Beyond IT: why lawyers are the key to cybersecurity

The modern general counsel is a critical cyber risk ally for boards

The impact of cyber risk can devastate businesses. As we see frequently, cybersecurity breaches result in the loss of critical data such as intellectual property and personal information, and result in massive fines and liability.

The responsibility for managing and mitigating cybersecurity risk has historically rested primarily with the information security team, often under the chief information and security office (CISO). However, the fiduciary “buck” actually stops with the board of directors, not just CISOs and CEOs.

Fortunately, the board has allies and advisors. As the risk has become more profound, so has the breadth of the security landscape with ripple effects across the modern C-suite. The role of general counsel has become vital in guiding organizations through the minefield of managing cyber risk, from security product and service implementation, to breach investigation and response, regulatory reporting and advising the board on emerging best practices and standards.

The office of the general counsel should be a crucial ally to the board to help them understand the rapidly evolving risk landscape and to make effective decisions to manage cybersecurity, comply with regulations and ensure transparent communications.

In 2013, Yahoo suffered a massive cybersecurity breach that exposed three billion email accounts, representing nearly half of the earth’s population at the time. While this breach was bad enough, Yahoo’s poor response and failure to disclose the data breach led to financial losses and penalties well beyond the costs of the breach: in 2017 Verizon reduced its agreed-upon acquisition price for Yahoo by $350 million to $4.48 billion; by April 2018, the SEC fined Yahoo $35 million for not disclosing the breach, and by September of that year the company settled a derivative class-action lawsuit for $47 million.

And Yahoo is just one of the many headline-making breaches we’ve read about the last several years. Just ask Equifax ($575 million), Uber ($148 million) and Capital One ($80 million) about the financial penalties they incurred for mismanaging cyber breaches. The verdict is clear: companies that do not successfully manage cyber risk face severe losses to their brand and balance sheet that can take years to recover, if ever.

Corporate directors and business leaders must approach cyber risk holistically in a manner that encompasses governance, employee privacy and corporate culture. Given the ever-increasing importance of digital connectivity, these issues sprawl well outside the purview and technical resources of the information security team. Instead they must inform the evaluation of the risk profile writ large to enable effective board decision-making.

The board must engage a more fulsome set of stakeholders, particularly the general counsel, to support their risk management decision-making. The general counsel is well-positioned in their capacity as corporate secretarial advisor to advise on emerging standards, build bridges that span directors and security teams and, critically, help integrate cybersecurity with business strategy to engender trust, ensure privacy and create value.

Technical solutions alone are no guarantee against modern risk

As stewards for corporate compliance, legal officers can provide guidance on how boards should view cyber risk and executive leaders deal with cyber incidents. They act as the bridge between directors and chief executives and leaders of human resources, corporate and product security, IT, sales, engineering, corporate communications and investor relations functions.

Cybersecurity is evolving to try to keep up with the rapidly expanding threat landscape. To get ahead, cybersecurity technologies that span understanding people’s interactions with data, continuous monitoring, measuring risk and automated response prior to data loss are critical. General counsels play a critical role in ensuring these efforts meet regulatory obligations. Even the best technical solution is not a guarantee against failure, without the GC’s contributions.

While methods for assessing and responding to cyber risk have evolved, thanks to government and private standards bodies, credit-rating agencies, investors and insurance companies, executive leadership must comprehend the impact to privacy as new technology that adapts to risk is added to the cybersecurity portfolio.

In this modern landscape, the general counsel can help the board and the C-suite establish governance and controls that balance protecting critical and confidential information with ensuring productivity and regulatory compliance.

This might mean establishing policies that determine who has access to personally identifiable data of employees, from the intern to the chief executive, when investigating accidental or malicious data leakage or theft. This also means asking, what does the security analyst know versus the directors, CISO, CEO or corporate counsel?

Boards and employees want to know what personal data is being accessed, used, stored and deleted. General counsels can help establish governance protocols that guide CEOs and CISOs in investigating and responding to potential internal breaches of employee, customer or partner data. In the event of a data breach – it’s a matter of when, not if – counsels can facilitate the investigation process and execute disclosure to regulatory bodies to avoid or mitigate further risk from fines and lawsuits.

General counsel is the vital bridge to other internal leaders

Historically, cyber risk assessments and board read outs have been led by the CISO alone. However, the approaches taken had significant limitations in that they isolated cybersecurity decisions from the business they are meant to serve. While there is no doubt that the CISO is still the foremost cybersecurity expert in an organization, general counsels can serve as the necessary connective tissue to manage the risk more holistically with a broader perspective.

The C-Suite continues to evolve to include leadership positions focused on data security, privacy and trust. Ten or 15 years ago, the role of the CISO did not exist. Today we’re seeing CISOs elevated to a seat at the table with direct access to audit committees and the wider board.

This partnership between legal, business and security leaders formed in the crucible of cyber insecurity will help guide businesses forward through these extraordinary times of rapid transformation and digital disruption.