Recent studies highlight the increasing role of in-house lawyers in overseeing their organisation’s cybersecurity. Lucy Trevelyan explores the implications of this trend and considers what counsel contemplating the challenges of their new realm of responsibility need to take into account.
According to the Association of Corporate Counsel’s (ACC’s) 2021 Chief Legal Officers Survey, responsibility for cybersecurity and data privacy now falls under the umbrella of the chief legal officer (CLO) in nearly half of organisations surveyed.
This trend, the survey concludes, follows the global shift to remote working and reflects the growing integration of business strategy and technology policies in response to the pandemic.
A separate ACC Cybersecurity Study also revealed that 71 per cent of organisations have placed their CLO in either a leadership role in respect of cybersecurity strategy or as part of a team with cybersecurity responsibilities. The study also showed that 18 per cent of organisations have an in-house lawyer dedicated completely to cybersecurity – up from 12 per cent in 2018.
The trend, says Anurag Bana, a senior project lawyer in the IBA’s Legal Policy & Research Unit, stems from digital transformation significantly accelerating the convergence of legal and compliance matters.
“Macro and micro-level operations are transforming the corporate structures where in-house lawyers are operating”, he says. “Such organisational convergence is making in-house teams not only provide core legal and compliance advice but also involving them in addressing the legal aspects of cybersecurity threats and data privacy.”
In-house teams are uniquely positioned internally to provide key insights and recommendations on the development of mitigation and defensive strategies for the benefit of the company. “The development of corporate governance strategies with respect to cybersecurity has also increased and that’s where the influence and role of in-house teams comes in to play to either lead or support this development,” adds Bana.
“The development of corporate governance strategies with respect to cybersecurity has also increased and that’s where the influence and role of in-house teams comes in to play to either lead or support this development”
Anurag Bana, Senior Project Lawyer, IBA Legal Policy & Research Unit
The whole story
Cybersecurity is not just an IT responsibility, though many have viewed it as such in the past, says Chris White, Head of Consultancy at IT consultancy QuoStar and the former Global CIO at Clyde & Co.
“While IT has a huge part to play in securing the environment through firewalls, antispam/virus, etc, this is only part of the story,” says White. “There is a vast amount of legislation and regulation about data security and many breaches are a reportable offence, which can result in huge fines and reputational damage.”
“GDPR [the EU General Data Protection Regulation] and data sovereignty, legislation like the Patriot Act in the US, and growing client demands about data, will affect the entire organisation if mishandled,” he adds.
He believes that in-house teams are taking greater responsibility over cybersecurity because they’re the ones equipped to deal with it.
In the modern world of technology it’s hard to undervalue cybersecurity, says Nazar Chernyavsky, Vice-Chair of the IBA Technology Law Committee and a partner at Sayenko Kharenko, Ukraine. “Effectively, for many businesses data is one of the pillars of their success. Accordingly, it is important to dedicate enough attention to the security of their data and channels of communication.”
Chernyavsky highlights that it has already become the new “normal” to have a dedicated officer within the company who is responsible for information security.
Companies don’t want to expose their sensitive and critical systems to outsiders and as a result, they try to build up that expertise in-house. Chernyavsky suggests that an insider who knows a business’ processes well might be best placed to protect those processes, exercising a holistic approach to security.
The lawyer can take on this role if they have a managerial role within the organisation and can shape the culture of other employees, he says. “Otherwise, this role may be perceived as technical – similar to compliance – and people would be treating all requirements formalistically, thus blaming the lawyer – the security officer – [for] any failures.”
However, the area of cybersecurity is growing in complexity. As a result, the potential to make a mistake is increasing.
For Chernyavsky, it’s important to have someone at the C-level who will be responsible for security, including information security. “It would be more efficient to outsource technical functions to someone specialized, but keep overall control over the processes”, he says.
Such solutions – and the threats themselves – are becoming more sophisticated. Getting experts involved in implementing the solutions is useful, says Chernyavsky. “A number of cyber security consultancies not affiliated with any particular vendors may help to identify and then deploy the most appropriate technical solution for the company. Further support may also be useful, especially when it comes to any critical situation response, when any minute matters.”
A mix of roles
As most companies do not see cybersecurity and data privacy as fundamental, there is a trend to add the security role into existing structures like in-house teams, says Leopoldo Pagotto, Vice-Chair of the IBA Anti-Corruption Committee and a partner at FreitasLeite, in São Paulo.
Pagotto explains that the main drawback comes in regards to the structure of the data governance programme. As with any other compliance-related programme, “there may be an inherent conflict of interest – the legal in-house teams may be a source of risks for cybersecurity and data privacy and one may question [the team’s] independence and autonomy to investigate issues arising from its own violations to the rules and policies,” he says.
In-house lawyers can at times find their new role challenging in terms of identifying where to start, says Bana. “With traditional legal risks, there is a predictable allocation of resources in context with the business, but cyber risks have an unusual nature of threat which can be a challenge. It is therefore necessary to have a common understanding of issues with other teams and functions (including internal and external) for budgetary requirements and allocation.”
In this accelerated business environment, in-house teams need to optimise their competencies. “They are no longer just corporate gatekeepers,” says Bana. “In addition to developing a broader business understanding, [and] “deep-dive” expertise in risk and compliance, they are now also on the frontlines of tackling the new business challenges of cybersecurity.”
Preparing for threats
“Competency in cybersecurity is vital in enabling the company to prepare and implement a legally compliant cyber incident strategy without compromising the competitiveness of the business,” he explains.
This can also include drafting and reviewing a company’s cyber policies and processes. In-house teams can establish and coordinate essential relationships with other departments and teams within the company to address cyber risks and threats. “Cyber risks are a mix of external and internal attacks, compromising of devices through data hosting, accessing and sharing with operational risks,’ notes Bana. ‘A strong working relationship with other departments is essential.”
Although creating and managing internal capabilities can reduce cost, internal responsibility for cyber security and data privacy also allows for the creation of bespoke and effective infrastructure, governance, and policies that are aligned with the unique needs and requirements of the organisation, says Dennis Murphy, a consultant at Gateley Legal.
However, this can also create risk. In Murphy’s view, it can lead to the adoption of a ‘marking your own homework’ mindset and to teams developing a bias in respect of how effective their internal mechanisms are. “Companies with a mature cyber security approach will regularly involve independent third parties to assess their capabilities and processes thereby ensuring a complete and unbiased review.”
Given the shift to remote working, existing policies, guidelines, and responsibilities need to be amended to reflect the current environment. “Platforms such as Zoom and Teams provide the capacity to virtually educate and inform employees about cyber threats and ensures updates or required actions are known and carried out,” highlights Murphy. “The introduction of mechanisms such as two factor authentication and VPNs also provide additional protections for employees working from home.”
“Companies with a mature cyber security approach will regularly involve independent third parties to assess their capabilities and processes thereby ensuring a complete and unbiased review”
Dennis Murphy, Consultant, Gateley Legal
Cybersecurity in the Covid crisis
In-house teams are trying their best to navigate their way around the crisis caused by the Covid-19 pandemic. At this time, it’s critical to instil and implement necessary safeguards to prevent hackers and cyber criminals from exploiting this vulnerable situation, Bana says.
“There is more risk of breach of communication or data confidentiality when operating remotely or working from home,” he says. “In-house teams need to effectively work together and protect themselves from online threats of emerging novel viruses. There should be regular testing of systems.”
He adds that what’s equally important is that in-house teams develop a strong relationship with the company’s communication department. There should be regular briefings and discussion of cyber incidents, and a response plan created to assist in protecting the company’s profile and reputation from any potential untoward cyber incidents.
In recent years, the potential for fines and damage to reputation arising when a company either loses data or it’s accessed by an unauthorised third party has increased significantly, says Emma Wright, Lead Partner for Cyber Legal Advisory at Deloitte Legal. “The cybersecurity risks have increased as many workers and processes have moved online during the pandemic. This may have made some more susceptible to phishing attacks or making basic mistakes in relation to security of corporate IT systems.”
But cybersecurity solutions are available to help prevent many of the basic employee errors and reduce the cyberattack vectors. “These might, for example, allow for phishing to be easily reported by staff or to check that the external email addresses are intentional’, says Wright. ‘Backend monitoring systems may also need to be updated to reflect changes in systems.”
Preparing for the cybersecurity role
The advice Chernyavsky offers lawyers taking on the cybersecurity role is to keep track of the latest technological developments and keep one’s mind open. “Do not try to foresee and regulate all possible situations, but rather help preparing people to [handle] any unexpected and non-standard situations.”
Understanding technology is a key requirement for in-house lawyers to fulfil any kind of operational role, says Bana, as is understanding the basic structure of the cyber network where the technologies are interconnected and functioning for the company.
Bana explains that currently, the basic structure is broadly driven by cloud-based technologies with remote access and real-time device connectivity (Internet of Things, or IoT) and app-based control mechanisms.
“Do not try to foresee and regulate all possible situations, but rather help preparing people to [handle] any unexpected and non-standard situations”
Nazar Chernyavsky, Vice-Chair, IBA Technology Law Committee
“These technologies are being used internally and externally for various document reviews and for contracting purposes and to communicate business-sensitive, consumer data and market competitive information,” he says. “However, increased connectivity also leads to an increase in vulnerabilities and that is where there is a need to have adequate safeguards and defensive systems in place.”
His advice to in-house lawyers taking over the cybersecurity reins is to connect with local chambers of commerce institutions and industry associations, who can provide practical advice, guidance and information in addition to networking opportunities.
Additionally, there are various reputable sources to obtain information, such as the National Institute of Standards and Technology (NIST). The IBA Cybersecurity Guidelines also provide a list of resources available from key organisations and businesses.
They should also stay alert, be prepared and ensure they understand the continuous evolving nature of cyber risks. “Obtain as much information as possible about the associated risks,” advises Bana.
It’s important for a lawyer in the cybersecurity role to keep themselves up-to-date on the latest developments in cybersecurity. Implementing a cyber incident and breach response plan with a clear communication policy in place within the company structure is also important, adds Bana.
He says that identifying and establishing key relationships within the company and externally, including in respect of third parties, is also important. If they haven’t already, companies should consider getting cybersecurity insurance.
Wright advises lawyers to be a bridge between the IT function and the rest of the business – cybersecurity often gets left to be addressed by the IT function, yet lawyers can help translate the issues into business risks.
Wright’s advice is to run an incident response preparation session so everyone is clear on their roles in the event of a breach, and to check that the policies are fit for purpose.
“The value of an in-house lawyer can be significant when preparing any communications, whether it’s to customers, regulators or the wider market,’ she says. ‘Building trust so the business turns to you in the event of an issue is key for any in-house lawyer. With data privacy and cyber lawyers, the incidents are often time critical so involvement from the outset will be helpful to all involved.”
“Building trust so the business turns to you in the event of an issue is key for any in-house lawyer”
Emma Wright, Lead Partner for Cyber Legal Advisory, Deloitte Legal
It is important too, she says, to be approachable. “There is often a pragmatic solution for fixing data privacy or cyber security issues. Through building the trust of the business, you will hopefully find yourself being involved at the outset of projects for you to sidestep issues rather than trying to resolve when things go wrong.”
In the event of a breach, having reliable and reputable external professionals on standby to move swiftly is key, says Harpreet K Sidhu, Publications Officer of the IBA Corporate Counsel Forum and General Counsel, Corporate Secretary and Privacy Officer at Pethealth Inc in Ontario.
Sidhu’s advice includes for lawyers to be familiar with their organisation’s cybersecurity insurance policy, including by knowing what type of coverage the company has and what their deductible is. She suggests looking to a parent company to determine any extended umbrella coverage.
In the event of a breach, line up a good PR [public relations] firm as you will need one to manage communications both internally and externally, says Sidhu. Employees will want to know what happened and if they were affected. A good PR firm can assist in drafting the right communications without causing panic in the organization.
“Key partners and vendors may also want to know if they can assist or provide guidance,” says Sidhu. “Likely your insurance policy will cover for a complete investigation to be done by an IT forensics firm to discover what happened and who was affected. You also want to ensure you have outside counsel who is familiar with cybersecurity and data protection to assist in drafting any regulatory notifications that may be required [by] the local privacy office or regulatory body that regulates your business.”
Nick Watson, a partner at Keystone Law, highlights key questions in-house teams need to ask themselves to ensure the cybersecurity role is carried out properly.
Who needs to be involved?
“Cybersecurity and data protection issues are about the marriage of business, legal and technical expertise and insight. Risks stem from compliance obligations (which have financial teeth) as well as the potential loss of trust in the brand and damage to goodwill. You must understand the legal obligations and implications. You must also appreciate the business needs and impacts. Finally, you need to focus on the technical and organisational measures (many of them IT-related) that will promote cybersecurity and enable your organisation to comply with data protection laws and meet its wider confidentiality obligations. As part of this, you should also think about training and awareness programmes that focus on phishing and “fake president” emails, etc. Often, the flaw is human, not technical.”
What are the types of information that need protecting, in what way, and where are they located?
“You need to think about personal data and confidential information. These both comprise internal and client/customer data. How much protection is appropriate depends on how you need to use it and what risks any breach would pose. As you apply more security, so you give up a degree of access and usability. If you want to commercially exploit valuable information (as all businesses do), you have to balance access and security – you cannot have both to the extent you would like.
Location of personal data is critical because it determines your compliance obligations. It is also vital to know this in case you have to respond to a breach or attack. You will struggle to respond effectively without this information.
You cannot answer all these questions yourselves, so make sure you involve business and IT colleagues at an early stage.”
Do we have the relevant expertise already?
“If not, you need to co-opt that by bringing in external practitioners who can supplement your capabilities on a temporary basis, or recruit a new team member with specialist expertise so that you can cover the risk. Take care, however, not to cede control to someone who lacks the necessary business insight. That would significantly undermine the benefit of an in-house function. Stay close to the analysis and advice so you can avoid an unworkable outcome.”
Do responsibility and accountability for this process sit at the appropriate levels within the legal and compliance team and in the business?
“If you get this wrong, you may end up with an excessively cautious rule book or an overly generalised, broad brush approach. You must obtain management buy-in to key decisions and risk areas. Responsibility can be delegated but accountability must, ultimately, reside at the top.”