The latest State of Cybersecurity Report released by the ACC Foundation in collaboration with EY has revealed that legal departments continue to play an increasingly important role in a business-wide cybersecurity strategy. There is growing cross-functional collaboration among Legal, IT, Security, and other applicable business units, and one out of five companies now has a dedicated cybersecurity lawyer (often a senior-level position), who is sometimes even embedded in the IT department. The data included in this report represents 265 companies across 17 industries and 24 countries, providing a comprehensive understanding of how legal departments of different sizes engage in cybersecurity matters.
When asked who in the organisation is primarily responsible for coordinating the response to a data breach, the most common answer was the chief legal officer (CLO) for 38% of companies, up from 21.2% in 2020. Moreover, 84% of CLOs now have at least some cybersecurity-related responsibilities (up from 76% in 2020), whether in a leadership position, as part of a broader team with cyber responsibilities, or as part of an incident response team.
“As modern CLOs’ roles and responsibilities continue to expand, cybersecurity strategy and oversight is unquestionably one area where we’ve seen the largest growth,” noted Susanna McDonald, vice president and chief legal officer of ACC. “Between the ever-increasing frequency of attacks and substantial financial and reputational risk to the organisation’s operations and brand, this comes as no surprise. CLOs bring a unique combination of legal training, strategic thinking, and risk analysis to the table to best help prevent and, if need be, react to cybersecurity situations.”
With so much at risk, including damage to brand reputation, the liability of data subjects, regulatory action, loss of proprietary information, loss of business continuity, and potential executive liability, it is also no wonder that CLOs rank cybersecurity as the single most important issue in their overall business today (see other top findings from the 2022 ACC Chief Legal Officers Survey).
CLOs play an important role in cybersecurity
Not only are CLOs expected to react (once a data breach has occurred, for example), they often play an integral role in developing the underlying risk-mitigation strategy for the organisation. 61% of survey respondents say the legal department has a co-equal voice in setting the company’s overall risk-mitigation strategy alongside IT and compliance, and 64% of CLOs regularly report to the board of directors on cyber issues, or at least do so on an ad hoc basis.
More chief legal officers and general counsel oversee privacy than cybersecurity. In three-quarters of organisations, the CLO oversees privacy, which is either the direct responsibility of the CLO (55%) or has a dotted line to the top legal officer of the company (19%). Conversely, the cybersecurity function reports to the CLO in just 38% of organisations: 15% indicated that the CLO oversees cybersecurity directly, and 23% do so through a dotted line.
The fact that privacy reports to the CLO more often than cybersecurity is consistent with the results observed in the previous edition of the survey. However, the number of participating organisations where the CLO oversees cybersecurity shows a 20-point increase from 18% to 38%.
The cybersecurity function is housed in many separate departments within the organisation, according to survey participants. A plurality (35%) of respondents report that cybersecurity is primarily handled by the chief information officer (CIO), 23% indicate that it is under the chief technology officer (CTO), 11% report that the responsibility for cybersecurity is spread among different departments or business functions, and 9% indicated that it is primarily housed in the legal department. This is the largest percentage of legal departments housing the cybersecurity function observed since 2015, although it remains a relatively uncommon practice.
In-house counsel dedicated to cybersecurity increasing
38% of legal departments say their spend has increased as a result of their approach to cyber, compared to one year ago. This is an increase from just 23% who said so in 2015. 50% said this increase was mainly attributed to outside spend (on law firms, ALSPs, and consultants), while 25% said the increase was mainly attributed to inside spend (on legal resources exclusively devoted to cybersecurity).
This spending pattern is in line with what we are observing in hiring patterns. 22% of companies now employ an in-house counsel with responsibility for cybersecurity, up 10 percentage points since 2018. In 48% of cases, this lawyer is responsible for coordinating cyberlaw strategy across the entire business and in 29% of cases this lawyer is fully embedded in cybersecurity/IT and works directly with technical resources. 56% of these lawyers are in senior-level positions.
The number of companies that now require annual cybersecurity training for all employees has also increased by 20 percentage points since 2020. 63% of companies now have mandatory annual training on cybersecurity for all employees, an increase from 43% in 2020. 27% require training at different intervals and just 9% have no training requirements at all, a reduction from 33% in 2018. Among companies that require training, a quarter customise that training to the specific role or level of security access of individual staff.
These are just a few of the many findings made in the most recent iteration of the ACC Foundation’s biannual State of Cybersecurity Report. To find out more, buy the full report here and check out these ACC resources that might have the solution you are looking for:
- Cybersecurity is one of the top three issues for chief legal officers — learn the basics and how to work with your technology department (see here).
- Connect with like-minded peers and tap into the wisdom of the crowd when tackling your company’s risk management challenges or starting a new cybersecurity initiative. Join the ACC IT, Privacy & eCommerce Network to exchange ideas and expertise on policies, best practices and more. (An ACC membership benefit.)
- In-house counsel share their organisation’s most sensitive data with outside law firms. Yet 70% of legal departments have no tool for assessing their law firms’ data security, and nearly 30% are dissatisfied with current methods. Check out the Data Steward Program that gives legal departments a push-button tool for assessing law firm data security, consistent with their organisation’s most rigorous information security requirements, at no cost to in-house counsel.