Cyber attacks: A key concern for businesses worldwide

Beitrag als PDF (Download)

 

40% of the 600 companies surveyed by the ACC Foundation for the 2020 State of Cybersecurity Report: An In-House Perspective suffered a data breach in the preceding year. In fact, the 600 companies from 36 countries, including Europe, on average had 24 cyber incidents in one year!

When asked who in the organization was primarily responsible for coordinating the response to a data breach, the most common answer was the chief legal officer (CLO) in 21.2% of these companies, up from only 4.6% in 2015.

It was not the head of information technology (IT) at 18.5%, not the chief information security officer at 15.4%, and not the chief privacy officer at 9.4% of these organizations.

With so much at risk, including damage to brand reputation, the liability towards data subjects, regulatory action, loss of proprietary information, loss of business continuity, and potential executive liability, it is no wonder that CLOs rank cybersecurity as the single most important issue facing their overall business today (see other top findings from the 2022 ACC Chief Legal Officers Survey).

CLOs play an important role in cybersecurity

Cybersecurity breaches are on the rise, with the number of serious cyberattacks on critical sectors in Europe nearly douling in 2020 (see here), according to the European Union’s Agency for Cybersecurity. Recently, Microsoft was affected by an attack that originated in Europe and eventually spread to 70,000 computers in their Asian offices (see here), and in early 2021, the entire Irish healthcare system was nearly taken out due to hacking in the context of a major cybersecurity breach (see here).

These cases only represent a tiny fraction of what is occurring and showcase the new landscape that an in-house counsel must navigate when it comes to the current cyber landscape. They help highlight the various scenarios CLOs are facing as they find themselves playing an increasingly crucial role in cybersecurity both in terms of prevention and mitigation.

CLOs are not only consulted on a response basis (once a data breach occurs, for example), but they often play an integral role in developing the underlying risk mitigation strategy for the organization. 61% of survey respondents say the legal department has a strong voice in setting the company’s overall risk mitigation strategy alongside IT and compliance, and 64% of CLOs regularly report to the board of directors on cyber issues or, at least, do so on an ad hoc basis.

In 2020, cybersecurity and privacy functions reported to the CLO in 18% of companies, and this percentage was even higher in the IT, professional services, financial, and insurance industries. Even when the CLO does not directly oversee cybersecurity, they are still either a part of an enterprise-level team with cybersecurity responsibilities, or are in a leadership role on that team in 71% of companies.

In cases where cybersecurity does report to the CLO, the company’s cybersecurity program tends to take a more proactive risk-based approach (i.e., they search for methods to meet various risks whether or not they are mandated by a regulatory requirement) rather than using a more reactive, compliance-based approach (i.e., simply following the rules).

The number of in-house counsels dedicated to cybersecurity is increasing

New national and international EU legislative compliance requirements regarding information security and data protection are placing greater responsibility on senior executives when it comes to their organization’s cybersecurity strategy. This trend has also been reflected in the numbers of companies reporting the increase of in-house counsels now solely dedicated to cybersecurity. In 2020, 36% of legal departments reported to be spending more because of their organization’s approach to cybersecurity and this has been increasing over time from only 23% saying so in 2015.

A survey of companies by British security firm Sophos found that the average cost of a ransomware attack increased significantly in 2021. The survey estimated that the average cost of an attack for 2020 was $761,106, but by 2021 that figure had risen considerably to $1.85 million. The calculated cost took into account the cost of insurance, business loss, clean-up, and any ransomware payments and reflected the growing complexities of cyberattacks.

In the context of the ACC Foundation’s report, findings saw that departments had increased their legal spend as a result of increasing and tightening their cybersecurity approach. This spending pattern aligns with what we are observing in hiring patterns. In 2020, 18% of companies had at least one in-house lawyer with formal responsibilities related to cybersecurity issues, a six-percentage point increase from 2015.

In larger companies with fifty or more legal staff, this percentage jumped to 44%. In 60% of those companies, this lawyer (or group of lawyers) has not simply focused on a small number of specific aspects of cybersecurity, but is also responsible for coordinating the cyberlaw strategy across the entire enterprise, including in areas such as incident response, supply chain concerns, product/service development, labor/employment, regulatory compliance, legislative policy, and PR crises. In most cases, these dedicated cyber lawyers are executive-level lawyers.

With cybersecurity now being such a key concern for businesses worldwide, plus the ongoing challenges being compounded by the COVID-19 pandemic, the role that CLOs play when it comes to dealing with and preparing for ransomware attacks is more important than ever before. CLOs should jump at this opportunity to gain a wider influence over implementing policies and strategies within their companies and embrace their growing roles as businesses continue to learn how to navigate a world that is increasingly online.

To learn more about this topic, these ACC resources might have the solution you are looking for:

  • Cybersecurity is one of the top three issues for chief legal officers — learn the basics and how to work with your technology department (see here).
  • Connect with like-minded peers and tap into the wisdom of the crowd when tackling your company’s risk management challenges, or starting a new cybersecurity initiative. Join the ACC IT, Privacy & eCommerce Network to exchange ideas and expertise on policies, best practices and more (An ACC membership benefit, see here).
  • In-house counsels share their organization’s most sensitive data with outside law firms. Yet 70% of legal departments have no tool for assessing their law firms’ data security, and nearly 30% are dissatisfied with the current methods. Check out the Data Steward Program that gives legal departments a push-button tool for assessing law firm data security, consistent with their organization’s most rigorous information security requirements, at no cost to in-house-counsel.

 

b.garcia@acc.com

g.marletta@acc.com

teegler@acc.com

Aktuelle Beiträge