Georgie Collins explains how in-house counsel are increasingly vital to an organisation’s cybersecurity strategy - and its response to a cyber-attack.
‘I am convinced there are only two types of companies: those that have been hacked and those that will be’ (Robert Mueller, former FBI director)
The cost of cyber-attacks to global businesses in 2016 is estimated to be US$445 billion (according to a report conducted by internet security company McAfee). Cybersecurity is now one of the biggest challenges facing a business.
In-house counsel operate at the intersection of complex legal and business challenges facing organisations; they are ideally placed – and increasingly required – to play a central role in cybersecurity strategy, risk assessment, prevention and crisis management.
When it comes to risk management, and to developing and implementing a cybersecurity strategy, a real stumbling block is that cybersecurity often does not feature prominently on the agenda in the boardroom. It is seen by many as a techy IT matter, rather than a practical business issue that has to be dealt with and co-ordinated across various stakeholders in a business. The false belief that ‘it won’t happen to us’, coupled with the perception that cyber-attacks and data breaches are the preserve of financial institutions, technology companies and government-related agencies, is a dangerous one, and leaves businesses hugely vulnerable.
Whether through an internal error or malicious external attack, at some stage a business will suffer a security breach. We are no longer in the era of it being a question of ‘if’; it is a question of ‘when’.
Companies that fail to take the threat seriously may be subject to claims, not just by regulators, but by stakeholders in the business. If appropriate risk and crisis management measures are not put in place, the directors themselves may be exposed to significant legal threats, including potential breaches of directors’ legal duties, corporate governance and disclosure obligations.
The reality is that, from a board and corporate governance perspective, cyber is now just as important as audit and accounting. Every business with any online presence or footprint, which holds data and information or has staff, is at risk. Beefing up your IT system with security protocols and firewalls is not enough – the next step is to educate all staff, from the boardroom down, as to the risks and potential ramifications.
The matrix below highlights the key risks and practical considerations associated with cyber-risk management and incident response.
In-house counsel are well placed to help a board understand and facilitate its obligations in the arena of cybersecurity. Answering the following questions will be essential to understanding an organisation’s cyber-risk profile, both from a practical and legal perspective:
1. What plans are in place to reduce the prospect and impact of a cyber-incident?
2. Does the organisation have an incident response plan?
3. Are there resources to deal with a cyber-incident?
4. Does the organisation have cyber-insurance?
5. Does the organisation have measures in place to deal with regulatory and legal claims?
Central to this is understanding the relevant stakeholders, both internal and external, and the roles they have to play, both in terms of risk planning and prevention, and incident response and crisis management.
Key internal stakeholders are:
• the board
Key external stakeholders are:
• outside counsel
• insurance companies
• market analysts
In formulating a plan, it’s important to gain an understanding of the threats to an organisation, which, of course, may differ depending on the nature of the business of a particular organisation. The main incidents are:
• theft of PII (personally identifiable information)
• sabotage of systems
• theft of confidential or sensitive data
• denial of service
• malware infection
In addition to the above, in-house counsel need an understanding of the legal framework that deals with cyber-risk and compliance, and the array of legislation, notably the following.
In-house counsel are integral to most of the response activities and involvement with the relevant stakeholders. They will need as much information as possible in order to determine an organisation’s compliance, legal obligations and liabilities so as to be able to effectively co-ordinate and communicate with internal and external stakeholders, and ensure their organisation is in the best possible position to prepare for and react to a cyber-incident.