GC’s role expands amid cyber threats

It goes without saying that cybersecurity has become a big issue that can affect everyday life. Recent incidents, including last year’s DDoS attacks, are vivid examples of this. Against this backdrop, a bigger responsibility has been put on general counsels (GCs), or corporate lawyers, who must be knowledgeable and prepared to deal with these threats.
That’s the point raised by Kroll in its recent report titled Cyber Risk: GCs Take Responsibility. The work is a collaboration with Legal Week to survey 138 senior legal professionals around the world on the subject of cyber resilience and responsibility.
According to the report, GCs’ attitude toward the need for preparedness varies. “Our findings revealed that while some GCs have fully embraced their widening mandate, some are more sanguine about their company’s risks, while others might even be avoiding the increased responsibility because they consider themselves unprepared to understand or manage cyber risks,” Kroll said.
Among the key findings on how the role of the GC has grown in relation to cyber risk, 45 percent say their role has expanded in the area of planning, 40 percent in monitoring, 37 percent in reporting, and 43 percent in responding to a cyber incident.
GC involvement in the incident response plan (IRP) also varies regionally, the report found: no GCs surveyed in Latin America are central to their company’s IRP, while 20 percent are in China, 53 percent in Europe, and 60 percent in North America.
In terms of communications, survey data shows that 30 percent of GCs at US companies discuss cyber-related topics and organizational readiness every month with their IT team. Comparable figures for China (37 percent) and Europe (32 percent) are slightly higher.
Figures for those who never discuss these matters at all are more revealing. These include Southeast Asia (36 percent), Latin America (36 percent), Sub-Saharan Africa (33 percent), the Middle East (24 percent), Europe (9 percent), North America (5 percent) and China (4 percent).
According to Kroll, insurance is another aspect of cyber risk for which increasing numbers of general counsel have either a supervisory or direct role. However, when asked about the coverage and exclusions that apply to their cyber insurance, GCs vary widely in how much they know about the detail of what is covered. The report says 33 percent of GCs in the Middle East, 67 percent of GCs in Latin America and 75 percent of GCs in Southeast Asia do not know whether employee mistakes are covered. For coverage of third-party providers/vendors and hacking/phishing/malware/ransomware, 100 percent of GCs in Southeast Asia do not know whether their organizations are covered, the study shows.
The report concluded by saying denial and complacency amid existing risk are not the answer. “The true quality of an effective general counsel therefore comes with the wisdom to recognize and admit their own areas of weakness, and more importantly, those of their business and the environment in which they operate. Then they do something about managing the risks facing them. In a word: responsibility,” Kroll said. “Taking responsibility for the cyber risks in their business is a hallmark not of weakness, but of real strength. And increasingly, GCs are taking responsibility.”
