ransomware payments within 24 hours. The reporting requirements do not take effect until CISA completes its mandatory rulemaking, but organizations need to be proactive now (for example, by deciding who will determine whether an incident is reportable and how the 72-hour clock will be tracked), and corporate legal can help drive that implementation process.
- Cyber Resilience Act: In September 2022 the European Commission published its proposal for this regulation on cybersecurity requirements for products with digital elements, which would bolster cybersecurity rules to ensure more secure hardware and software products. Because it was a proposal at the time of writing, its final text and effective dates were still subject to the EU legislative process.
Corporate legal can take a leadership role in managing cybersecurity and data risks by driving the process to develop, implement and update policies and procedures to address changing regulatory requirements.
Apply Proven Workflows to Cyber Response
Corporate legal can also take an active role in the response to cyber incidents within the company that may involve exposure of your customers’ personally identifiable information (PII).
Just as litigation involves an eDiscovery workflow that runs from identification through production of potentially responsive electronically stored information (ESI), a similar workflow can be applied to incident response: identifying the personal data that has potentially been exposed, reviewing that data and the affected documents to determine which customers the exposure applies to, and notifying those customers within the deadlines the applicable laws set. That is an eDiscovery process, and corporate legal can take the lead in coordinating that workflow to support incident response for the organization.
Take an Active Role in Third-Party Risk Management
One area in which the ACC report showed much room for improvement was Third-Party Risk Management (TPRM). Just 31 percent said that their legal department is “often” involved in their company’s TPRM programs.
Corporate legal can take a more active role here by conducting a thorough vendor contract review to ensure that vendors and other third parties adhere to your company’s data security standards. This includes requiring processes and procedures that protect your information when it is transferred to the third party, and requiring in the contract that the third party provide prompt notification in the event of a breach.
Take an Information Assurance Approach to GRC
Legal, Risk, Security and Privacy are all key to effective information governance, and that is reflected in EDRM’s Information Governance Reference Model. Because of their involvement in Governance, Risk Management and Compliance (GRC), legal teams have been placed in a leadership role to ensure a program that manages and protects sensitive data.
Protecting data starts with knowing where the sensitive data is within your organization. The discipline referred to here as Information Assurance is that of efficiently and defensibly identifying, preserving and collecting information from the organization’s various endpoint data sources to support key discovery business objectives. Corporate legal can and should be a leader in this process, as it drives the success of your organization’s cybersecurity strategy (along with other benefits, including streamlining processes such as eDiscovery).
The ACC 2022 State of Cybersecurity Report illustrates the growing influence of corporate legal departments on their organization’s cybersecurity strategy. But there is much more that legal departments can do to exercise even more influence to reduce cyber risk. If more corporate legal departments address the four recommendations discussed above, those statistics will look even better next year!